๐ฅ๏ธ Computer Science/Web
[๋๋ฆผํต(Dreamhack)] pathtraversal
Rosieblue
2023. 9. 28. 18:01
728x90
#!/usr/bin/python3
from flask import Flask, request, render_template, abort
from functools import wraps
import requests
import os, json
users = {
'0': {
'userid': 'guest',
'level': 1,
'password': 'guest'
},
'1': {
'userid': 'admin',
'level': 9999,
'password': 'admin'
}
}
def internal_api(func):
@wraps(func)
def decorated_view(*args, **kwargs):
if request.remote_addr == '127.0.0.1':
return func(*args, **kwargs)
else:
#์ ๊ทผํ ์ฃผ์๊ฐ ๋ก์ปฌ์ด ์๋๊ฒฐ์ฐ abort
abort(401)
return decorated_view
app = Flask(__name__)
app.secret_key = os.urandom(32)
API_HOST = 'http://127.0.0.1:8000'
try:
FLAG = open('./flag.txt', 'r').read() # Flag is here!!
except:
FLAG = '[**FLAG**]'
@app.route('/')
def index():
return render_template('index.html')
@app.route('/get_info', methods=['GET', 'POST'])
def get_info():
if request.method == 'GET':
return render_template('get_info.html')
elif request.method == 'POST':
userid = request.form.get('userid', '')
info = requests.get(f'{API_HOST}/api/user/{userid}').text
return render_template('get_info.html', info=info)
@app.route('/api')
@internal_api
def api():
return '/user/<uid>, /flag'
@app.route('/api/user/<uid>')
@internal_api
def get_flag(uid):
try:
info = users[uid]
except:
info = {}
return json.dumps(info)
@app.route('/api/flag')
@internal_api
def flag():
return FLAG
application = app # app.run(host='0.0.0.0', port=8000)
# Dockerfile
# ENTRYPOINT ["uwsgi", "--socket", "0.0.0.0:8000", "--protocol=http", "--threads", "4", "--wsgi-file", "app.py"]
pathtraversal ์๋ํด๋ ์๋๊ธธ๋ html์ฝ๋๋ฅผ ๋ฏ์ด๋ดค๋๋ ๋ค์๊ณผ ๊ฐ์ js ์ฝ๋๊ฐ ์์๋ค
form์์ submit๋ฅผ ํ๋ฉด user ์ด๋ฒคํธ ๋ฆฌ์ค๋๊ฐ ์คํ๋๋ค
element.addEventListener(event, function, useCapture)
userid๊ฐ 0์ผ๋ก ์ ๋ฌ ๋๊ณ ์์๋ค
์๋ฒ๋ก ์ ๋ฌ๋๊ธฐ ์ ์ ์ฐ๋ฆฌ๊ฐ ๋ง์์ event listener๊ฐ ์คํ๋๋ ๋ชจ์ต์ ๋ณผ ์ ์์๋ค
์ด๊ฑธ ํตํด ์๋ง event listener๊ฐ ๋จผ์ ์คํ๋๋๊ฒ์..?์์ ์์๋ ๊ฒ ๊ฐ๊ธฐ๋..?ํ์....
When you submit the form, the submit event is fired before the request is sent to the server. This gives you a chance to validate the form data. If the form data is invalid, you can stop submitting the form.
์ฆ form์ submitํ๋ฉด ์๋ฒ๋ก ์ ์ก๋๊ธฐ ์ ์ submit์ด๋ฒคํธ๊ฐ ๋๋๋๋ฏ?
element.addEventListener(event, function, useCapture)
https://www.codingfactory.net/12175
๋ฐ๋ผ์ ๋ฒํ ์ค์ํธ๋ก userid๋ฅผ ์กฐ์ํด์ ๋ณด๋ด๋ฉด ๋ ๊ฒ ๊ฐ๋ค
๊ทธ๋์ ๋ฒํ ์ค์ํธ๋ก ../flag์ ๋ณด๋ด์คฌ๋๋ ๋์๋น