
[Dreamhack] pathtraversal

Rosieblue 2023. 9. 28. 18:01
#!/usr/bin/python3
from flask import Flask, request, render_template, abort
from functools import wraps
import requests
import os, json

users = {
    '0': {
        'userid': 'guest',
        'level': 1,
        'password': 'guest'
    },
    '1': {
        'userid': 'admin',
        'level': 9999,
        'password': 'admin'
    }
}

def internal_api(func):
    @wraps(func)
    def decorated_view(*args, **kwargs):
        if request.remote_addr == '127.0.0.1':
            return func(*args, **kwargs)
           
        else:
            # abort if the requesting address is not local
            abort(401)
    return decorated_view

app = Flask(__name__)
app.secret_key = os.urandom(32)
API_HOST = 'http://127.0.0.1:8000'

try:
    FLAG = open('./flag.txt', 'r').read() # Flag is here!!
except:
    FLAG = '[**FLAG**]'

@app.route('/')
def index():
    return render_template('index.html')

@app.route('/get_info', methods=['GET', 'POST'])
def get_info():
    if request.method == 'GET':
        return render_template('get_info.html')
    elif request.method == 'POST':
        userid = request.form.get('userid', '')
        info = requests.get(f'{API_HOST}/api/user/{userid}').text
        return render_template('get_info.html', info=info)

@app.route('/api')
@internal_api
def api():
    return '/user/<uid>, /flag'

@app.route('/api/user/<uid>')
@internal_api
def get_flag(uid):
    try:
        info = users[uid]
    except:
        info = {}
    return json.dumps(info)

@app.route('/api/flag')
@internal_api
def flag():
    return FLAG

application = app # app.run(host='0.0.0.0', port=8000)
# Dockerfile
#     ENTRYPOINT ["uwsgi", "--socket", "0.0.0.0:8000", "--protocol=http", "--threads", "4", "--wsgi-file", "app.py"]

 

 

Path traversal attempts were not working, so I dug through the HTML and found the following JS code.

When the form is submitted, the user event listener runs.

element.addEventListener(event, function, useCapture)

 

 

 
userid was being sent as 0.
Because we held the request before it reached the server, we could see the event listener being executed.
From this I could maybe tell that the event listener runs first..? Perhaps..? Hmm....
 
 

When you submit the form, the submit event is fired before the request is sent to the server. This gives you a chance to validate the form data. If the form data is invalid, you can stop submitting the form.

So when the form is submitted, the submit event seems to finish before anything is sent to the server?

 
 
 

 

 

Return false on addEventListener submit still submits the form?

var form = document.forms[0]; form.addEventListener("submit", function(){ var email = form.elements['answer_13829'].value; if( email == 'geobraks@yahoo.ca') { alert('redirecting the user....

stackoverflow.com

https://www.codingfactory.net/12175

 

So it looks like manipulating userid with Burp Suite and sending it will work.

 

So I sent ../flag with Burp Suite and it came out.
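
A server-side fix for the URL built in get_info(), as an added example that is not part of the original post or the challenge code: the raw interpolation is shown beside a builder that validates userid before using it. The names USERID_RE, naive_user_url, effective_path and safe_user_url are assumed here, the digits-only id format is an assumption based on the users dict, and posixpath.normpath stands in for the HTTP client's dot-segment handling.

```python
import posixpath
import re
from urllib.parse import quote, urlsplit

API_HOST = 'http://127.0.0.1:8000'  # same value as in the challenge source

# Assumption: valid ids are short decimal strings, like the keys '0' and '1'
# of the users dict in the challenge source.
USERID_RE = re.compile(r'[0-9]{1,10}')


def naive_user_url(userid):
    """Build the backend URL the way get_info() does: raw interpolation."""
    return f'{API_HOST}/api/user/{userid}'


def effective_path(url):
    """Path left after dot segments are collapsed.

    posixpath.normpath is used here as an offline stand-in for the
    dot-segment removal an HTTP client applies before sending.
    """
    return posixpath.normpath(urlsplit(url).path)


def safe_user_url(userid):
    """Hardened builder: allowlist first, then encode as a single segment."""
    if not USERID_RE.fullmatch(userid):
        raise ValueError(f'rejected userid: {userid!r}')
    return f'{API_HOST}/api/user/{quote(userid, safe="")}'


if __name__ == '__main__':
    # Constructed inputs: a normal id and the value sent in the post.
    for userid in ('0', '../flag'):
        print(repr(userid), '-> naive path', effective_path(naive_user_url(userid)))
        try:
            print('   hardened:', safe_user_url(userid))
        except ValueError as exc:
            print('   hardened:', exc)
```

The check has to live in the Flask handler, because whatever the page's JavaScript does to userid never runs when the request is sent from a proxy.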