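Last Saturday I happened to come across a competition. As a beginner I joined to learn and did not solve many of the challenges. This is my first write-up, to push myself and learn from the experts Orz
Challenge link
Topics tested -> [Python pseudo-random numbers, PyYAML deserialization, session forgery, arbitrary file read]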
app/app.py -> %61%70%70/%61%70%70%2E%70%79 --> %2561%2570%2570/%2561%2570%2570%252E%2570%2579
The source of app.py, read successfully
With the formatting tidied up:

    # encoding:utf-8
    import os
    import requests
    import re, random, uuid
    from flask import *
    from werkzeug.utils import *
    import yaml  # the problem: PyYAML deserialization
    from urllib.request import urlopen

    app = Flask(__name__)
    random.seed(uuid.getnode())
    app.config['SECRET_KEY'] = str(random.random() * 233)
    app.debug = False
    BLACK_LIST = ["yaml", "YAML", "YML", "yml", "yamiyami"]
    app.config['UPLOAD_FOLDER'] = "/app/uploads"

    @app.route('/')
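Why the `random.seed(uuid.getnode())` line in the source above matters, as an added example (not part of the challenge source or the original write-up): the Flask `SECRET_KEY` becomes a pure function of the host's MAC address, so it comes out identical on every start, whereas a key drawn from the OS CSPRNG does not. The function names and the sample node value are constructed for illustration.

```python
import random
import secrets

# Constructed sample value standing in for uuid.getnode() (a 48-bit MAC as int).
CONSTRUCTED_NODE = 0x0242AC110002


def app_style_key(node: int) -> str:
    """Derive the key exactly as app.py does, using the module-level PRNG."""
    random.seed(node)
    return str(random.random() * 233)


def recomputed_key(node: int) -> str:
    """Recompute the same key in an independent PRNG instance.

    random.Random(node) runs the same Mersenne Twister seeding as
    random.seed(node), so no state from the running app is needed.
    """
    return str(random.Random(node).random() * 233)


def hardened_key() -> str:
    """Key from the OS CSPRNG: 32 random bytes, hex-encoded, not derivable."""
    return secrets.token_hex(32)


def is_deterministic(key_factory, runs: int = 3) -> bool:
    """Simple audit check: does the factory return the same key every time?"""
    return len({key_factory() for _ in range(runs)}) == 1


if __name__ == "__main__":
    weak = lambda: app_style_key(CONSTRUCTED_NODE)
    print("app.py-style key   :", weak())
    print("recomputed key     :", recomputed_key(CONSTRUCTED_NODE))
    print("weak deterministic :", is_deterministic(weak))
    print("hardened key       :", hardened_key())
    print("hard deterministic :", is_deterministic(hardened_key))
```

In a real deployment the hardened key is generated once and loaded from a protected secret store or environment variable, so that sessions survive restarts without the key being derivable from host properties.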