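@app.route('/upload', methods=['GET', 'POST'])
def upload():
    """Admin-only avatar upload; forwards the file to the local PHP upload service.

    Access is gated twice: the ``username`` claim of the ``token`` cookie
    (decoded by ``decode_jwt``) must be ``'admin'``, and ``session['role']``
    must be ``'admin'``.  A missing cookie redirects to the login page; any
    other failure re-renders the form with an error message.  On a valid
    submit the file is POSTed to ``http://127.0.0.1/upload.php`` and the
    service's response is flashed back to the user.
    """
    token = request.cookies.get('token')
    if not token:
        flash('Please login first', 'warning')
        return redirect(url_for('login'))

    payload = decode_jwt(token)
    form = UploadForm()

    # decode_jwt is assumed to return a dict of claims, or something falsy for
    # an invalid/expired token.  The original dereferenced payload['username']
    # in the "not payload" branch, which raised TypeError (HTTP 500) instead of
    # rendering the error page; a token without a username claim raised
    # KeyError the same way.
    username = payload.get('username') if payload else None
    if not payload or username != 'admin':
        error_message = 'You do not have permission to access this page.Your username is not admin.'
        return render_template('upload.html', form=form,
                               error_message=error_message, username=username)

    # session.get: a session with no 'role' key is "not admin", not a KeyError.
    # (A falsy role is != 'admin' anyway, so the original double test collapses.)
    if session.get('role') != 'admin':
        error_message = 'You do not have permission to access this page.Your role is not admin.'
        return render_template('upload.html', form=form,
                               error_message=error_message, username=username)

    if form.validate_on_submit():
        file = form.avatar.data
        if file:
            # secure_filename only sanitises the name we send on; the PHP
            # service decides where and under what name the file is stored.
            filename = secure_filename(file.filename)
            files = {'file': (filename, file.stream, file.content_type)}
            php_service_url = 'http://127.0.0.1/upload.php'
            # NOTE(review): no timeout here (view_uploads uses timeout=1); a
            # stalled PHP service would block this worker indefinitely.
            response = requests.post(php_service_url, files=files)
            if response.status_code == 200:
                # The PHP service's raw response body is shown to the user;
                # make sure the template does not render flashed messages
                # with |safe.
                flash(response.text, 'success')
            else:
                flash('Failed to upload file to PHP service', 'danger')

    return render_template('upload.html', form=form)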
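@app.route('/view_uploads', methods=['GET', 'POST'])
def view_uploads():
    """Admin-only page that fetches ``http://<path>?s=<filepath>`` and shows the body.

    Authorisation uses only the ``username`` claim of the ``token`` cookie
    (there is no ``session['role']`` check here, unlike ``upload``).  On a
    valid submit, ``path`` (read raw from the form) and ``user_input`` (the
    form's filepath field) are accepted only if ``path`` contains
    ``www.testctf.com`` and not ``127.0.0.1``, and ``filepath`` contains
    ``/var/www/html/uploads/`` and no ``.``.  The fetched response body is
    rendered as ``user_input``; a network failure renders an error message.
    """
    token = request.cookies.get('token')
    form = GameForm()
    if not token:
        error_message = 'Please login first'
        return render_template('view_uploads.html', form=form, error_message=error_message)

    payload = decode_jwt(token)
    if not payload:
        error_message = 'Invalid or expired token. Please login again.'
        return render_template('view_uploads.html', form=form, error_message=error_message)

    # .get: a token without a username claim is "not admin", not a KeyError.
    if payload.get('username') != 'admin':
        error_message = 'You do not have permission to access this page.Your username is not admin'
        return render_template('view_uploads.html', form=form, error_message=error_message)

    user_input = None
    if form.validate_on_submit():
        # 'path' bypasses GameForm and may be absent; both values default to
        # '' so the substring checks below reject them instead of raising
        # TypeError ("in None") and returning a 500.
        filepath = form.user_input.data or ''
        pathurl = request.form.get('path') or ''

        # Substring allow/deny list, kept exactly as written.  NOTE(review):
        # substring checks only constrain what the strings *contain*; they do
        # not pin the host the request actually goes to, so the target is
        # still largely caller-chosen (presumably the challenge's intended
        # SSRF surface).
        if ("www.testctf.com" not in pathurl) or ("127.0.0.1" in pathurl) \
                or ('/var/www/html/uploads/' not in filepath) or ('.' in filepath):
            error_message = "www.testctf.com must in path and /var/www/html/uploads/ must in filepath."
            return render_template('view_uploads.html', form=form, error_message=error_message)

        params = {'s': filepath}
        try:
            # timeout=1 bounds each connect/read operation, not the whole transfer.
            response = requests.get("http://" + pathurl, params=params, timeout=1)
        except requests.RequestException:
            # Was a bare ``except:`` around the fetch *and* the render, which
            # also masked template errors and KeyboardInterrupt; only
            # network-level failures map to this message now.
            error_message = "500! Server Error"
            return render_template('view_uploads.html', form=form, error_message=error_message)
        return render_template('view_uploads.html', form=form, user_input=response.text)

    return render_template('view_uploads.html', form=form, user_input=user_input)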
通过 /upload 接口可以把 payload 上传到 uploads 目录下面（文件经 secure_filename 处理后转发给 http://127.0.0.1/upload.php；从 view_uploads 的过滤条件看，存放路径应为 /var/www/html/uploads/）。
通过 /view_uploads 可以读取上传的内容（需要 username 为 admin 的 token；path 须包含 www.testctf.com 且不含 127.0.0.1，filepath 须包含 /var/www/html/uploads/ 且不含 "."）。
POST /view_uploads HTTP/1.1 Host: 123.zeuo.dg01.ciihw.cn:45732 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 ......