🔒 Cyber Security/Web Hacking

[DreamHack] Dreamhack Web Hacking: file-download-1

선달 2023. 7. 14. 23:26

https://dreamhack.io/wargame/challenges/37/

 


 

Challenge

A web service with a File Download vulnerability.
Download flag.py to obtain the flag.

 

๋ฌธ์ œํŒŒ์ผ

#!/usr/bin/env python3
import os
import shutil

from flask import Flask, request, render_template, redirect

from flag import FLAG

APP = Flask(__name__)

UPLOAD_DIR = 'uploads'


@APP.route('/')
def index():
    # Home page lists every file currently in uploads/
    files = os.listdir(UPLOAD_DIR)
    return render_template('index.html', files=files)


@APP.route('/upload', methods=['GET', 'POST'])
def upload_memo():
    if request.method == 'POST':
        filename = request.form.get('filename')
        content = request.form.get('content').encode('utf-8')

        # Upload rejects names containing '..', so writing outside uploads/ is blocked
        if filename.find('..') != -1:
            return render_template('upload_result.html', data='bad characters,,')

        with open(f'{UPLOAD_DIR}/{filename}', 'wb') as f:
            f.write(content)

        return redirect('/')

    return render_template('upload.html')


@APP.route('/read')
def read_memo():
    error = False
    data = b''

    filename = request.args.get('name', '')

    # No '..' check here: the value of ?name= is joined onto uploads/ verbatim,
    # so ../flag.py opens the file one directory above uploads/
    try:
        with open(f'{UPLOAD_DIR}/{filename}', 'rb') as f:
            data = f.read()
    except (IsADirectoryError, FileNotFoundError):
        error = True

    return render_template('read.html',
                           filename=filename,
                           content=data.decode('utf-8'),
                           error=error)


if __name__ == '__main__':
    # Start with a fresh, empty uploads/ directory every run
    if os.path.exists(UPLOAD_DIR):
        shutil.rmtree(UPLOAD_DIR)

    os.mkdir(UPLOAD_DIR)

    APP.run(host='0.0.0.0', port=8000)

 

Solution

This one could be solved without even looking at the provided code...

Just a quick look at how the site is put together gives a clue.

 

ํŒŒ์ผ ์ œ๋ชฉ๊ณผ ์ปจํ…์ธ ๋ฅผ ์ž…๋ ฅํ•ด์„œ ์—…๋กœ๋“œํ•˜๋ฉด

 

ํ™ˆํ™”๋ฉด์— ๋‚ด๊ฐ€ ์—…๋กœ๋“œํ•œ ํŒŒ์ผ์ด ๋‚˜ํƒ€๋‚˜๋Š” ํ˜•์‹

 

๊ฐ ํŒŒ์ผ์„ ํด๋ฆญํ•˜๋ฉด

์ด๋ ‡๊ฒŒ ๋‚ด์šฉ์„ ํ™•์ธ ํ•  ์ˆ˜ ์žˆ๋‹ค

 

๊ทผ๋ฐ URL์„ ์ž˜ ์‚ดํŽด๋ณด๋‹ˆ ๊ต‰์žฅํžˆ ๋‹จ์ˆœํ•˜๋‹ค

 

read?name="ํŒŒ์ผ์ด๋ฆ„" ์„ ์ž…๋ ฅํ•˜๋ฉด ํ•ด๋‹นํ•˜๋Š” ํŒŒ์ผ์„ ์ฝ์„ ์ˆ˜ ์žˆ๊ฒ ๋‹ค.

 

So let's try reading flag.py, the file the challenge tells us to read.

http://host3.dreamhack.games:16310/read?name=flag.py

 

As expected, it doesn't seem to exist in the uploads/ folder.

 

๋ฐ”๋กœ ์ƒ์œ„๊ณ„์ธต ํด๋”์—์„œ ์ฐพ์•„๋ณด์ž

http://host3.dreamhack.games:16310/read?name=../flag.py

Success!
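As an added example (not part of the original write-up or of the challenge's own code), the script below rebuilds the challenge's layout in a temporary directory (flag.py sitting next to uploads/) and compares the verbatim string concatenation that /read performs with a hardened resolver that refuses any name escaping uploads/. The names vulnerable_path, safe_path, read_with and demo are hypothetical helpers introduced here, and the flag file content is a constructed sample, not the real flag.

```python
import os
import tempfile

# Constructed sample standing in for the challenge's flag.py (not the real flag).
FLAG_SRC = "FLAG = 'DH{constructed-sample-flag}'\n"


def vulnerable_path(upload_dir, name):
    """What the challenge's /read route effectively does: concatenate the
    user-controlled name onto the upload directory and open the result.
    Nothing stops '../flag.py' from leaving upload_dir."""
    return f'{upload_dir}/{name}'


def safe_path(upload_dir, name):
    """Hypothetical hardened resolver: return the resolved path only if it stays
    inside upload_dir, otherwise None. realpath() collapses '..', repeated
    slashes and symlinks; os.path.join with an absolute name yields that absolute
    name, which the prefix check then rejects."""
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate


def read_with(resolver, upload_dir, name):
    """Read a memo through the given resolver, mirroring the route's error
    handling (missing file or directory -> no content)."""
    path = resolver(upload_dir, name)
    if path is None:
        return None
    try:
        with open(path, 'rb') as f:
            return f.read().decode('utf-8')
    except (IsADirectoryError, FileNotFoundError):
        return None


def demo():
    """Build the constructed layout (root/flag.py next to root/uploads/) and run
    the legitimate and traversal requests against both resolvers."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, 'uploads')
        os.mkdir(uploads)
        with open(os.path.join(root, 'flag.py'), 'w') as f:
            f.write(FLAG_SRC)
        with open(os.path.join(uploads, 'memo.txt'), 'w') as f:
            f.write('hello')

        return {
            # The vulnerable join serves the memo and, via '../', the flag
            'vuln_memo': read_with(vulnerable_path, uploads, 'memo.txt'),
            'vuln_traversal': read_with(vulnerable_path, uploads, '../flag.py'),
            # The hardened resolver still serves the memo but refuses both the
            # relative traversal and an absolute path to the same file
            'safe_memo': read_with(safe_path, uploads, 'memo.txt'),
            'safe_traversal': read_with(safe_path, uploads, '../flag.py'),
            'safe_absolute': read_with(safe_path, uploads, os.path.join(root, 'flag.py')),
        }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value!r}')
```

The point of the comparison is that the challenge's upload route does check for '..', but the read route does not, and a filter on one code path does nothing for the other; resolving the final path and checking it against the intended directory covers every way of spelling the escape, rather than one substring.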

๋ฐ˜์‘ํ˜•