返回
1
0

DNS想要玩 WP - lang

lang,2026-07-09 09:10

from flask import Flask, request from urllib.parse import urlparse import socket import os app = Flask(name) BlackList=[ 'localhost', '@', '172', 'gopher', 'file', 'dict', 'tcp', '0.0.0.0', '114.5.1.4' ] def check(url): url = urlparse(url) host = url.hostname host_acscii = host.encode('idna').decode('utf-8') return socket.gethostbyname(host_acscii) == '114.5.1.4' @app.route('/') def index(): return open(file).read() @app.route('/ssrf') def ssrf(): raw_url = request.args.get('url') if not raw_url: return 'URL Needed' for u in BlackList: if u in raw_url: return 'Invaild URL' if check(raw_url): return os.popen(request.args.get('cmd')).read() else: return "NONONO" if name == 'main': app.run(host='0.0.0.0',port=8000)

分析通过/ssrf路径访问获取flag

第一包含url,否则返回URL Needed

第二输入的url在BlackList=[ 'localhost', '@', '172', 'gopher', 'file', 'dict', 'tcp', '0.0.0.0', '114.5.1.4' ]返回Invaild URL

第三输入的url要是114.5.1.4,刚好在Blacklist里面,利用gethostbyname 能够解析十进制数为IP特性,通过设置url为http://1912930564成功访问。

0
0

评论

0
0条回复