CIDY
[Web_Hacking] stage8_문제풀이(file-download-1) 본문
#!/usr/bin/env python3
import os
import shutil
from flask import Flask, request, render_template, redirect
from flag import FLAG
APP = Flask(__name__)
UPLOAD_DIR = 'uploads'
@APP.route('/')
def index():
files = os.listdir(UPLOAD_DIR)
return render_template('index.html', files=files)
@APP.route('/upload', methods=['GET', 'POST'])
def upload_memo():
if request.method == 'POST':
filename = request.form.get('filename')
content = request.form.get('content').encode('utf-8')
if filename.find('..') != -1:
return render_template('upload_result.html', data='bad characters,,')
with open(f'{UPLOAD_DIR}/{filename}', 'wb') as f:
f.write(content)
return redirect('/')
return render_template('upload.html')
@APP.route('/read')
def read_memo():
error = False
data = b''
filename = request.args.get('name', '')
try:
with open(f'{UPLOAD_DIR}/{filename}', 'rb') as f:
data = f.read()
except (IsADirectoryError, FileNotFoundError):
error = True
return render_template('read.html',
filename=filename,
content=data.decode('utf-8'),
error=error)
if __name__ == '__main__':
if os.path.exists(UPLOAD_DIR):
shutil.rmtree(UPLOAD_DIR)
os.mkdir(UPLOAD_DIR)
APP.run(host='0.0.0.0', port=8000)일단 app코드는 이러하다.
uploads디렉토리에 filename으로 저장되고, read도 해당 디렉토리에서 읽어온다.
이렇게 하면 될 줄 알았다.. 그럼 어떡하지
아 한 디렉토리 위에 있구나
'Hack > DreamHack(로드맵)' 카테고리의 다른 글
| [Web_Hacking] stage9_문제풀이(web-ssrf) (0) | 2022.07.30 |
|---|---|
| [Web_Hacking] stage9_SSRF (0) | 2022.07.30 |
| [Web_Hacking] stage8_문제풀이(image-storage) (0) | 2022.07.30 |
| [Web_Hacking] stage8_File Vulnerability (0) | 2022.07.30 |
| [Web_Hacking] stage7_문제풀이(command-injection-1) (0) | 2022.07.30 |
'Hack/DreamHack(로드맵)' Related Articles
more
