0

在 Python 中如何遍历目录以获取 root 权限?我使用 编写了一些代码BeautifulSoup,但它显示“找不到模块”。所以我有这个:

#
# There is a directory traversal vulnerability in the
# following page http://127.0.0.1:8082/humantechconfig?file=human.conf
# Write a script which will attempt various levels of directory
# traversal to find the right amount that will give access
# to the root directory. Inside will be a human.conf with the flag.
#
# Note: The script can timeout if this occurs try narrowing
# down your search


import urllib.request
import os

req = urllib.request.urlopen("http://127.0.0.1:8082/humantechconfig?file=human.conf")
dirName = "/tmp"
def getListOfFiles(dirName):

    listOfFile = os.listdir(dirName)
    allFiles = list()

    for entry in listOfFile:
        # Create full path
        fullPath = os.path.join(dirName, entry)

        if os.path.isdir(fullPath):
            allFiles = allFiles + getListOfFiles(fullPath)
        else:
            allFiles.append(fullPath)

    return allFiles
listOfFiles = getListOfFiles(dirName)
print(listOfFiles)

for file in listOfFiles:
 if file.endswith(".conf"):
 f = open(file, "r")
 print(f.read())

这输出:

/tmp/level-0/level-1/level-2/human.conf

User : Human 66

Flag: Not-Set (Must be Root Human)

然而。如果我将 URL 更改为“ http://127.0.0.1:8082/humantechconfig?file=../../../human.conf ”,它会给我输出:

User : Human 66

Flag: Not-Set (Must be Root Human)




User : Root Human

Flag: Well done the flag is: {}

它所在的目录遍历级别波动很大,从/tmp/level-2/tmp/level-15; 如果是我写的那个,那么它说我是'Root Human'。但它不会给我旗帜,尽管我突然成为“根人类”。我遍历目录的方式有问题吗?

req = urllib.request.urlopen("http://127.0.0.1:8082/humantechconfig?file=human.conf")如果我拿走这条线似乎一点也不重要。我如何才能将代码实际发送到该 URL?谢谢!

4

1 回答 1

1

网络发现月球基地挑战?对于这个,您需要在(例如' http://127.0.0.1:8082/humantechconfig?file=../human.conf'../' ')前面不断添加,这将成为您的 URL。您需要请求的此 URL 。挑战的主要部分是使用简单的循环来附加多次,这不会很困难。您不需要使用操作系统。确保在找到标志后中断循环(否则它将进入无限循环并给您错误)。human.conf(using urllib.request.urlopen(URL))../

于 2020-05-28T10:46:29.520 回答