from bottle import route, run, template, post, request, static_file, error import os import zipfile import hashlib import time import shutil # hint: flag is in /flag UPLOAD_DIR = 'uploads' os.makedirs(UPLOAD_DIR, exist_ok=True) MAX_FILE_SIZE = 1 * 1024 * 1024 # 1MB BLACKLIST = ["b","c","d","e","h","i","j","k","m","n","o","p","q","r","s","t","u","v","w","x","y","z","%",";",",","<",">",":","?"] def contains_blacklist(content): """检查内容是否包含黑名单中的关键词(不区分大小写)""" content = content.lower() return any(black_word in content for black_word in BLACKLIST) def safe_extract_zip(zip_path, extract_dir): """安全解压ZIP文件(防止路径遍历攻击)""" with zipfile.ZipFile(zip_path, 'r') as zf: for member in zf.infolist(): member_path = os.path.realpath(os.path.join(extract_dir, member.filename)) if not member_path.startswith(os.path.realpath(extract_dir)): raise ValueError("非法文件路径: 路径遍历攻击检测") zf.extract(member, extract_dir) @route('/') def index(): """首页""" return ''' ZIP文件查看器

📦 ZIP文件查看器

安全地上传和查看ZIP文件内容

📤

轻松查看ZIP文件内容

上传ZIP文件并安全地查看其中的内容,无需解压到本地设备

📁 上传ZIP文件 ℹ️ 了解更多
🛡️

安全检测

系统会自动检测上传文件,防止路径遍历攻击和恶意内容

📄

内容预览

直接在线查看ZIP文件中的文本内容,无需下载

快速处理

高效处理小于1MB的ZIP文件,快速获取内容

''' @route('/upload') def upload_page(): """上传页面""" return ''' 上传ZIP文件

📦 ZIP文件查看器

安全地上传和查看ZIP文件内容

📤 上传ZIP文件

仅支持.zip格式的文件,且文件大小不超过1MB
↩️ 返回首页
''' @post('/upload') def upload(): """处理文件上传""" zip_file = request.files.get('file') if not zip_file or not zip_file.filename.endswith('.zip'): return '请上传有效的ZIP文件' zip_file.file.seek(0, 2) file_size = zip_file.file.tell() zip_file.file.seek(0) if file_size > MAX_FILE_SIZE: return f'文件大小超过限制({MAX_FILE_SIZE/1024/1024}MB)' timestamp = str(time.time()) unique_str = zip_file.filename + timestamp dir_hash = hashlib.md5(unique_str.encode()).hexdigest() extract_dir = os.path.join(UPLOAD_DIR, dir_hash) os.makedirs(extract_dir, exist_ok=True) zip_path = os.path.join(extract_dir, 'uploaded.zip') zip_file.save(zip_path) try: safe_extract_zip(zip_path, extract_dir) except (zipfile.BadZipFile, ValueError) as e: shutil.rmtree(extract_dir) return f'处理ZIP文件时出错: {str(e)}' files = [f for f in os.listdir(extract_dir) if f != 'uploaded.zip'] return template(''' 上传成功

📦 ZIP文件查看器

安全地上传和查看ZIP文件内容

✅ 上传成功!

文件列表:
    % for file in files:
  • 📄 {{file}} 查看
    • % end
% if files:
👀 查看第一个文件
% end
➕ 上传另一个文件 🏠 返回首页
''', dir_hash=dir_hash, files=files) @route('/view//') def view_file(dir_hash, filename): file_path = os.path.join(UPLOAD_DIR, dir_hash, filename) if not os.path.exists(file_path): return "文件不存在" if not os.path.isfile(file_path): return "请求的路径不是文件" real_path = os.path.realpath(file_path) if not real_path.startswith(os.path.realpath(UPLOAD_DIR)): return "非法访问尝试" try: with open(file_path, 'r', encoding='utf-8') as f: content = f.read() except: try: with open(file_path, 'r', encoding='latin-1') as f: content = f.read() except: return "无法读取文件内容(可能是二进制文件)" if contains_blacklist(content): return "文件内容包含不允许的关键词" try: return template(content) except Exception as e: return f"渲染错误: {str(e)}" @route('/static/') def serve_static(filename): """静态文件服务""" return static_file(filename, root='static') @error(404) def error404(error): return "讨厌啦不是说好只看看不摸的吗" @error(500) def error500(error): return "不要透进来啊啊啊啊" if __name__ == '__main__': os.makedirs('static', exist_ok=True) #原神,启动! run(host='0.0.0.0', port=5000, debug=False)