Table of Contents
- CTF challenge type: SSTI (1) Flask-SSTI-labs walkthrough notes
- Preface
- Level 1 no WAF
- Level 2 bl['{{']
- Level 3 no WAF and blind
- Level 4 bl['[', ']']
- Level 5 bl["'", '"']
- Level 6 bl['_']
- Level 7 bl['.']
- Level 8 bl["class", "arg", "form", "value", "data", "request", "init", "global", "open", "mro", "base", "attr"]
- Level 9 bl['0-9']
- Level 10 set config = None
- Level 11 bl["'", '"', '+', 'request', '.', '[', ']']
- Level 12 bl['_', '.', '0-9', '\', "'", '"', '[', ']']
- Level 13 bl['_', '.', '\', "'", '"', 'request', '+', 'class', 'init', 'arg', 'config', 'app', 'self', '[', ']']
- Preface
- Summary
Preface
Environment setup
I recommend using the online NSSCTF instance at https://www.nssctf.cn/problem/13 directly.
For the challenges below I use concise payloads to bypass each level's blacklist; the base payload is `{{lipsum.__globals__['os'].popen('ls').read()}}`.