Catalog

5、 ... and 、shrine

How to solve the problem ：

The process ：

6、 ... and 、lottery

How to solve the problem ：

The process ：

5、 ... and 、shrine

 

How to solve the problem ：

1、php Source code understanding ,SSTI（ Server side ） Template Injection

The process ：

Ctrl+U

View source code

  Used 2 A module flask and os modular , See whether the module can be injected

app.route Passed two paths

Filter () and 'config','self' Was blacklisted

---

  visit shrine route

/shrine/{ {1+3}}

Carried out transportation , There is SSTI（ Server side ） Template Injection

 

---

And because of filtering () and 'config','self' Was blacklisted

1、payload：

/shrine/{ {url_for.__globals__['current_app'].config}}

---

2、payload：

/shrine/{ {get_flashed_messages.__globals__['current_app'].config['FLAG']}}

 

6、 ... and 、lottery

 

How to solve the problem ：

1、 Logical loopholes , Weak equality

The process ：

Swim once

Then register

 

 

 

See here flag

---

  Click on buy after

Grab the bag

appear api.php Of post The ginseng

 api.php Become the focus

  see robots.txt Found out

Indicate that it cannot pass git Get the source code

Find the attachment to the title

It's the source code

 

---

Automatic audit

（ There are no loopholes ）

  Check the source code yourself

You can find

1、request yes json Format （json Support Boolean data ）

 

2、7 Comparison of digits , One by one

3、 And weak equality is used （TRUE,1,"1" They are all equal , It's just different types ）

 

---

structure payload

[true,true,true,true,true,true,true]

Change to

{"action":"buy","numbers":[true,true,true,true,true,true,true]}

Use bp Grab the bag

 

  Click again buy