More articles related to [WesternCTF2018]shrine

0x00 Knowledge points SSTI template injection: template injection concerns the process by which a server-side web application uses a template engine to render user requests. When the server renders user-supplied input as a template, SSTI (Server-Side Template Injection) can result. 0x01 Template engines A template engine (here specifically one used for web development) exists to separate the user interface from business data (content); it generates documents in a specific format, and a template engine for a website generates a standard HTML document. Some template engines: Smarty, Mako, Jinja2, Jade, Velocity, Freemake…
A write-up of a template-injection challenge with filtering. The source code is given directly: import flask import os app = flask.Flask(__name__) app.config['FLAG'] = os.environ.pop('FLAG') @app.route('/') def index(): return open(__file__).read() @app.route('/shrine/<path:shrine>') def shrine(shrine): def safe_jinja(s):…
1. [WesternCTF2018]shrine Not much to say: an SSTI template-injection problem. It filters () but we do not panic. Start injecting; {{29*3}} passes the test. It turns out to be Jinja2 template injection. The key point is that there are no (), and we also need to obtain the config, from which we can get the flag. A summary of several common statements for reading config: 1.{{config}} 2.{{self.__dict__}} If config, self and () are all unusable, we must find config's parent, current_app 1.url_for.__globals__['…
Contents Problem log: Shrine Problem log: Shrine Challenge reproduction link: https://buuoj.cn/challenges Reference link: Shrine Solving this problem summarizes Flask SSTI: CTF SSTI (server-side template injection)…
0x01 import flask import os app = flask.Flask(__name__) app.config['FLAG'] = os.environ.pop('FLAG') @app.route('/') def index(): return open(__file__).read() @app.route('/shrine/') def shrine(shrine): def safe_jinja(s): s = s.replace('(', '').replace…
Info: Problem source: TokyoWesterns CTF Tags: flask, SSTI Solution process After building the challenge environment, visiting the home page gives the program source: import flask import os app = flask.Flask(__name__) app.config['FLAG'] = os.environ.pop('FLAG') @app.route('/') def index(): return open(__file__).read() @app.route('/shrine/') def sh…
攻防世界 WEB advanced section TokyoWesterns CTF shrine Writeup Problem introduction Problem focus Template injection Writeup Enter the problem import flask import os app = flask.Flask(__name__) app.config['FLAG'] = os.environ.pop('FLAG') @app.route('/') def index(): return open(__file__).read() @app.route('/shrine/<…
shrine import flask import os app = flask.Flask(__name__) app.config['FLAG'] = os.environ.pop('FLAG') @app.route('/') def index(): return open(__file__).read() @app.route('/shrine/<path:shrine>') def shrine(shrine): def safe_jinja(s): s = s.replace(…
http://blog.csdn.net/ldghd/article/details/9632455 ***************************** One ************************** AssetBundle incompatibility 1 I just started receiving the following error: The asset bundle 'http://***.unity3d' couldn't be lo…
http://www.manew.com/thread-43970-1-1.html Today we share the Shrine Arch-viz Demo that Unity made together with Alex Lovett using Unity 5, which makes full use of Unity 5's real-time global illumination. It is really stunning; any random frame could be used as a screensaver~~~ First, the video: http://static.video.qq.com/TPout.swf?vid=t017102l7by&auto=0 The demo above was made with Unity 5.2, without importing any third-party…
This article has two parts: the first builds a Docker program from GitHub by way of a manually scheduled task; the second uses a GitHub webhook to trigger an automatic build. Jenkins version 2.5, Docker version 1.7.1, code hosted on GitHub, operating system Cent6.7 provided by IBM Bluemix, server located in Southern California, USA. 1.1 Create a Freestyle Project, let's say jenkins-docker 1.2 Set workplace to /var/lib/jenkins/job…
Preface: I have recently been teaching myself Flutter cross-platform development, and judging from the learning process it honestly does not feel like an especially easy thing. Not only do you have to understand the syntax rules, you also need to know the common widgets and some peripheral knowledge, so, to borrow the ancients' words, "the road ahead is long and far; I shall search high and low." About Material Design Below is an excerpt from a very good article on "Material Design", link 1. What is Android? Imagine a classmates' reunion over the New Year: everyone puts their phones on the dinner table, and besides the various iPhone models, what phone brands can you see? I bet there will be OPPO, VIVO, Meizu,…
Contest2073 - Hunan Multi-School Contest (2015.04.06) Problem A: (More) Multiplication Time Limit: 1 Sec Memory Limit: 128 MB Submit: 85 Solved: 47 [Submit][Status][Web Board] Description Educators are always coming up with new ways to teach math to students. In 2011, a…
const MAP = [        "\xc2\xa9" => 'COPYRIGHT SIGN',        "\xc2\xae" => 'REGISTERED SIGN',        "\xe2\x80\xbc" => 'DOUBLE EXCLAMATION MARK',        "\xe2\x81\x89" => 'EXCLAMATION QUESTION MARK',     …
She left her shoes, she took everything else, her toothbrush, her clothes, and even that stupid little silver vase on the table we kept candy in. Just dumped it out on the table and took the vase. The tiny apartment we shared seemed different now, he…
Problem link: https://nanti.jisuanke.com/t/31453 After Incident, a feast is usually held in Hakurei Shrine. This time Reimu asked Kokoro to deliver a Nogaku show during the feast. To enjoy the show, every audience has to wear a Nogaku mask, and seat around as…
Java Magic. Part 2: 0xCAFEBABE @(Base)[JDK, magic, black magic] When reposting, please cite: original address English original Series articles: -Java Magic. Part 1: java.net.URL -Java Magic. Part 2: 0xCAFEBABE -Java Magic. Part 3: Finally -Java Magic. Part 4: sun.misc.Unsafe Did you know that all Java class files share the same 4-byte string? This 4-byte string's 16…
After Incident, a feast is usually held in Hakurei Shrine. This time Reimu asked Kokoro to deliver a Nogaku show during the feast. To enjoy the show, every audience has to wear a Nogaku mask, and seat around as a circle. There are N guests Reimu serv…
1. Buy an X with a coupon code? (1) Step one: the first step of this problem mainly requires knowing that once PHP's random seed has leaked, it can be used to predict the sequence. The problem returns a 15-character coupon code, but a 24-character one is required, so the seed must be recovered from the 15 characters and then extended to 24. Because the coupon code here is in string form, it must be converted into numeric form, that is, into a format convenient for testing with php_mt_seed. <?php //generate the coupon code $_SESSION['seed']=rand(0,999999999); function youhuima(){ mt_srand(…
Today I learned about Python template injection; here I set up an environment myself to test it. Reference article: http://www.freebuf.com/articles/web/136118.html The web program consists of two files: flask-test.py and Config.py #!/usr/bin/env python # -*- coding:utf8 -*- import hashlib import logging from datetime import timedelta from flask import F…
Portal: https://nanti.jisuanke.com/t/31453 A.Hard to prepare After Incident, a feast is usually held in Hakurei Shrine. This time Reimu asked Kokoro to deliver a Nogaku show during the feast. To enjoy the show, every audience has to wear a Nogaku mask, a…
Weekend Party Time Limit: 2 Seconds Memory Limit: 65536 KB As the only Oni (a kind of fabulous creature with incredible strength and power) living on the surface of Gensokyo, Ibuki Suika has an interest in gathering Humans and Youkai in Gensokyo …
Hard to prepare 28.63% 1000ms 262144K   After Incident, a feast is usually held in Hakurei Shrine. This time Reimu asked Kokoro to deliver a Nogaku show during the feast. To enjoy the show, every audience has to wear a Nogaku mask, and seat around as…
Contents A. Hard to prepare B.BE, GE or NE F.Features Track G.Trace H.Ryuji doesn't want to study I.Characters with Hash J. Maze Designer A. Hard to prepare After Incident, a feast is usually held in Hakurei Shrine. This time Reimu asked Kokoro to deliver…
ambient a. surrounding, encompassing ambiguous a. equivocal; divergent ambitious a. ambitious; aspiring ample a. sufficient; spacious amplitude n. vastness; abundance; amplitude amusement n. entertainment, pastime, fun analogue n. analogous thing; cognate analogy n. similarity, resemblance; comparison analytic(al) a. analytical; decomposing anniversary n. anniversary announce vt. announce the arrival of… annually ad. yearly, every year anode n. anode, positive…
2012 College English Test Band 6 vocabulary baseball n. baseball; the sport of baseball basement n. basement; cellar; ground floor basin n. inland sea; basin, drainage area battery n. artillery battery; group of weapons battle vi. fight vt. do battle with… bazaar n. bazaar, discount store agitation n. agitation, incitement; stirring agreeable a. pleasant; agreeing alas int. alas album n. scrapbook; photo album; anthology alert a. vigilant; lively algebra n. algebra alien a. foreign n. foreigner al…
Approach: prepare the configuration file setting.py, run src/data.py, create a database and table in MySQL, and import the dictionary data into the table. Write server.py to set up the server side, loop to receive web requests, use multithreading for concurrency, parse the request, and return a response. Not yet complete; only the basic flow is implemented: client sends request -> server parses request -> information fetched from database -> server returns response -> client displays result. Code structure: . ├── log ├── server.py ├── src │ …
Python implementation of an electronic dictionary (graphical interface) Terminal electronic dictionary: https://www.cnblogs.com/noonjuan/p/11341375.html File list: . ├── client.py ├── data.py ├── dic.csv ├── func.py ├── pics │ ├── pic_login.jpg │ ├── pic_main.jpg │ └── pic_signup.jpg ├── readme.txt ├── server.py └── settings.py The pics folder images…
Code overview: dictionary/ ├── code │ ├── client.py │ ├── func.py │ ├── server.py │ └── settings.py ├── data │ ├── data.py │ ├── in.txt │ ├── out.txt │ └── processor.py └── readme.txt Detailed code: Electronic dictionary Function description: first screen: log in, register, exit. Second screen: look up a word, view history (show the latest 10 entries or all), log out. Technical notes: network comm…
whereas conj. whereas, but, on the contrary witty a. witty; humorous legislation n. legislation; laws length n. extent, range lengthen vt. lengthen vi. grow longer leopard n. leopard woe n. sorrow, grief, distress woodpecker n. woodpecker wrestle n. wrestling; struggle, fight wretched a. unfortunate; despicable wring vt. wring, squeeze, twist, extract wrinkle n. wrinkle vt. wrinkle xerox vt.&vi. photocopy yacht n. yacht, speedboat year…