
Attack and Defense World CTF: Web_python_template_injection

Editor: Python

A record of my template injection learning process

Challenge: Web_python_template_injection. The hint says it is template injection.

  • In the Jinja2 template engine, "{{ }}" is the variable delimiter. "{{ }}" does not only pass variables through; it can also evaluate simple expressions.

Template injection test:
Entering "{{1*21}}" in the URL makes the page display 21, so SSTI is present.
Related knowledge collected from other people's blogs:

  • SSTI also takes an input, splices it into the statement during back-end rendering, and then executes it. It still differs from SQL injection: SSTI relies on the website's template engine (as we will see) and mainly targets web frameworks in Python, PHP and Java, such as Python's Jinja2, Mako, Tornado and Django; PHP's Smarty and Twig; and Java's Jade and Velocity. The SSTI problem appears when these frameworks use their rendering functions to generate HTML.

  • The os module is reached through the warnings.catch_warnings module: find the position of catch_warnings among all the modules (the first time it appears at index 59), then look at which global functions exist in the catch_warnings module; the linecache function can be found there, and the os module is inside it.

  • instance.__class__ gets the class object of the current instance.

  • class.__mro__ gets all the classes the current class object inherits from.

  • Every new-style class keeps references to all of its subclasses; the __subclasses__() method returns references to all surviving subclasses of the class (note: these are class object references, not instances).

    Using these points, enumerate all the available modules.

  • Because we want to read the information in the flag file, we choose os.popen.

    First we have to find the location of the os module. It sits inside <class 'site._Printer'>, which is found at index 71.

    Through __subclasses__()[71].__init__.__globals__['os'].popen('command line statement').read()

    we call the server's shell and display the output.

    Payload structure:
    {{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].popen('ls').read()}}


The returned result shows that the flag is inside fl4g, so view fl4g:

{{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].popen('cat fl4g').read()}}
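From the defender's side, the two things this write-up shows in a request are easy to recognise: the arithmetic probe ("{{1*21}}" rendering as 21) and the introspection chain (__class__, __mro__, __subclasses__, __init__, __globals__) ending in an os gadget. The following script is an added example, not code from the write-up or from the challenge; it scores query parameters from constructed access-log lines for these markers, undoing repeated percent-encoding first because probes are often double-encoded. The log lines, the pattern list and the scoring weights are assumptions made for this example. One caveat on the payload itself: ''.__class__.__mro__[2] only exists on Python 2 (on Python 3 the MRO of str is just (str, object)), and the subclass indices 59 and 71 depend on the interpreter version and the modules the application has imported, so a detector must not key on those specific numbers.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (not taken from the page). The third line
# carries the write-up's payload shape; the fourth is a double-encoded probe.
SAMPLE_LOG = """\
GET /?name=alice HTTP/1.1
GET /?name=%7B%7B1*21%7D%7D HTTP/1.1
GET /?name={{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].popen('ls').read()}} HTTP/1.1
GET /search?q=%257B%257B7*7%257D%257D HTTP/1.1
GET /?name=%7B%25%20if%20True%20%25%7Dx%7B%25%20endif%20%25%7D HTTP/1.1
"""

# Markers of template-injection probing. Assumed weights: a bare delimiter alone
# is weak evidence, an introspection chain or an os/shell gadget is strong.
TEMPLATE_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
ARITH_PROBE = re.compile(r"\{\{\s*\d+\s*[*+\-/]\s*\d+\s*\}\}")
DUNDER_CHAIN = re.compile(r"__(?:class|mro|subclasses|init|globals|builtins|import)__")
SHELL_GADGET = re.compile(r"\b(?:popen|system|subprocess)\b|\bos\.")
CHECKS = (
    (TEMPLATE_DELIMS, 1, "template delimiters"),
    (ARITH_PROBE, 2, "arithmetic probe"),
    (DUNDER_CHAIN, 3, "dunder introspection chain"),
    (SHELL_GADGET, 3, "shell/os gadget"),
)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding; stop as soon as a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def score_value(value):
    """Return (score, reasons) for one decoded parameter value."""
    score, reasons = 0, []
    for pattern, weight, label in CHECKS:
        if pattern.search(value):
            score += weight
            reasons.append(label)
    return score, reasons


def analyse_request(line):
    """Score every query parameter of one 'METHOD target HTTP/x' log line."""
    fields = line.split(" ")
    method, target = fields[0], fields[1]
    parts = urlsplit(target)
    findings = []
    # parse_qsl already decodes one layer; fully_decode peels any extra layers.
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        score, reasons = score_value(fully_decode(raw))
        if score:
            findings.append({"param": key, "score": score, "reasons": reasons})
    return {
        "method": method,
        "path": parts.path,
        "findings": findings,
        "max_score": max((f["score"] for f in findings), default=0),
    }


def scan_log(text, threshold=1):
    """Return the analysed requests whose strongest parameter reaches the threshold."""
    requests = (analyse_request(l) for l in text.splitlines() if l.strip())
    return [r for r in requests if r["max_score"] >= threshold]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["method"], hit["path"], hit["max_score"], hit["findings"])
```

Flagging requests is the second line of defence; the first is never to build template source out of user input. Template text should come from files under the application's control and user-supplied strings should only ever be passed in as context variables, which Jinja2 renders as data rather than evaluating; a sandboxed environment is a useful extra layer, not a substitute for that rule.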

