0xswitch/ssti_pattern_finder.py

## ssti_pattern_finder.py
class Search:

    def __init__(self, obj, pattern, depth):
        self.max_depth = depth
        self.pattern = pattern
        self.visited_clss = []
        self.visited_objs = []

        self.search(obj)

    def search(self, obj, path="obj", depth=0):
        if self.pattern in repr(obj):
            print(path)
        if self.pattern in path:
            print(path)

        if depth == self.max_depth:
            return
        # unwanted type
        elif isinstance(obj, (int, float, bool, str, bytes)):
            return
        # class
        elif isinstance(obj, type):
            if obj in self.visited_clss:
                return
            self.visited_clss.append(obj)
        # object
        else:
            if id(obj) in self.visited_objs:
                return
            self.visited_objs.append(id(obj))

        # attributes
        for name in dir(obj):
            if name.startswith('__') and name.endswith('__'):
                if name not in  ('__globals__', '__class__', '__self__', '__weakref__', '__objclass__', '__module__', '__func__'):
                    continue
            try:
                attr = getattr(obj, name)
            except AttributeError:
                pass
            else:
                self.search(attr, '{}.{}'.format(path, name), depth + 1)

        # dict values
        if hasattr(obj, 'items') and callable(obj.items):

            try:
                for k, v in obj.items():
                    self.search(v, '{}[{}]'.format(path, repr(k)), depth)
            except (TypeError) as e :
                pass
            except RuntimeError as e:
                pass

        elif isinstance(obj, (set, list, tuple, frozenset)):
            for i, v in enumerate(obj):
                self.search(v, '{}[{}]'.format(path, repr(i)), depth)

# original work from https://ctftime.org/writeup/10851

# can be called like :
#
# @app.route("/")
# def hello_agent():
#     ua = request.user_agent
#
#     for i in range(0, 10):
#         Search(ua, "module 'sys'", i) <----
#         Search(ua, "_machine_id'", i) <----
#     return render_template("index.html", msg=f"Hello {ua}")
	class Search:

	def __init__(self, obj, pattern, depth):
	self.max_depth = depth
	self.pattern = pattern
	self.visited_clss = []
	self.visited_objs = []

	self.search(obj)

	def search(self, obj, path="obj", depth=0):
	if self.pattern in repr(obj):
	print(path)
	if self.pattern in path:
	print(path)

	if depth == self.max_depth:
	return
	# unwanted type
	elif isinstance(obj, (int, float, bool, str, bytes)):
	return
	# class
	elif isinstance(obj, type):
	if obj in self.visited_clss:
	return
	self.visited_clss.append(obj)
	# object
	else:
	if id(obj) in self.visited_objs:
	return
	self.visited_objs.append(id(obj))

	# attributes
	for name in dir(obj):
	if name.startswith('__') and name.endswith('__'):
	if name not in ('__globals__', '__class__', '__self__', '__weakref__', '__objclass__', '__module__', '__func__'):
	continue
	try:
	attr = getattr(obj, name)
	except AttributeError:
	pass
	else:
	self.search(attr, '{}.{}'.format(path, name), depth + 1)

	# dict values
	if hasattr(obj, 'items') and callable(obj.items):

	try:
	for k, v in obj.items():
	self.search(v, '{}[{}]'.format(path, repr(k)), depth)
	except (TypeError) as e :
	pass
	except RuntimeError as e:
	pass

	elif isinstance(obj, (set, list, tuple, frozenset)):
	for i, v in enumerate(obj):
	self.search(v, '{}[{}]'.format(path, repr(i)), depth)

	# original work from https://ctftime.org/writeup/10851

	# can be called like :
	#
	# @app.route("/")
	# def hello_agent():
	# ua = request.user_agent
	#
	# for i in range(0, 10):
	# Search(ua, "module 'sys'", i) <----
	# Search(ua, "_machine_id'", i) <----
	# return render_template("index.html", msg=f"Hello {ua}")