
Identification

Now that we have detected which characters (here {{) cause the application to error, it's time to identify which template engine is being used.

Sometimes the error message includes the name of the template engine and possibly its version, but that is rare. Otherwise we can walk the decision tree to work out which template engine is in use.

http://10.10.39.6:5000/profile/{{7*'7'}} - gives us 7777777

This means the template engine in that backend is Jinja2: in Python, 7*'7' is string repetition, so a Python-based engine renders the probe as 7777777 rather than evaluating it as numeric multiplication.

Jinja2 Syntax

Always look for the following, whatever language or template engine is used:

  • How to start and end a print statement

  • How to start and end a block statement

In the case of Jinja2 templates:

  • {{ - Used to mark the start of a print statement

  • }} - Used to mark the end of a print statement

  • {% - Used to mark the start of a block statement

  • %} - Used to mark the end of a block statement

In Jinja2, a comment is opened with {# and closed with #}.
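As an added example (not code from the original page), the script below shows the identification signals from this section from the defender's side: it URL-decodes request paths from web-server access logs, looks for the Jinja2 print ({{ }}), block ({% %}) and comment ({# #}) delimiters listed above, and flags the arithmetic identification probe such as {{7*'7'}}. The log lines, IP addresses, paths and function names are all constructed for illustration and are not taken from the page or from any real system.

```python
import re
from urllib.parse import unquote

# Jinja2 delimiters from the syntax list: print {{ }}, block {% %}, comment {# #}.
TEMPLATE_MARKERS = {
    "print": re.compile(r"\{\{(.*?)\}\}", re.S),
    "block": re.compile(r"\{%(.*?)%\}", re.S),
    "comment": re.compile(r"\{#(.*?)#\}", re.S),
}

# The classic identification probe: an integer multiplied by a (possibly quoted)
# digit, e.g. 7*'7'. A Python-based engine such as Jinja2 renders it as 7777777.
ARITH_PROBE = re.compile(r"^\d+\s*\*\s*['\"]?\d+['\"]?$")

# Minimal combined-log-format request-line pattern (constructed for this example).
LOG_RX = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def find_template_markers(raw_value: str) -> dict:
    """URL-decode a request value and return every template statement body found,
    keyed by statement kind (print / block / comment)."""
    decoded = unquote(raw_value)
    findings = {}
    for kind, rx in TEMPLATE_MARKERS.items():
        bodies = [m.group(1).strip() for m in rx.finditer(decoded)]
        if bodies:
            findings[kind] = bodies
    return findings


def is_arithmetic_probe(findings: dict) -> bool:
    """True when any print statement is a bare multiplication like 7*'7' or 7*7."""
    return any(ARITH_PROBE.match(body) for body in findings.get("print", []))


def scan_log(lines):
    """Run the marker check over access-log lines and return one alert per hit."""
    alerts = []
    for line in lines:
        m = LOG_RX.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        findings = find_template_markers(m.group("path"))
        if not findings:
            continue
        alerts.append({
            "path": unquote(m.group("path")),
            "status": int(m.group("status")),
            "markers": sorted(findings),
            "arith_probe": is_arithmetic_probe(findings),
        })
    return alerts


# Constructed sample log lines (not real traffic). The first one carries the
# {{7*'7'}} probe from the text, URL-encoded the way a browser sends it.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /profile/%7B%7B7*%277%27%7D%7D HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /profile/alice HTTP/1.1" 200 1024',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /profile/%7B%25%20for%20x%20in%20y%20%25%7D HTTP/1.1" 500 210',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=%7B%23note%23%7D HTTP/1.1" 200 33',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The decode-before-match step matters: the delimiters arrive percent-encoded, so a rule that only looks for literal {{ in the raw log would miss every probe. The 500 status on the block-statement line is the same error signal the previous section used to find the injection point, which is why status code and marker kind are reported together.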


Last updated 2 years ago