Jinja2-ExploitMe

[BEW 2.3: Web Security] Clone this repo to begin the SSTI exploit activity.

My Findings

Multiply 2 integers

Using just the required param ?exploit= doesn't change anything
- Adding 'you've been hacked' to the end allows it to be printed to the on screen console
  
  Things to note from this:
  - In the url spaces are changed to %20 and 's (single quotes) to %27,
  - and 's are added to output
Using {{ }} (an empty expression call) as the option for the param, just clears the output console. Also, if we pass in {{hello}}, we get an empty output
Whereas, if we pass in {{2}}, we get 2 as the output, from this I think we can do multiplication expression.
By doing {{2*2}} and we get 4 as the output,

Similarly we can do {{3*8}} and get 24 as the output.

-- This completes the first task of multiplying 2 integers.

Multiply an int & a str

First searching if its possible to multiply a strign by an int, I found this site & this site, which states that you can do

2 * 'string' and get stringstring as an output. So it is possible.

Seeing that {{2*2}} worked, we will try {{2*'hello'}},

However, as the output we get: Not a valid Jinja2 expression.
Sense that didn't work we will try without 's (single quotes) around hello as {{2*hello}}, for this output we get an error page,

jinja2.exceptions.UndefinedError: 'hello' is undefined

This means that the server is expecting hello to be a variable and can't find to defined anywhere in the code/browser..
- Setting hello as a variable in either the render_template call or the code above it doesn't seem to affect or benifit this exploit as the server still believes it to be impossible.

Name		Name	Last commit message	Last commit date
Latest commit History 9 Commits
static		static
templates		templates
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
app.py		app.py
hack.txt		hack.txt
requirements.txt		requirements.txt