
Jinja2-ExploitMe

[BEW 2.3: Web Security] Clone this repo to begin the SSTI exploit activity.

My Findings

  • Really nice layout, thanks Dani

Multiply 2 integers

  • Using just the required param ?exploit= doesn't change anything

    • Adding 'you've been hacked' to the end allows it to be printed to the on-screen console

      Things to note from this:

      • In the URL, spaces are changed to %20 and single quotes (') to %27,
      • and single quotes are added to the output
  • Using {{ }} (an empty expression call) as the option for the param just clears the output console. Also, if we pass in {{hello}}, we get an empty output.

  • Whereas if we pass in {{2}}, we get 2 as the output. From this I think we can do a multiplication expression.

  • By doing {{2*2}} we get 4 as the output.

    Similarly, we can do {{3*8}} and get 24 as the output.

-- This completes the first task of multiplying 2 integers.


Multiply an int & a str

First, searching whether it's possible to multiply a string by an int, I found this site & this site, which state that you can do

2 * 'string' and get stringstring as an output. So it is possible.

  • Seeing that {{2*2}} worked, we will try {{2*'hello'}}.

    However, as the output we get: Not a valid Jinja2 expression.

  • Since that didn't work, we will try without single quotes around hello, as {{2*hello}}. For this we get an error page:

    jinja2.exceptions.UndefinedError: 'hello' is undefined

    This means that the server is expecting hello to be a variable and can't find it defined anywhere in the code/browser.

    • Setting hello as a variable in either the render_template call or the code above it doesn't seem to affect or benefit this exploit, as the server still believes it to be impossible.
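The behaviour observed in both tasks (integers evaluating inside {{ }}, {{hello}} coming back empty, {{2*hello}} raising UndefinedError) comes down to whether the request parameter is used as the template source or passed to the template as a variable. The following is an added example, not code from the course repo; it assumes Jinja2 is installed, and the query string, the "Console:" prefix and the `exploit_param` helper are constructed stand-ins for the activity's ?exploit= parameter and on-screen console.

```python
from urllib.parse import parse_qs

from jinja2 import BaseLoader, Environment

# Autoescape on, as Flask enables it for .html templates.
env = Environment(loader=BaseLoader(), autoescape=True)


def exploit_param(query_string: str) -> str:
    """Decode ?exploit=... the way the server does (%20 -> space, %27 -> ')."""
    return parse_qs(query_string).get("exploit", [""])[0]


def render_vulnerable(user_input: str) -> str:
    """Unsafe pattern: the parameter is spliced into the *template source*,
    so Jinja2 evaluates {{2*2}} and the console shows 4. {{hello}} renders as
    an empty string (the default Undefined), while {{2*hello}} raises
    jinja2.exceptions.UndefinedError, matching the findings above."""
    return env.from_string("Console: " + user_input).render()


def render_hardened(user_input: str) -> str:
    """Fixed pattern: the template is a fixed, developer-written string and the
    parameter is passed in as a *variable*. Jinja2 never parses user text as
    template syntax, and autoescape also neutralises HTML metacharacters."""
    template = env.from_string("Console: {{ exploit }}")
    return template.render(exploit=user_input)


if __name__ == "__main__":
    # Constructed query strings mirroring the URLs tried in the write-up.
    for qs in ("exploit=you%27ve%20been%20hacked", "exploit={{2*2}}"):
        value = exploit_param(qs)
        print(f"{qs!r:40} vulnerable -> {render_vulnerable(value)!r}")
        print(f"{'':40} hardened   -> {render_hardened(value)!r}")
```

With the hardened handler the same {{2*2}} is displayed literally, which is the check to run on the activity's own route once you have found the render call that takes the parameter as a template.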