# Detection-only template: sends a fixed arithmetic probe and reports the target
# only when the *evaluated* product comes back and the unevaluated payload does
# not. All confirmation logic lives in the three matchers at the bottom.
id: xpl-ssti-jinja2

info:
  name: "Server-Side Template Injection (Jinja2/Flask)"
  author: imtaqin
  severity: critical
  description: |
    Detects Jinja2 SSTI by injecting a math expression with an unusual
    product (999 * 777 = 776223) that's unlikely to appear naturally.
    Confirms only when the exact computed value is reflected AND the
    raw payload with {{ }} is NOT echoed back verbatim.
  tags:
    - ssti
    - rce
    - python
    - jinja2

http:
  # Payload is literal `xplZZZ{{999*777}}ssti` — the engine's expand() leaves
  # {{999*777}} alone since it's not a known variable name. If the target has
  # Jinja2 SSTI on that parameter, the server renders it to `xplZZZ776223ssti`.
  # NOTE(review): this relies on expand() never evaluating {{999*777}} itself.
  # If the engine did, the request would already carry 776223 and the positive
  # matcher below would fire on plain echo (false positive) — confirm against
  # the engine's expansion rules.
  - method: GET
    # NOTE(review): the braces and `*` are written unencoded; whether the engine
    # percent-encodes them before sending is not visible in this file. A target
    # that decodes the query differently would reflect a different string and
    # the matchers below would miss it (false negative) — confirm when testing.
    path:
      - "{{BaseURL}}/?name=xplZZZ{{999*777}}ssti"
      - "{{BaseURL}}/?q=xplZZZ{{999*777}}ssti"
      - "{{BaseURL}}/search?q=xplZZZ{{999*777}}ssti"
      - "{{BaseURL}}/hello/xplZZZ{{999*777}}ssti"
    # Presumably stops issuing the remaining paths once one path satisfies the
    # matchers; the first matching parameter is the one reported.
    stop_at_first_match: true
    # All three matchers must pass for a hit; the negative matcher is what turns
    # an ordinary reflection of the probe into a non-match.
    matchers-condition: and
    matchers:
      # must be 2xx (not 400/404 - those show errors which may contain our payload)
      # 204 carries no body, so the two body matchers below can never confirm on
      # such a response; in practice only 200/201 responses can produce a hit.
      - type: status
        status: [200, 201, 204]
      # computed value must appear — very specific string
      - type: word
        part: body
        words:
          - "xplZZZ776223ssti"
      # raw payload must NOT be echoed verbatim (server evaluated it)
      # Guards against plain reflection being read as evaluation. Consequence of
      # combining it with `and`: a page that evaluates the payload in one place
      # but also echoes the raw query elsewhere (for instance a search form that
      # repeats the query) is reported as a non-match rather than a hit.
      - type: word
        part: body
        words:
          - "xplZZZ{{999*777}}ssti"
        negative: true