[BEW 2.3: Web Security] Clone this repo to begin the SSTI exploit activity.
- Really nice layout, thanks Dani
Multiply 2 integers
- Using just the required param `?exploit=` doesn't change anything.
- Adding 'you've been hacked' to the end allows it to be printed to the on-screen console.
Things to note from this:
- In the URL, spaces are changed to `%20` and `'`s (single quotes) to `%27`,
- and `'`s are added to output
- Using `{{ }}` (an empty expression call) as the option for the param just clears the output console. Also, if we pass in `{{hello}}`, we get an empty output.
- Whereas, if we pass in `{{2}}`, we get `2` as the output; from this I think we can do a multiplication expression.
- By doing `{{2*2}}` we get `4` as the output. Similarly, we can do `{{3*8}}` and get `24` as the output.
- This completes the first task of multiplying 2 integers.
Multiply an int & a str
First searching if it's possible to multiply a string by an int, I found this site & this site, which state that you can do `2 * 'string'` and get `stringstring` as an output. So it is possible.
- Seeing that `{{2*2}}` worked, we will try `{{2*'hello'}}`. However, as the output we get: `Not a valid Jinja2 expression.`
- Since that didn't work, we will try without `'`s (single quotes) around hello, as `{{2*hello}}`. For this output we get an error page, `jinja2.exceptions.UndefinedError: 'hello' is undefined`. This means that the server is expecting hello to be a variable and can't find it defined anywhere in the code/browser.
  - Setting `hello` as a variable in either the render_template call or the code above it doesn't seem to affect or benefit this exploit, as the server still believes it to be impossible.
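The results noted above (`{{2*2}}` giving `4`, `{{hello}}` giving empty output, `{{2*hello}}` raising `UndefinedError`) are what Jinja2 does when request input is used as template source. The following is an added example, not the activity repo's code: it renders the same inputs once as template source and once as a context value. The function names, the `Output: ` prefix and the environment settings are assumptions.

```python
from jinja2 import Environment
from jinja2.exceptions import UndefinedError

# Assumption: a plain environment with autoescaping on; the activity's app may differ.
env = Environment(autoescape=True)


def render_unsafe(user_input):
    # Vulnerable pattern: request data becomes part of the template source,
    # so anything inside {{ }} is evaluated on the server.
    return env.from_string("Output: " + user_input).render()


def render_safe(user_input):
    # Fixed pattern: the template source is a constant. Request data is only
    # a context value, so it is printed (and HTML-escaped), never parsed.
    return env.from_string("Output: {{ value }}").render(value=user_input)


def compare(user_input):
    # Returns (unsafe result, safe result) for one input.
    try:
        unsafe = render_unsafe(user_input)
    except UndefinedError as exc:
        # Arithmetic on an undefined name raises; printing one alone does not.
        unsafe = "UndefinedError: " + str(exc)
    return unsafe, render_safe(user_input)


if __name__ == "__main__":
    # Inputs taken from the notes above.
    for payload in ["{{2*2}}", "{{3*8}}", "{{hello}}", "{{2*hello}}"]:
        unsafe, safe = compare(payload)
        print(f"{payload!r:16} unsafe={unsafe!r:45} safe={safe!r}")
```

With the safe form the braces come back as literal text, which is the quickest check that a parameter is being treated as data rather than as a template.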