Lab 135 — PageCraft — SSTI in CMS Page Editor

hackadvisor

Task: Flask CMS with page editor supporting template variables. Solution: Discovered SSTI in page content via differential analysis (pages render templates, posts don't), exploited via lipsum.__globals__ to achieve RCE and read /root/flag.txt.

flask rce ssti python jinja2 cms template_injection

ssti_exploitationjinja2_rce_via_globalsdifferential_content_rendering_analysis

$ ls tags/ techniques/

flask rce ssti python jinja2 cms template_injection

ssti_exploitationjinja2_rce_via_globalsdifferential_content_rendering_analysis

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]PageCraft — SSTI via Twig Template Engine in Post Content— hackadvisor
[web][Pro]Lab 237 — MailCraft — SSTI in Email Template Preview— hackadvisor
[web][Pro]Lab 389 — PulseBoard — SSTI in Custom Widget Template Builder— hackadvisor
[web][Pro]Lab 134 — DocForge — FreeMarker SSTI Sandbox Escape via ?api Built-in— hackadvisor
[web][Pro]Lab 55 — LinguaPress — SSTI via Multilingual Widget Shortcodes— hackadvisor