Unfortunately no - at least not in any way I can get it to accept. It looks like there is a validation check first which is pretty aggressive on decoding stuff.
I think I’ve gone word blind. I don’t want to stop because it took me ages to get to this point and I don’t have a way to leap back here when I spin it up again
Have you tried using alternative parentheses? Like e.g. the UTF-8 full-width characters? Maybe the filter is somewhere in front and Jinja gracefully converts them back, for you.
os.system('id')
aka. os.system%uff08'id'%uff09
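For anyone who wants to see why that trick is even plausible, here is a small added check (my own code, not anything from the box or from the posters above). It models a blocklist filter that sits in front of a Unicode-normalizing stage: NFKC folds the full-width parentheses U+FF08/U+FF09 back to ASCII, so a filter that inspects the raw string and lets normalization happen afterwards is checking a different string than the template engine sees. The hardened variant normalizes first, and the last helper is the thing I would actually put in a WAF or app log rule: flag any non-ASCII character whose NFKC form is ASCII punctuation. The sample strings are constructed for the demo.

```python
import unicodedata

# Constructed sample inputs: the same probe in ASCII and in full-width form.
ASCII_PROBE = "os.system('id')"
FULLWIDTH_PROBE = "os.system\uff08'id'\uff09"

BLOCKED = set("()")


def naive_filter(payload: str) -> bool:
    """Return True if the payload is rejected.

    Looks only at the raw characters, so any compatibility variant of '('
    sails through.
    """
    return any(ch in BLOCKED for ch in payload)


def downstream_normalizes(payload: str) -> str:
    """Models a stack that NFKC-normalizes *after* the filter ran.

    This is the scenario suspected in the thread: the string the template
    engine finally sees is not the string the filter looked at.
    """
    return unicodedata.normalize("NFKC", payload)


def hardened_filter(payload: str) -> bool:
    """Normalize first, then check, so the filter and the engine agree."""
    normalized = unicodedata.normalize("NFKC", payload)
    return any(ch in BLOCKED for ch in normalized)


def confusable_punctuation(payload: str):
    """List non-ASCII characters that NFKC-fold to ASCII punctuation.

    Useful as a logging/alerting signal: legitimate form input rarely
    contains full-width brackets or similar compatibility forms.
    """
    hits = []
    for ch in payload:
        if ord(ch) < 128:
            continue
        folded = unicodedata.normalize("NFKC", ch)
        if folded != ch and all(ord(c) < 128 for c in folded) and not folded.isalnum():
            hits.append((ch, folded))
    return hits


def evaluate(payload: str) -> dict:
    """Summarize how one payload fares against both filters."""
    return {
        "naive_rejects": naive_filter(payload),
        "hardened_rejects": hardened_filter(payload),
        "reaches_template_as": downstream_normalizes(payload),
        "confusables": confusable_punctuation(payload),
    }


if __name__ == "__main__":
    for label, probe in (("ascii", ASCII_PROBE), ("fullwidth", FULLWIDTH_PROBE)):
        print(label, evaluate(probe))
```

The real fix is not a better blocklist: user input should never be concatenated into the template source in the first place, only passed in as context. The normalize-then-check ordering just closes this particular gap while that refactor happens.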
I owe you at least a small beer!
It progressed slightly - getting server errors now but that could be down to all the ■■■■ I’ve been throwing at it.
So far it looks like this bypassed at least part of the content filtering.
EDITED TO ADD
Might have been a bit too optimistic. It just generates HTTP 500s even with a clean boot; I think it's breaking the content filter rather than bypassing it. Also it's a lot of characters when I only have 45 to play with.
But I am genuinely indebted to @HomeSen for the nudge here.
So, I am still stuck, but I’ve made some progress.
I can write to the HTTP referrer string and I can call request.environ.HTTP_REFERER in the SSTI, but it still remains static.
So for example: {{os.popen.request.environ.HTTP_REFERER}} doesn’t work but {{request.environ.HTTP_REFERER}} does actually print whatever I put in the referer field.
So clearly the OS module is not wholly imported, just os.popen.request. Maybe something useful in there? Not 100% sure though without being able to look at it.
Then again, that has absolutely nothing to do with the HTTP_REFERER string unless you are down a rabbit hole. It does seem like a perfect XSS opportunity; the only question is how to trigger it…