Skip to content

Write UP - Langskip

Django - SSTI

Write UP - Langskip

Projet de Side Quest pour l'Ecole 2600
0xL4ughCTF
0xL4ughCTF
- OSINT
  OSINT
- Reverse Engineering
  Reverse Engineering
  - L4ugh CTF 2024 : easylogin
- Crypto
  Crypto
  - RSA GCD
- Web
  Web
  - L4ugh CTF 2024 : Micro
404CTF
404CTF
- Forensic
  Forensic
  - Le tir aux logs
- Pwn
  Pwn
  - Pseudoverflow
- Steganographie
  Steganographie
  - L'absence
- Web
  Web
AmsiCTF
AmsiCTF
- Crypto
  Crypto
  - Destruction
  - Prime suspects
BITskriegCTF
BITskriegCTF
- Pwn
  Pwn
  - MogamBro's Certainty Principle
- Reverse
  Reverse
  - Baby-rev
Bluehens
Bluehens
- Crypto
  Crypto
  - XS6 - CTR mode is just XOR
BraekerCTF
BraekerCTF
- Pwn
  Pwn
  - Embryobot
- Reverse
  Reverse
  - Binary shrink
- Web
  Web
  - Empty-execution
  - Stuffy
BreizhCTF
BreizhCTF
- Web
  Web
  - NginFail
CatTheFlag
CatTheFlag
- Web
  Web
  - Infection Web 1
CryptoHack
CryptoHack
DefCampCTF
DefCampCTF
- Crypto
  Crypto
  - ctr
GlacierCTF
GlacierCTF
- Blockchain
  Blockchain
  - GlacierCTF 2024 - Frozen in time
GreHackCTF
GreHackCTF
- Pwn
  Pwn
  - BabyPwn
HTB
HTB
- Box
  Box
  - Blue
- Crypto
  Crypto
  - Exciting Outpost Recon
- WEB
  WEB
  - Dynamic path
Hackday qualifs
Hackday qualifs
- Crypto
  Crypto
  - Baby Crypto
- Forensic
  Forensic
  - Baby Forensic
  - Blueprint Mirage
- MISC
  MISC
  - The Trap Fish
- Reverse
  Reverse
  - Oh my PAM
Hacktheboo
Hacktheboo
- Crypto
  Crypto
  - Hybrid Unifier
Hackvens
Hackvens
- Forensics
  Forensics
  - Analyse me
HeroCTF
HeroCTF
- Pwn
  Pwn
  - Heappie
- Crypto
  Crypto
  - HeroCTF v6 - Halloween
  - HeroCTF v6 - Interpolation
JerseyCTF
JerseyCTF
- MISC
  MISC
- OSINT
  OSINT
PatriotCTF
PatriotCTF
- Misc
  Misc
  - Let's play hide & seek
  - Making Baking Pancakes
PurplePillCTF
PurplePillCTF
- Crypto
  Crypto
  - Legend
Ringzer0CTF
Ringzer0CTF
- Web
  Web
WOCSA
WOCSA
- Web
  Web
  - CSRF multiple vulnerabilities
  - Django - guessable token
  - IDOR
  - RCE through Deserialization
  - SQL Injection
  - Django - SSTI Django - SSTI
    Table of contents
    
    Description
    
    Enoncé
    
    Solution détaillée
    
    Exploitation
    
    PoC
    
    Risk
    
    Remediation
  - XSS from Tutorial Title
  - XXE
  - Django debug port active
  - Predictable Reset Token

Django - SSTI

Description

Write Up: Guillaume
Créateur: WOCSA
Difficulté: Inconnu

Enoncé

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

Solution détaillée

Exploitation

Create a user with a template interpration name like {% debug %}. Then connect yourself and logout, the name will be render and print django debug datas.

PoC

We can use this username {{ messages.storages.0.signer.key }} to leak the jwt secret or we can XSS with {{ '<script>alert(3)</script>' }}

Risk

There is a high risk to XSS, leak data, even RCE in certains circumstances

Remediation

Disable the rendering of username in logout