From 89f080761ded80fa6d331bfacabeaa406ff8981e Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 7 Mar 2026 01:52:21 +0000 Subject: [PATCH] Add content from: Metasploit Wrap-Up 03/06/2026 --- .../jinja2-ssti.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md b/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md index d9f6d73e5e8..f8cd019aa74 100644 --- a/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md +++ b/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md 
@@ -354,8 +354,22 @@ Read the request in the file, PAYLOADreplace it with the actual payload and subm The request will be urlencoded by default according to the HTTP format, which can be --urlencode-payload 0turned off. ``` + +## Authenticated Template Preview SSTI (Jinja2) + +Some apps let authenticated users preview reporting/email templates. If the preview endpoint evaluates user-supplied Jinja2 without a sandbox, the preview becomes an SSTI sink and can reach RCE. + +Typical exploitation workflow: +1. Authenticate to the app API (often a token-based API). +2. Discover the API base URL from a client-side config (for example `/env-config.js`). +3. Submit a malicious template to the preview endpoint to trigger server-side execution. + +Metasploit example: `linux/http/tacticalrmm_ssti_rce_cve_2025_69516` automates auth + API discovery + preview exploitation for a Tactical RMM deployment. + + ## References +- [https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-03-06-2026](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-03-06-2026) - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2) - Check [attr trick to bypass blacklisted chars in here](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#python3). - [https://twitter.com/SecGus/status/1198976764351066113](https://twitter.com/SecGus/status/1198976764351066113) @@ -363,4 +377,3 @@ The request will be urlencoded by default according to the HTTP format, which ca {{#include ../../banners/hacktricks-training.md}} -
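Review bot: the new "Authenticated Template Preview SSTI (Jinja2)" section stops at "can reach RCE" and gives the reader no defensive counterpart; since the page elsewhere explains Jinja2 internals, add one sentence after the workflow list noting that template previews built from user input should be rendered with `jinja2.sandbox.SandboxedEnvironment` (or the template should be treated as data and not evaluated at all), and that authenticated preview endpoints evaluating raw templates are worth flagging in code review. Second, CVE-2025-69516 appears only inside the Metasploit module name `linux/http/tacticalrmm_ssti_rce_cve_2025_69516`; state the identifier in the prose and, if the Rapid7 wrap-up gives them, the affected and fixed Tactical RMM versions, otherwise a reader cannot tell whether a given deployment is exposed. Minor style point: the hunk inserts two blank `+` lines between the new section and `## References`, while the rest of the file separates sections with a single blank line.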