Django.fun

Issues with Django automatically filtering template tags from database

Currently I'm putting together a deliberately vulnerable VM network for a training environment, to do an exploitation and follow-on patch objective for my team. One of the vulnerabilities I'm looking to demonstrate is Server Side Template Injection via (Django/Jinja2) on a simple "blog" page with absolutely no filter on user input. The intake is working perfectly and storing in the SQLite DB with no issues, looking exactly as expected; however, the problem is displaying this unsanitized user input. In fact, even while actively trying to force Django not to escape or filter it, it continues to only display the plaintext entered by the user rather than interpret it as template tagging properly.

The Rendered Output:

The Rendered data, not interpreted properly as template tags

The Template Itself:

[Image: template code] Apologies for the image, but our ESXi is configured to disallow copy/paste.

The data stored in the SQLite DB:

[Image: SQL database opened in a GUI database viewer]

And finally the views.py rendering it:

Once again, sorry for the images rather than code blocks; limitations on what I can do to the ESXi server and time restrictions demand it.

For reference, I am using Python version 3.9.10 and Django version 4.0.6. Is there a way to force the behavior I'm looking for, or will I have to go in search of an older version without these protections and start over on the backend work?
