mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-14 00:47:20 +00:00
SSTI update
This commit is contained in:
Swissky
parent
7ec97bb77e
commit
6ee918b060
1 changed files with 43 additions and 13 deletions
|
|
@ -4,49 +4,79 @@
|
|||
|
||||
## Summary
|
||||
|
||||
- [Templates Injections](#templates-injections)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [Methodology](#methodology)
|
||||
- [References](#references)
|
||||
- [Tools](#tools)
|
||||
- [Methodology](#methodology)
|
||||
- [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
* [TInjA](https://github.com/Hackmanit/TInjA) - An effiecient SSTI + CSTI scanner which utilizes novel polyglots
|
||||
* [Hackmanit/TInjA](https://github.com/Hackmanit/TInjA) - An effiecient SSTI + CSTI scanner which utilizes novel polyglots
|
||||
```bash
|
||||
tinja url -u "http://example.com/?name=Kirlia" -H "Authentication: Bearer ey..."
|
||||
tinja url -u "http://example.com/" -d "username=Kirlia" -c "PHPSESSID=ABC123..."
|
||||
```
|
||||
|
||||
* [Tplmap](https://github.com/epinna/tplmap) - Server-Side Template Injection and Code Injection Detection and Exploitation Tool
|
||||
* [epinna/tplmap](https://github.com/epinna/tplmap) - Server-Side Template Injection and Code Injection Detection and Exploitation Tool
|
||||
```powershell
|
||||
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
|
||||
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
|
||||
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
|
||||
```
|
||||
|
||||
* [SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface based on [Tplmap](https://github.com/epinna/tplmap)
|
||||
* [vladko312/SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface based on [epinna/tplmap](https://github.com/epinna/tplmap)
|
||||
```powershell
|
||||
python3 ./sstimap.py -u 'https://example.com/page?name=John' -s
|
||||
python3 ./sstimap.py -u 'https://example.com/page?name=Vulnerable*&message=My_message' -l 5 -e jade
|
||||
python3 ./sstimap.py -i -A -m POST -l 5 -H 'Authorization: Basic bG9naW46c2VjcmV0X3Bhc3N3b3Jk'
|
||||
```
|
||||
|
||||
|
||||
## Methodology
|
||||
|
||||
### Identify the Vulnerable Input Field
|
||||
|
||||
The attacker first locates an input field, URL parameter, or any user-controllable part of the application that is passed into a server-side template without proper sanitization or escaping.
|
||||
|
||||
For example, the attacker might identify a web form, search bar, or template preview functionality that seems to return results based on dynamic user input.
|
||||
|
||||
**TIP**: Generated PDF files, invoices and emails usually use a template.
|
||||
|
||||
|
||||
### Inject Template Syntax
|
||||
|
||||
The attacker tests the identified input field by injecting template syntax specific to the template engine in use. Different web frameworks use different template engines (e.g., Jinja2 for Python, Twig for PHP, or FreeMarker for Java).
|
||||
|
||||
Common template expressions:
|
||||
|
||||
* `{{7*7}}` for Jinja2 (Python).
|
||||
* `#{7*7}` for Thymeleaf (Java).
|
||||
|
||||
Find more template expressions in the page dedicated to the technology (PHP, Python, etc).
|
||||
|
||||
|
||||
|
||||
|
||||
## Detection
|
||||
|
||||
In most cases, this polyglot payload will trigger an error in presence of a SSTI vulnerability :
|
||||
In most cases, this polyglot payload will trigger an error in presence of a SSTI vulnerability:
|
||||
|
||||
```ps1
|
||||
${{<%[%'"}}%\.
|
||||
```
|
||||
|
||||
The [Template Injection Table](https://github.com/Hackmanit/template-injection-table) is an interactive table containing the most efficient template injection polyglots along with the expected responses of the 44 most important template engines.
|
||||
The [Hackmanit/Template Injection Table](https://github.com/Hackmanit/template-injection-table) is an interactive table containing the most efficient template injection polyglots along with the expected responses of the 44 most important template engines.
|
||||
|
||||
|
||||
### Enumerate the Template Engine
|
||||
|
||||
Based on the successful response, the attacker determines which template engine is being used. This step is critical because different template engines have different syntax, features, and potential for exploitation. The attacker may try different payloads to see which one executes, thereby identifying the engine.
|
||||
|
||||
* **Python**: Django, Jinja2, Mako, ...
|
||||
* **Java**: Freemarker, Jinjava, Velocity, ...
|
||||
* **Ruby**: ERB, Slim, ...
|
||||
|
||||
|
||||
### Escalate to Code Execution
|
||||
|
||||
Once the template engine is identified, the attacker injects more complex expressions, aiming to execute server-side commands or arbitrary code.
|
||||
|
||||
|
||||
## References
|
||||
|
|
|
|||
Loading…
Reference in a new issue