pcntl_exec + server side template injection

indicators.py

@@ -2,7 +2,7 @@
 # -*- coding: utf-8 -*-
 
 # /!\ Detection Format (.*)function($vuln)(.*) matched by payload[0]+regex_indicators
-regex_indicators = '\\((.*?)(\\$_GET\\[.*?\\]|\\$_FILES\\[.*?\\]|\\$_POST\\[.*?\\]|\\$_REQUEST\\[.*?\\]|\\$_COOKIES\\[.*?\\]|\\$_SESSION\\[.*?\\]|\\$(?!this|e-)[a-zA-Z0-9_]*)(.*?)\\)'
+regex_indicators = '\\((.*?)(\\$_GET\\[.*?\\]|\\$_FILES\\[.*?\\]|\\$_POST\\[.*?\\]|\\$_REQUEST\\[.*?\\]|\\$_COOKIES\\[.*?\\]|\\$_SESSION\\[.*?\\]|\\$(?!this|e-)[a-zA-Z0-9_,]*)(.*?)\\)'
 
 # Function_Name:String, Vulnerability_Name:String, Protection_Function:Array
 payloads = [
@@ -14,8 +14,10 @@ payloads = [
     ["passthru", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
     ["exec", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
     ["shell_exec", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
+    ["pcntl_exec", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
     ["assert", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
     ["proc_open", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
+    ["create_function", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
     ["call_user_func", "Remote Code Execution", []],
     ["call_user_func_array", "Remote Code Execution", []],
     ["preg_replace", "Remote Command Execution", ["preg_quote"]],
@@ -33,6 +35,7 @@ payloads = [
 
     ["readfile", "File Inclusion / Path Traversal", []],
     ["file_get_contents", "File Inclusion / Path Traversal", []],
+    ["stream_get_contents", "File Inclusion / Path Traversal", []],
     ["show_source", "File Inclusion / Path Traversal", []],
     ["fopen", "File Inclusion / Path Traversal", []],
     ["file", "File Inclusion / Path Traversal", []],
@@ -113,4 +116,8 @@ payloads = [
     ["http_redirect", "URL Redirection", []],
     ["HttpMessage::setResponseCode", "URL Redirection", []],
 
+    # Server Side Template Injection
+    ["->render", "Server Side Template Injection", []],
+    ["->assign", "Server Side Template Injection", []],
+
 ]

test/exec.php

@@ -0,0 +1,18 @@
+<?php
+$newfunc = create_function('$a,$b', 'return "ln($a) + ln($b) = " . log($a * $b);');
+echo "Nouvelle fonction anonyme  : $newfunc\n";
+echo $newfunc(2, M_E) . "\n";
+
+$username = $_SERVER['argv'][1];
+$user = posix_getpwnam($username);
+posix_setuid($user['uid']);
+posix_setgid($user['gid']);
+pcntl_exec('/path/to/cmd '.$_GET['c']);
+
+
+
+$target = $_REQUEST['target'];
+if($target){
+    if (stristr(php_uname('s'), 'Windows NT')) { 
+    $cmd = shell_exec( 'ping  ' . $target );
+?>

test/ssti.php

@@ -0,0 +1,30 @@
+<?php
+
+$output = $twig->render($_GET['custom_email'],  array("first_name" => $user.first_name) );
+
+
+// from XVWA
+if (isset($_GET['submit'])) {
+    $name=$_GET['name'];
+    // include and register Twig auto-loader
+    include 'vendor/twig/twig/lib/Twig/Autoloader.php';
+    Twig_Autoloader::register();
+    try {
+      // specify where to look for templates
+      $loader = new Twig_Loader_String();
+      
+      // initialize Twig environment
+      $twig = new Twig_Environment($loader);
+     // set template variables
+     // render template
+    $result= $twig->render($name);
+
+
+
+$smarty=new vtigerCRM_Smarty;
+$smarty->assign("APP",$app_strings);
+$record=$_REQUEST['record'];
+$smarty->assign("record",$record);
+$mode=$_REQUEST["mode"];
+
+?>

test/xpath.php

@@ -30,3 +30,18 @@
     echo "<br />";
 
 ?>
+
+
+<?php
+
+$result = '';
+if(isset($_POST['submit'])){
+$doc = new DOMDocument;
+$doc->load('coffee.xml');
+$xpath = new DOMXPath($doc);
+$query = "/Coffees/Coffee[@ID='".$_POST['search']."']";
+#$result = isset($xpath->query($query)) ? $xpath->query($query) : '';
+$result = $xpath->query($query);
+}
+
+?>