6. Template Injection -
■ User input is embedded in a template in an unsafe manner.
■ Often confused with XSS.
Marketing application with email greeting
$output = $twig->render("Dear, $_GET['name']", array("first_name" => $user->first_name));
Name = Tester
> Dear, Tester
Name = {{7*7}}
> Dear, 49
Name = {{self}}
> Dear, Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78db3538221c1145580ca4a5 could not be converted to string
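The greeting above, reproduced as an added example that is not the slide's Twig code, in Python with Jinja2 (the other engine named in this deck): greet_vulnerable builds the template source from the request parameter exactly as the slide's $twig->render() call does, while greet_safe keeps the template text constant and passes the parameter in as data. The function names and the probe values are assumptions made here.

```python
from jinja2 import Environment

# Autoescaping on, so HTML in the parameter is neutralised on the safe path as well.
env = Environment(autoescape=True)


def greet_vulnerable(name: str) -> str:
    # The slide's pattern: the request parameter is concatenated into the template
    # SOURCE, so any expression syntax it contains is parsed and evaluated.
    return env.from_string("Dear, " + name).render()


def greet_safe(name: str) -> str:
    # Hardened form: the template text is a constant and the parameter is only ever
    # supplied as DATA for the {{ name }} placeholder, so it is printed, not evaluated.
    return env.from_string("Dear, {{ name }}").render(name=name)


if __name__ == "__main__":
    # Constructed probe values (hypothetical inputs), mirroring the slide's Tester and
    # {{7*7}} plus the engine-fingerprint probe {{7*'7'}} from the Identify step.
    for probe in ["Tester", "{{7*7}}", "a{{7*7}}b", "{{7*'7'}}", "<b>x</b>"]:
        print(f"{probe!r:14} vulnerable -> {greet_vulnerable(probe)!r:22} "
              f"safe -> {greet_safe(probe)!r}")
```

Two things worth noticing when it runs: autoescaping does nothing for the vulnerable path, because the input is template source rather than output data, and the {{7*'7'}} probe comes back as 7777777 here because Jinja2 evaluates it as Python, whereas the slide notes Twig would give 49.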
7. ■ Detect – Plain Text Context
- Can be confused with XSS
- Common expression syntaxes: {var} {{var}} ${var} <%var%> [% var %]
- Results in execution or error message.
- a{{var}}b
> Expect : ab or Error message
- a{{7*7}}b
> Expect : a49b
smarty=Hello {user.name}
> Hello user1
8. ■ Detect – Code Context
- Injection results in blank output or error messages
- Need to break out of the expression syntax
- A successful break-out results in execution or an error message.
- personal_greeting=user.name<tag>
> Expect : Hello
- personal_greeting=user.name}}<tag>
> Expect : Hello user01<tag>
personal_greeting=user.name
> Hello user01
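As an added example that is not part of the slides, the probe shapes from the two Detect slides turned into detection logic a defender can run over web-server access logs: it URL-decodes each query parameter and flags values that carry a complete expression in one of the syntaxes listed above, or a stray closing delimiter of the kind used to break out of a code context. The log lines, parameter names, indicator names and confidence labels are all constructed here; single-brace matches are reported at low confidence because JSON and similar legitimate inputs use the same characters.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Expression delimiters from the slide's probe list, most specific first.
# Only the first matching pattern is reported for a value.
TEMPLATE_EXPRESSION_PATTERNS = [
    ("double_brace", "high", re.compile(r"\{\{.+?\}\}", re.S)),
    ("dollar_brace", "high", re.compile(r"\$\{.+?\}", re.S)),
    ("percent_tag", "high", re.compile(r"<%.+?%>", re.S)),
    ("bracket_percent", "high", re.compile(r"\[%.+?%\]", re.S)),
    ("single_brace", "low", re.compile(r"\{[^{}]+\}")),
]

# A closing delimiter with no opener before it is the "break out of the expression"
# shape used to probe a code context, e.g. personal_greeting=user.name}}<tag>.
STRAY_CLOSER = re.compile(r"^[^{]*(\}\}|%>|%\])")

# Request line inside a combined/common log format entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (hypothetical hosts and paths), with the slide's probes encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page?name=Tester HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /page?name=a%7B%7B7*7%7D%7Db HTTP/1.1" 200 510
203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /greet?personal_greeting=user.name%7D%7D%3Ctag%3E HTTP/1.1" 200 530
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /api?payload=%7B%22a%22%3A1%7D HTTP/1.1" 200 40
"""


def scan_value(param: str, value: str) -> Optional[dict]:
    """Return a finding for one decoded parameter value, or None if it looks benign."""
    for name, confidence, pattern in TEMPLATE_EXPRESSION_PATTERNS:
        m = pattern.search(value)
        if m:
            return {"param": param, "value": value, "indicator": name,
                    "confidence": confidence, "match": m.group(0)}
    m = STRAY_CLOSER.search(value)
    if m:
        return {"param": param, "value": value, "indicator": "stray_closer",
                "confidence": "medium", "match": m.group(1)}
    return None


def scan_log_line(line: str) -> list:
    """Extract the request target from a log line and scan every query parameter."""
    m = REQUEST_LINE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    # parse_qs percent-decodes the values, so the probes are inspected as the engine would see them.
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            finding = scan_value(param, value)
            if finding:
                findings.append(finding)
    return findings


def scan_log(text: str) -> list:
    """Scan a whole log and return the findings in log order."""
    return [f for line in text.splitlines() if line.strip() for f in scan_log_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['confidence']:6}] {f['indicator']:15} {f['param']}={f['value']!r} ({f['match']!r})")
```

The scan only sees the query string; the same scan_value check applies to form bodies or JSON fields once they are decoded, and pairing a high-confidence hit with an unexpected 500 or a changed response length is what turns a probe sighting into a likely confirmed injection.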
9. ■ Identify –
- Identify which template engine is in use.
- {{7*'7'}} evaluates to 49 in Twig and to 7777777 in Jinja2
- Burp Suite's decision-making tree for finding SSTI
10. ■ Exploit –
- READ :
- Read the engine's documentation.
- EXPLORE :
- Explore the environment.
- Brute-force the variables.
- ATTACK :
- Form a firm idea of the attack surface.
11. ■ Exploit Development –
- FreeMarker:
One of the best-known Java template languages.
The official website explains the dangers of allowing user-supplied templates:
Ref : http://freemarker.org/docs/app_faq.html#faq_template_uploading_security
One of the risks we found:
12. ■ Exploit Development –
The "new" built-in offers a possibility for exploitation.
- Are there any useful classes implementing TemplateModel?
One of these class names stands out: Execute
13. ■ Exploit Development –
The details confirm that this function takes input and executes it.
- Let's develop our payload –
14. ■ Automated Tool –
- Tplmap :
Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with several sandbox escape techniques to get access to the underlying operating system.
- Uses :
$ ./tplmap.py -u 'http://www.target.com/page?name=John'
- Link :
https://github.com/epinna/tplmap
- Burp Extension :
https://github.com/epinna/tplmap/blob/master/burp_extension/README.md
15. Demonstration -
■ Application used : Xtreme Vulnerable Web Application (XVWA)
■ Back-End Server : Apache
■ Template Engine : Twig
■ Back-End PL : PHP