0x1 Posted November 12, 2019

Tplmap: Server-Side Template Injection and Code Injection Detection and Exploitation Tool

Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system. The tool and its test suite are developed to research the SSTI vulnerability class and to be used as an offensive security tool during web application penetration tests.

It can exploit several code-context and blind injection scenarios. It also supports eval()-like code injections in Python, Ruby, PHP, Java and generic unsandboxed template engines.

Server-Side Template Injection

Assume that you are auditing a web site that generates dynamic pages from templates composed with user-provided values, such as a web application written in Python and Flask that uses the Jinja2 template engine in an unsafe way, building the template itself from user input.

From a black-box testing perspective, the page reflects the value much like an XSS vulnerability, but it also evaluates basic arithmetic at runtime, which reveals the injection as SSTI rather than plain reflection.

Exploitation

Tplmap is able to detect and exploit SSTI in a range of template engines to get access to the underlying file system and operating system. Run it against the URL to test whether its parameters are vulnerable. Use the --os-shell option to launch a pseudo-terminal on the target.

Supported template engines

Tplmap supports over 15 template engines, unsandboxed template engines and generic eval()-like injections.
| Engine | Remote Command Execution | Blind | Code evaluation | File read | File write |
|---|---|---|---|---|---|
| Mako | ✓ | ✓ | Python | ✓ | ✓ |
| Jinja2 | ✓ | ✓ | Python | ✓ | ✓ |
| Python (code eval) | ✓ | ✓ | Python | ✓ | ✓ |
| Tornado | ✓ | ✓ | Python | ✓ | ✓ |
| Nunjucks | ✓ | ✓ | JavaScript | ✓ | ✓ |
| Pug | ✓ | ✓ | JavaScript | ✓ | ✓ |
| doT | ✓ | ✓ | JavaScript | ✓ | ✓ |
| Marko | ✓ | ✓ | JavaScript | ✓ | ✓ |
| JavaScript (code eval) | ✓ | ✓ | JavaScript | ✓ | ✓ |
| Dust (<= dustjs-helpers@1.5.0) | ✓ | ✓ | JavaScript | ✓ | ✓ |
| EJS | ✓ | ✓ | JavaScript | ✓ | ✓ |
| Ruby (code eval) | ✓ | ✓ | Ruby | ✓ | ✓ |
| Slim | ✓ | ✓ | Ruby | ✓ | ✓ |
| ERB | ✓ | ✓ | Ruby | ✓ | ✓ |
| Smarty (unsecured) | ✓ | ✓ | PHP | ✓ | ✓ |
| PHP (code eval) | ✓ | ✓ | PHP | ✓ | ✓ |
| Twig (<=1.19) | ✓ | ✓ | PHP | ✓ | ✓ |
| Freemarker | ✓ | ✓ | × | ✓ | ✓ |
| Velocity | ✓ | ✓ | × | ✓ | ✓ |
| Twig (>1.19) | × | × | × | × | × |
| Smarty (secured) | × | × | × | × | × |
| Dust (> dustjs-helpers@1.5.0) | × | × | × | × | × |

Burp Suite Plugin

A Burp Suite plugin for Tplmap is also available from the project.

Download and more info

See the project repository.
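The post describes a Flask/Jinja2 application that builds its template from user input and a black-box check that tells SSTI apart from plain reflection (the value is evaluated rather than echoed). The following is an added example, not code from the post or from the Tplmap project: the vulnerable rendering pattern beside its hardened form, and a probe routine in the spirit of Tplmap's detection phase. It assumes the `jinja2` package is installed; the in-process renderers stand in for the target web application (constructed here, so it runs offline), and the function names `render_vulnerable`, `render_fixed`, `probe_ssti` and `is_vulnerable` are illustrative, not Tplmap's API.

```python
"""Jinja2 SSTI: vulnerable pattern, hardened pattern, and a black-box probe.

Added example; not part of the Tplmap project. Requires the jinja2 package.
"""
import html

from jinja2 import Environment

# autoescape=True mirrors Flask's default for HTML templates. Note that it does
# not protect the vulnerable pattern: autoescaping applies to *values* written
# into a template, not to template source that already contains user input.
env = Environment(autoescape=True)


def render_vulnerable(name: str) -> str:
    """VULNERABLE (the pattern the post describes): user input is concatenated
    into the template source, so any template syntax in `name` is compiled and
    executed by the engine."""
    return env.from_string("Hello " + name + "!").render()


def render_fixed(name: str) -> str:
    """FIXED: the template source is a constant; user input is handed over as a
    context variable and is only ever treated as data (and HTML-escaped)."""
    return env.from_string("Hello {{ name }}!").render(name=name)


# (payload, result if evaluated, what a match suggests). These are the classic
# arithmetic probes; the string-repetition probe separates Jinja2 (Python
# semantics, '7'*7 repeats) from Twig (PHP semantics, '7' is coerced to 7).
PROBES = (
    ("{{7*7}}", "49", "{{ }} expression evaluated (Jinja2/Twig-style engine)"),
    ("{{7*'7'}}", "7777777", "string repetition: Jinja2 rather than Twig"),
    ("${7*7}", "49", "${ } expression evaluated (Mako/Freemarker-style engine)"),
)


def probe_ssti(fetch) -> dict:
    """Send each probe through `fetch` (a callable that puts the payload into the
    parameter under test and returns the response body) and classify the result.

    The body is HTML-unescaped before comparison so that an escaped reflection
    of the payload (e.g. ' rendered as &#39;) is still recognised as reflection
    rather than mistaken for a missing echo."""
    findings = {}
    for payload, evaluated, hint in PROBES:
        body = html.unescape(fetch(payload))
        if payload in body:
            findings[payload] = "reflected"          # XSS-like echo, not evaluated
        elif evaluated in body:
            findings[payload] = "evaluated: " + hint  # engine computed the probe
        else:
            findings[payload] = "absent"             # filtered or not reflected
    return findings


def is_vulnerable(fetch) -> bool:
    """True if any probe was evaluated server-side."""
    return any(v.startswith("evaluated") for v in probe_ssti(fetch).values())


if __name__ == "__main__":
    for label, target in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(label, is_vulnerable(target), probe_ssti(target))
```

In a real audit `fetch` wraps the HTTP request that places the payload into the parameter being tested, which is what Tplmap automates across its probe set; the hardened renderer shows that an escaped, literal echo of `{{7*7}}` is reflection only, while `49` in the response is the evaluation that marks SSTI.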