EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps...

16
EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE SELORM TSA 18 AUG 2018

Transcript of EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps...

Page 1: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP

BY: DIVINE SELORM TSA18 AUG 2018

Page 2: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

Outline• Introduction• Template Engines• SSTI• SSTI Methodology• Tplmap• Demo• Remediation

Page 3: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

What is a template engine?• Helps populate dynamic data into modern web pages• Enables developers to separate data processing logic

and presentation code• Offers rich functionality through Wikis, CMS, blogs• Uses:– Displays information about users, products, companies– Displays gallery of photos, videos..– Sends bulk emails

Page 4: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

Example: jinja

Page 5: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

Popular Template Engines

• PHP – Smarty, Twigs

• JAVA – Velocity, Freemaker

• Python – JINJA, Mako, Tornado

• JavaScript – Jade, Rage

• Ruby - Liquid

Page 6: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

What is template injection?

Page 7: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

What is template injection?• Occurs when invalid user input is embedded into the template

engine• Often XSS attack occurs but SSTI can be missed• Can lead to a remote code execution (RCE)• Developer error or intentional exposure

Page 8: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

Methodology (based on James Kettle’s research)

https://portswigger.net/blog/server-side-template-injection

Page 9: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

Detect

• Wappalyzer + builtwith + vulners scanner• Test fuzzing – Tips:– Trying a basic XSS– Trying a math expression {{2*2}}

Page 10: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

Identify

Page 11: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

Exploit

• Read

• Explore

• Attack

Page 12: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

Tplmap

• Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.

• The tool and its test suite are developed to research the SSTI vulnerability class and to be used as offensive security tool during web application penetration tests.

https://github.com/epinna/tplmap

Page 13: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

Demo - Tplmap

Page 14: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

Remediation

• Sanitization– Sanitize user input before passing it into the

templates• Complementary approach– Use a sandbox within a safe environment

Page 15: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

Q&A

Page 16: EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP · What is a template engine? •Helps populate dynamic data into modern web pages •Enables developers to separate data processing

References

• https://portswigger.net/blog/server-side-template-injection

• https://github.com/epinna/tplmap• https://www.okiok.com/server-side-template-injection-from-detection-to-remote-shell/

• https://www.we45.com/blog/server-side-template-injection-a-crash-course-

https://portswigger.net/blog/server-side-template-injection
https://github.com/epinna/tplmap
https://www.okiok.com/server-side-template-injection-from-detection-to-remote-shell/
https://www.we45.com/blog/server-side-template-injection-a-crash-course-

Nov2019... · Web viewThis is a Word template. Populate fields with your information and save file as your name. Then e mail the completed form to pdregistration@grapevinetexas.gov.

Nov2019... · Web viewThis is a Word template. Populate fields with your information and save file as your name. Then e mail the completed form to [email protected].

LIDAR MAPPING TECHNOLOGY TO POPULATE GREEN AREAS GIS

LIDAR MAPPING TECHNOLOGY TO POPULATE GREEN AREAS GIS

Pitching Research - University of Maltaelement. I also give some general guidance on how to populate each segment of the template. For ease of reference below, the key elements of

Pitching Research - University of Maltaelement. I also give some general guidance on how to populate each segment of the template. For ease of reference below, the key elements of

Proceedings Template - WORDopim.wharton.upenn.edu/~sok/sokpapers/2010/A_New_…  · Web viewCreating and exploiting aggregate information from text using a novel Categorized Document

Proceedings Template - WORDopim.wharton.upenn.edu/~sok/sokpapers/2010/A_New_…  · Web viewCreating and exploiting aggregate information from text using a novel Categorized Document

Using the Table API. Standard Uses of API Populate Columns via Sequences Insert Default Values instead of nulls Populate Autogen Columns –Date Created,

Using the Table API. Standard Uses of API Populate Columns via Sequences Insert Default Values instead of nulls Populate Autogen Columns –Date Created,

Exploiting Symbian - MUlliNER.ORG · Collin Mulliner Exploiting Symbian 25C3 Berlin 2008

Exploiting Symbian - MUlliNER.ORG · Collin Mulliner Exploiting Symbian 25C3 Berlin 2008

Exploiting Parallelism

Exploiting Parallelism

Populate PDF Forms From Data Files using … PDF Forms From Data Files using AutoMailMerge for Adobe Acrobat® What is it for? Populate a single PDF form template with data to produce

Populate PDF Forms From Data Files using … PDF Forms From Data Files using AutoMailMerge for Adobe Acrobat® What is it for? Populate a single PDF form template with data to produce

Exploiting Symbian

Exploiting Symbian

AGGREGATING MULTIPLE SOURCES TO PRE-POPULATE NEW REPOSITORIES

AGGREGATING MULTIPLE SOURCES TO PRE-POPULATE NEW REPOSITORIES

Exploiting Context

Exploiting Context

Exploiting Complexity

Exploiting Complexity

Importing Asset Data Using the Import Data via …Steps Required to Import Asset Data 1. Configure spreadsheet template. 2. Populate the spreadsheet file. 3. Upload the data. 4. Review

Importing Asset Data Using the Import Data via …Steps Required to Import Asset Data 1. Configure spreadsheet template. 2. Populate the spreadsheet file. 3. Upload the data. 4. Review

EMR Data Migration Project Plan - OntarioMD support/emr...  · Web viewEMR and Data Migration Plan Template (V1.0) ... and the overall size of the company ... Begin to populate the

EMR Data Migration Project Plan - OntarioMD support/emr...  · Web viewEMR and Data Migration Plan Template (V1.0) ... and the overall size of the company ... Begin to populate the

Minifigure Customization: Populate Your World!

Minifigure Customization: Populate Your World!

Exploiting with Metasploi Exploiting with Metasploit - hacking

Exploiting with Metasploi Exploiting with Metasploit - hacking

Populate EMRs Automatically, Using Dictationjustmytypetranscription.com/uploads/3/4/1/5/34156323/... · 2020-04-16 · Populate EMRs Automatically, Using Dictation Emdat’s DaRT™

Populate EMRs Automatically, Using Dictationjustmytypetranscription.com/uploads/3/4/1/5/34156323/... · 2020-04-16 · Populate EMRs Automatically, Using Dictation Emdat’s DaRT™

Exploiting material

Exploiting material

Exploiting Tal

Exploiting Tal

Exploiting Chaos

Exploiting Chaos