Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Twig plugin blind injection exception - crash #102

Open
wh1t3p4wn48 opened this issue Mar 13, 2022 · 2 comments
Open

Twig plugin blind injection exception - crash #102

wh1t3p4wn48 opened this issue Mar 13, 2022 · 2 comments

Comments

@wh1t3p4wn48
Copy link

I tested tplmap with the Lab: Basic server-side template injection: https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic

python tplmap.py -u 'https://your-lab-id.web-security-academy.net/?message=Unfortunately%20this%20product%20is%20out%20of%20stock'

The script crashed at Twig plugin blind injection.

[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'message' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin is testing blind injection
[+] Twig plugin is testing rendering with tag '{{*}}'
[+] Twig plugin is testing blind injection
[!][tplmap] Exiting: 'bool' object has no attribute 'replace'

If the Twig blind template is excluded the injection works.

[+] Testing if GET parameter 'message' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin is testing blind injection
[+] Freemarker plugin is testing rendering with tag '*'
[+] Freemarker plugin is testing blind injection
[+] Velocity plugin is testing rendering with tag '*'
[+] Velocity plugin is testing blind injection
[+] Slim plugin is testing rendering with tag '"#{*}"'
[+] Slim plugin is testing blind injection
[+] Erb plugin is testing rendering with tag '"#{*}"'
[+] Erb plugin has confirmed injection with tag '"#{*}"'
[+] Tplmap identified the following injection point:

  GET parameter: message
  Engine: Erb
  Injection: "#{*}"
  Context: text
  OS: x86_64-linux-gnu
  Technique: render
  Capabilities:

   Shell command execution: ok
   Bind and reverse shell: ok
   File write: ok
   File read: ok
   Code evaluation: ok, ruby code
@GloryToMoon
Copy link

Same problem in XVWA app when testing SSTI.

@sakhan007
Copy link

I tested tplmap with the Lab: Basic server-side template injection: https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic

python tplmap.py -u 'https://your-lab-id.web-security-academy.net/?message=Unfortunately%20this%20product%20is%20out%20of%20stock'

The script crashed at Twig plugin blind injection.

[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'message' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin is testing blind injection
[+] Twig plugin is testing rendering with tag '{{*}}'
[+] Twig plugin is testing blind injection
[!][tplmap] Exiting: 'bool' object has no attribute 'replace'

If the Twig blind template is excluded the injection works.

[+] Testing if GET parameter 'message' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin is testing blind injection
[+] Freemarker plugin is testing rendering with tag '*'
[+] Freemarker plugin is testing blind injection
[+] Velocity plugin is testing rendering with tag '*'
[+] Velocity plugin is testing blind injection
[+] Slim plugin is testing rendering with tag '"#{*}"'
[+] Slim plugin is testing blind injection
[+] Erb plugin is testing rendering with tag '"#{*}"'
[+] Erb plugin has confirmed injection with tag '"#{*}"'
[+] Tplmap identified the following injection point:

  GET parameter: message
  Engine: Erb
  Injection: "#{*}"
  Context: text
  OS: x86_64-linux-gnu
  Technique: render
  Capabilities:

   Shell command execution: ok
   Bind and reverse shell: ok
   File write: ok
   File read: ok
   Code evaluation: ok, ruby code

How do you exclude an engine. I could only find -e to include engines.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sakhan007 @GloryToMoon @wh1t3p4wn48