Open wh1t3p4wn48 opened 2 years ago
Same problem in XVWA app when testing SSTI.
I tested tplmap with the Lab: Basic server-side template injection: https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic
```
python tplmap.py -u 'https://your-lab-id.web-security-academy.net/?message=Unfortunately%20this%20product%20is%20out%20of%20stock'
```
The script crashed at Twig plugin blind injection.
```
[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Testing if GET parameter 'message' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin is testing blind injection
[+] Twig plugin is testing rendering with tag '{{*}}'
[+] Twig plugin is testing blind injection
[!][tplmap] Exiting: 'bool' object has no attribute 'replace'
```
If the Twig blind template is excluded the injection works.
```
[+] Testing if GET parameter 'message' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin is testing blind injection
[+] Freemarker plugin is testing rendering with tag '*'
[+] Freemarker plugin is testing blind injection
[+] Velocity plugin is testing rendering with tag '*'
[+] Velocity plugin is testing blind injection
[+] Slim plugin is testing rendering with tag '"#{*}"'
[+] Slim plugin is testing blind injection
[+] Erb plugin is testing rendering with tag '"#{*}"'
[+] Erb plugin has confirmed injection with tag '"#{*}"'
[+] Tplmap identified the following injection point:

  GET parameter: message
  Engine: Erb
  Injection: "#{*}"
  Context: text
  OS: x86_64-linux-gnu
  Technique: render
  Capabilities:

   Shell command execution: ok
   Bind and reverse shell: ok
   File write: ok
   File read: ok
   Code evaluation: ok, ruby code
```
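The crash message above, `'bool' object has no attribute 'replace'`, is the signature of a plugin whose blind-injection template is stored as the boolean `False` (meaning "not supported") while the scanner still calls `.replace('*', ...)` on it as if it were a string. The following is an added illustration of that failure mode and of the guard that avoids it; it is not tplmap's own code, and the plugin table, the `build_probe*` helpers, `run_scan` and the `tplmap_test` marker are all constructed for this example (the real Twig plugin's value is not shown in the issue).

```python
# Added illustration (not tplmap's own code): a plugin table in which one
# engine's blind template is the boolean False instead of a string, and a
# probe builder with and without a type guard.
from typing import Optional, Union

# Constructed plugin table (hypothetical values): the tag used for the
# rendering test and, where supported, the template for the blind test.
# Twig is given False for "blind" to reproduce the reported crash.
PLUGINS = {
    "Jinja2": {"render": "{{*}}", "blind": "{{*}}"},
    "Twig":   {"render": "{{*}}", "blind": False},
    "Erb":    {"render": '"#{*}"', "blind": '"#{*}"'},
}

# Constructed benign marker that fills the '*' slot of a template.
MARKER = "tplmap_test"


def build_probe_unchecked(template: Union[str, bool], marker: str) -> str:
    """Naive version: assumes the template is always a string.
    With template=False this raises AttributeError:
    'bool' object has no attribute 'replace'."""
    return template.replace("*", marker)


def build_probe(template: Union[str, bool], marker: str) -> Optional[str]:
    """Guarded version: returns None when a plugin has no blind template,
    so the caller can skip that test instead of aborting the whole scan."""
    if not isinstance(template, str):
        return None
    return template.replace("*", marker)


def run_scan(plugins=PLUGINS, guarded=True):
    """Walk the plugin table in the order the scanner log shows.
    Returns (probes per engine, engines whose blind test was skipped).
    With guarded=False the Twig entry aborts the scan exactly as reported."""
    probes, skipped = {}, []
    builder = build_probe if guarded else build_probe_unchecked
    for name, tags in plugins.items():
        probes[name] = {"render": build_probe(tags["render"], MARKER)}
        blind = builder(tags["blind"], MARKER)
        if blind is None:
            skipped.append(name)
        else:
            probes[name]["blind"] = blind
    return probes, skipped


if __name__ == "__main__":
    probes, skipped = run_scan()
    print("skipped blind test for:", skipped)
    try:
        run_scan(guarded=False)
    except AttributeError as exc:
        print("unguarded scan aborted:", exc)
```

Run as-is, the guarded scan skips only Twig's blind test and continues to Erb, which matches the second log where the injection was found once Twig's blind test was out of the way; the unguarded call reproduces the reported AttributeError.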
How do you exclude an engine? I could only find `-e` to include engines.