epinna / tplmap

Server-Side Template Injection and Code Injection Detection and Exploitation Tool
GNU General Public License v3.0

Code evaluation: ok, php code (blind) #35

Closed riramar closed 6 years ago

riramar commented 6 years ago

Got the results below but it doesn't give any options to rerun. Is there a way to take some advantage from that?

[+] Tplmap 0.4
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Testing if GET parameter 'fromURI' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing }*{ code context escape with 65 variations
[+] Smarty plugin is testing }{/if}{if 1}* code context escape with 65 variations
[+] Smarty plugin is testing  var="" value=""}{assign var="" value=""}* code context escape with 65 variations
[+] Smarty plugin is testing blind injection
[+] Smarty plugin is testing }*{ code context escape with 65 variations
[+] Smarty plugin has confirmed blind injection
[+] Tplmap identified the following injection point:

  GET parameter: fromURI
  Engine: Smarty
  Injection: 1))}*{
  Context: code
  OS: undetected
  Technique: blind
  Capabilities:

   Shell command execution: no
   Bind and reverse shell: no
   File write: no
   File read: no
   Code evaluation: ok, php code (blind)

[+] Rerun tplmap providing one of the following options:

root@zion:~/tplmap#
its0x08 commented 6 years ago

I'm having almost the same but with a Python webapp! Any fix or way to exploit it?!

epinna commented 6 years ago

That's probably a false positive. Blind testing is time-based, so slowing down the application/network would result in a false positive. If you want to investigate the low-level requests, proxify tplmap and analyze the positive requests.

jx6f commented 6 years ago

I confirmed that the problem is reproduced on the test environment of tplmap.

Reproduction procedure:

  1. Clean and run the tplmap test environment

    cd /path/to/tplmap/docker-envs; docker-compose rm -f && docker-compose up tplmap_test_php
  2. Confirm that smarty-3.1.29-secured.php is not injectable

    python2 tplmap.py -u 'http://localhost:15002/smarty-3.1.29-secured.php?inj=*&blind=1' -e smarty
    [+] Tplmap 0.4
        Automatic Server-Side Template Injection Detection and Exploitation Tool
    
    [+] Testing if GET parameter 'inj' is injectable
    [+] Smarty plugin is testing rendering with tag '*'
    [+] Smarty plugin is testing blind injection
    [!][checks] Tested parameters appear to be not injectable. Try to increase '--level' value to perform more tests.
  3. Confirm that smarty-3.1.29-unsecured.php is injectable

    python2 tplmap.py -u 'http://localhost:15002/smarty-3.1.29-unsecured.php?inj=*&blind=1' -e smarty
    [+] Tplmap 0.4
        Automatic Server-Side Template Injection Detection and Exploitation Tool
    
    [+] Testing if GET parameter 'inj' is injectable
    [+] Smarty plugin is testing rendering with tag '*'
    [+] Smarty plugin is testing blind injection
    [+] Smarty plugin has confirmed blind injection
    [+] Tplmap identified the following injection point:
    
      GET parameter: inj
      Engine: Smarty
      Injection: *
      Context: text
      OS: undetected
      Technique: blind
      Capabilities:
    
       Shell command execution: ok (blind)
       Bind and reverse shell: ok
       File write: ok (blind)
       File read: no
       Code evaluation: ok, php code (blind)
    
    [+] Rerun tplmap providing one of the following options:
    
        --os-shell              Run shell on the target
        --os-cmd            Execute shell commands
        --bind-shell PORT           Connect to a shell bind to a target port
        --reverse-shell HOST PORT   Send a shell back to the attacker's port
        --upload LOCAL REMOTE   Upload files to the server
  4. Scan smarty-3.1.29-secured.php again; it now becomes injectable

    python2 tplmap.py -u 'http://localhost:15002/smarty-3.1.29-secured.php?inj=*&blind=1' -e smarty
    [+] Tplmap 0.4
        Automatic Server-Side Template Injection Detection and Exploitation Tool
    
    [+] Testing if GET parameter 'inj' is injectable
    [+] Smarty plugin is testing rendering with tag '*'
    [+] Smarty plugin is testing blind injection
    [+] Smarty plugin has confirmed blind injection
    [+] Tplmap identified the following injection point:
    
      GET parameter: inj
      Engine: Smarty
      Injection: *
      Context: text
      OS: undetected
      Technique: blind
      Capabilities:
    
       Shell command execution: no
       Bind and reverse shell: no
       File write: no
       File read: no
       Code evaluation: ok, php code (blind)
    
    [+] Rerun tplmap providing one of the following options:

Now, the same analysis without using tplmap.

  1. Confirm that smarty-3.1.29-secured.php is not injectable

    • request

      GET /smarty-3.1.29-secured.php?blind=1&inj={php}sleep(4);{/php} HTTP/1.1
      Host: localhost:15002
      
    • response (returns immediately)
      <br />
      <b>Fatal error</b>:  Uncaught  --&gt; Smarty Compiler: Syntax error in template &quot;string:{php}sleep(4);{/php}&quot;  on line 1 &quot;{php}sleep(4);{/php}&quot; {php}{/php} tags not allowed. Use SmartyBC to enable them &lt;-- 
        thrown in <b>/tests/lib/smarty-3.1.29/libs/sysplugins/smarty_internal_templatecompilerbase.php</b> on line <b>1</b><br />
  2. Confirm that smarty-3.1.29-unsecured.php is injectable (blind)

    • request

      GET /smarty-3.1.29-unsecured.php?blind=1&inj={php}sleep(4);{/php} HTTP/1.1
      Host: localhost:15002
      
    • response (returns after 4 seconds)
      J7VQvumBFc
  3. Test smarty-3.1.29-secured.php again; it now becomes injectable (blind)

    • request

      GET /smarty-3.1.29-secured.php?blind=1&inj={php}sleep(4);{/php} HTTP/1.1
      Host: localhost:15002
      
    • response (returns after 4 seconds)
      JLaS43hi2D

I believe that this strange behavior is caused by Smarty's cache mechanism. I straced the php process, and then I saw that the same template cache file was re-used. I know this is a rare case, so it might not match the case @riramar reported.

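The cache re-use described above, modelled as an added example (not tplmap's or Smarty's code): a compiled-template cache keyed only on the template source lets the secured renderer skip its compile-time check once the unsecured renderer has compiled the same string, which is exactly the secured/unsecured/secured sequence in the reproduction. Keying the cache on the security mode as well is an assumed fix for the toy model, not Smarty's actual change; the 4-second delay is simulated as a return value rather than a real sleep.

```python
import re

# Constructed model of the cache re-use jx6f describes; not Smarty's code.
PHP_SLEEP = re.compile(r"\{php\}sleep\((\d+)\);\{/php\}")

class CompileError(Exception):
    """Stands in for Smarty's compile-time 'tags not allowed' error."""

class TemplateCache:
    """Compiled-template store shared by both renderers. key_on_policy=False
    keys on template source only (assumed cause); True adds the security
    mode to the key (assumed fix, not Smarty's actual change)."""
    def __init__(self, key_on_policy):
        self.key_on_policy = key_on_policy
        self.compiled = {}

    def key(self, source, secured):
        return (source, secured if self.key_on_policy else None)

def compile_template(source, secured):
    """Compile step: the secured renderer rejects {php} blocks here and only here.
    Returns the seconds the compiled template would sleep when rendered."""
    if secured and "{php}" in source:
        raise CompileError("{php}{/php} tags not allowed")
    m = PHP_SLEEP.search(source)
    return int(m.group(1)) if m else 0

def render(cache, source, secured):
    """A cache hit skips compile_template, and with it the security check.
    Returns (simulated response delay in seconds, cache_hit)."""
    k = cache.key(source, secured)
    if k in cache.compiled:
        return cache.compiled[k], True
    delay = compile_template(source, secured)
    cache.compiled[k] = delay
    return delay, False

def replay(key_on_policy):
    """Replay the thread's three requests (secured, unsecured, secured) on one cache."""
    cache = TemplateCache(key_on_policy)
    payload = "{php}sleep(4);{/php}"   # constructed, matches the thread's probe
    results = []
    for secured in (True, False, True):
        try:
            delay, hit = render(cache, payload, secured)
            results.append("delay=%ds hit=%s" % (delay, hit))
        except CompileError as e:
            results.append("error: %s" % e)
    return results
```

With the shared cache, the third (secured) request returns the cached 4-second delay without ever reaching the compile-time check, which is what makes a time-based blind probe report the secured endpoint as injectable.
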
epinna commented 6 years ago

Fixed @jx6f issue, closing this.