mushorg / tanner

He who flays the hide
GNU General Public License v3.0

Template Injection Emulator #337

Closed rjt-gupta closed 5 years ago

rjt-gupta commented 5 years ago

Engines Supported:

All of them are detected by using separate regex and have separate get_injection methods.
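As an added illustration of the per-engine approach this comment describes (one regex per engine, one emulation method per engine), the following is example code written for this review and is not Tanner's own implementation. The pattern names, the `jinja2_twig` family label and the whitelist evaluator are assumptions for this example. The evaluator deliberately handles only the arithmetic probe forms (`{{7*7}}`, `{{7*"7"}}`) and refuses everything else, so the honeypot never executes attacker input; it emulates the engine-specific answer the thread later relies on (Twig coerces `"7"` to a number and answers `49`, Jinja2 follows Python string semantics).

```python
import ast
import operator
import re
from typing import Optional, Tuple

# One detection regex per engine family (constructed for this example, not Tanner's).
# Order matters: Mako and Tornado syntax is checked before the shared {{ }} form.
PROBE_PATTERNS = [
    ("mako", re.compile(r"<%.*?%>|\$\{(?P<expr>.*?)\}", re.DOTALL)),
    ("tornado", re.compile(r"\{%.*?%\}", re.DOTALL)),
    ("jinja2_twig", re.compile(r"\{\{(?P<expr>.*?)\}\}", re.DOTALL)),
]

# Only these binary operators are emulated; anything else is rejected.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mult if hasattr(operator, "mult") else operator.mul}


def detect_injection(value: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (engine_family, inner_expression) for the first matching probe
    syntax in a request parameter, or None when nothing looks like a template."""
    for engine, pattern in PROBE_PATTERNS:
        match = pattern.search(value)
        if match:
            expr = match.groupdict().get("expr")
            return engine, expr.strip() if expr else None
    return None


def _eval_probe(node: ast.AST, coerce_strings: bool):
    """Whitelist evaluator: numbers, string literals and +,-,* only.
    coerce_strings=True mimics Twig (numeric strings become numbers);
    False mimics Jinja2, where Python semantics apply (7*"7" -> "7777777")."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        if coerce_strings:
            return int(node.value)  # ValueError for non-numeric strings
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        left = _eval_probe(node.left, coerce_strings)
        right = _eval_probe(node.right, coerce_strings)
        return _OPS[type(node.op)](left, right)
    # Names, attribute access, calls (e.g. config.items()) are never evaluated.
    raise ValueError("unsupported probe expression")


def emulate_probe(expr: str, engine: str) -> Optional[str]:
    """Emulated engine output for an arithmetic probe, or None if the
    expression is not one the honeypot is willing to answer."""
    try:
        tree = ast.parse(expr, mode="eval")
        result = _eval_probe(tree.body, coerce_strings=(engine == "twig"))
    except (SyntaxError, ValueError, TypeError):
        return None
    return str(result)


if __name__ == "__main__":
    # Constructed sample request parameters, as a honeypot would receive them.
    for param in ['?a={{7*"7"}}', "?a={{7*7}}", "?q=plain+text"]:
        hit = detect_injection(param)
        if hit is None:
            print(param, "-> no template syntax")
            continue
        family, expr = hit
        print(param, "->", family, "twig:", emulate_probe(expr, "twig"),
              "jinja2:", emulate_probe(expr, "jinja2"))
```

The choice of which engine to impersonate belongs to the honeypot profile, not to the regex: `{{...}}` alone cannot distinguish Jinja2 from Twig, which is why the emulator has to pick one answer for `7*"7"` and stay consistent with it.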

rjt-gupta commented 5 years ago

We need to fix the travis build first.

rnehra01 commented 5 years ago

Overall it looks pretty limited to me. I could get to work simple payloads like {{7*7}} which doesn't have serious impacts. Have you thought about complex payloads that can have high severity like reading local files, configs etc. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2

rjt-gupta commented 5 years ago

So, payloads running commands or reading /etc/passwd can be done easily for mako, tornado template engines. For jinja2 I think a simple detection would work as its often detected using {{7*7}} type payloads.

Do you have something in mind for jinja2 engine?

rjt-gupta commented 5 years ago

So, the twig engine is working nicely from the snare side as well. To run the emulator, install composer, then install twig using composer - composer require "twig/twig:^2.0" from the /tanner directory.

It will create a folder vendor/ with all the twig files, autoload.php etc.

Input format - ?a={{7*"7"}}. Output should contain 49, which is twig engine specific.

rjt-gupta commented 5 years ago

Also, maybe we can include these vendor/ files as a part of the project, then the user won't have to worry about anything. Is this feasible?

rnehra01 commented 5 years ago

@rjt-gupta What payloads are working for this emulator?

rjt-gupta commented 5 years ago

Engines - Mako, Tornado are working using docker and a custom image (base image - alpine).

Working complex payloads -

Mako - <%\nimport os\nx=os.uname()\n%>\n${x}
Tornado - {%import os%}{{os.uname()}}

(run docker-compose build first)

coveralls commented 5 years ago

Pull Request Test Coverage Report for Build 1067

Changes Missing Coverage | Covered Lines | Changed/Added Lines | %
tanner/utils/docker_helper.py | 24 | 54 | 44.44%
Total | 69 | 99 | 69.7%

Totals Coverage Status
Change from base Build 1066: -0.4%
Covered Lines: 1377
Relevant Lines: 1798

💛 - Coveralls

rjt-gupta commented 5 years ago

Ready.

rnehra01 commented 5 years ago

It gives me b'49' for {{7*7}}. Can you remove the b and quotes?

rjt-gupta commented 5 years ago

> It gives me b'49' for {{7*7}}. Can you remove the b and quotes?

I am decoding the output already and apparently "b'49'" as a whole is a string, don't know why it is getting encoded twice.

So, I'll just strip this to remove b''.
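The `b'49'` seen above is what you get when a `bytes` value is passed through `str()` (or formatted into a string) instead of being `.decode()`d: `str(b"49")` is the literal text `b'49'`, and encoding that again gives `b"b'49'"`, which is the "encoded twice" effect. The following is an added example written for this review, not Tanner's code; `normalize_output` is a hypothetical helper that decodes real `bytes` correctly and, as a fallback, unwraps a value that has already been turned into a `repr`-style string so the emulator returns plain `49`.

```python
import re
from typing import Union

# Matches the repr() form of a bytes object, e.g. b'49' or b"Linux\\nhost".
_BYTES_REPR = re.compile(r"^b(['\"])(.*)\1$", re.DOTALL)


def normalize_output(raw: Union[bytes, str]) -> str:
    """Return container/subprocess output as plain text.

    bytes -> decode as UTF-8 (this is the correct path; docker and subprocess
             hand back bytes).
    str   -> if it looks like repr(bytes), i.e. the bytes were stringified
             with str() somewhere upstream, unwrap and unescape it; otherwise
             return it unchanged.
    """
    if isinstance(raw, bytes):
        return raw.decode("utf-8", errors="replace").strip()

    text = raw.strip()
    match = _BYTES_REPR.match(text)
    if match is None:
        return text

    # Undo repr() escaping: "\\n" -> newline, "\\xc3\\xa9" -> the raw bytes
    # 0xC3 0xA9. The latin-1 round trip maps each escaped byte back to one
    # byte so that multi-byte UTF-8 sequences are reassembled correctly.
    escaped = match.group(2)
    unescaped = escaped.encode("latin-1", errors="replace").decode("unicode_escape")
    original_bytes = unescaped.encode("latin-1", errors="replace")
    return original_bytes.decode("utf-8", errors="replace").strip()


def show_double_encoding(raw: bytes) -> tuple:
    """Illustrates the bug: str(bytes) keeps the b'' wrapper, so a later
    .encode() produces doubly wrapped bytes. Returns (wrong, right)."""
    wrong = str(raw)            # "b'49'"  (what the thread observed)
    right = raw.decode("utf-8") # "49"
    return wrong, right


if __name__ == "__main__":
    # Constructed sample: what a container running {{7*7}} would print.
    container_stdout = b"49\n"
    print(show_double_encoding(container_stdout))
    print(normalize_output(container_stdout))
    print(normalize_output(str(container_stdout)))  # recovers from the bug too
```

Stripping `b''` by hand works for this one value, but decoding at the boundary where the bytes enter (the docker helper) removes the class of bug rather than the symptom, and the fallback above keeps older call paths working while that is fixed.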

rjt-gupta commented 5 years ago

Updated docker_helper to latest upgrade, updated lfi, cmd_exec, template_injection emulators also.

Added tests for this emulator.