vladko312 / SSTImap

Automatic SSTI detection tool with interactive interface
GNU General Public License v3.0

False Positive #31

Closed 0xPugal closed 10 months ago

0xPugal commented 10 months ago

1st time: python3 sstimap.py -u https://target.com/path?country=mc

[*] Freemarker plugin is testing rendering with tag '*'
[*] Freemarker plugin is testing }* code context escape with 6 variations
[*] Freemarker plugin is testing blind injection
[+] Freemarker plugin has confirmed blind injection
[+] SSTImap identified the following injection point:
  GET parameter: country
  Engine: Freemarker
  Injection: *
  Context: text
  OS: undetected
  Technique: blind
  Capabilities:
    Shell command execution: ok (blind)
    Bind and reverse shell: ok
    File write: ok (blind)
    File read: no
    Code evaluation: no

[+] Rerun SSTImap providing one of the following options:

2nd time: python3 sstimap.py -u https://target.com/path?country=mc --os-shell

[*] Twig plugin is testing rendering with tag '*'
[*] Twig plugin is testing }}*{{1 code context escape with 6 variations
[*] Twig plugin is testing  %}* code context escape with 6 variations
[*] Twig plugin is testing blind injection
[*] Twig plugin is testing }}*{{1 code context escape with 6 variations
[+] Twig plugin has confirmed blind injection
[+] SSTImap identified the following injection point:
    GET parameter: country
    Engine: Twig
    Injection: 1')}}*{{1
    Context: code
    OS: undetected
    Technique: blind
    Capabilities:

        Shell command execution: no
        Bind and reverse shell: no
        File write: no
        File read: no
        Code evaluation: ok, php code (blind)
[-] No system command execution capabilities have been detected on the target.

vladko312 commented 10 months ago

Have you tried increasing delay for blind injection detection?

alasalamont commented 10 months ago

> Have you tried increasing delay for blind injection detection?

For blind injection, instead of a time delay, I suggest doing more steps, such as performing curl/wget/ping to the attacker. How does that sound?

vladko312 commented 10 months ago

@alasalamont These solutions require a lot of conditions to be met in order to succeed. Attacker must be accessible from the internet on some custom port and the target must be able to create connections as well as have the required tool installed. This is fine for advanced exploitation (reverse shell or OOB exfiltration), but not for initial detection.

A better solution would be making more tests with increased delay after the initial detection in order to verify the vulnerability.
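The verification step described in the comment above, as an added example that is not part of SSTImap's code: a suspected blind finding is re-tested with escalating delays and confirmed only if the measured response time tracks every requested delay. The `probe(delay)` callables are assumed stand-ins for a timed HTTP request; here they replay constructed response times so the example runs offline.

```python
"""Re-testing a blind (time-based) finding with escalating delays.

A single slow response is weak evidence: network jitter or a slow backend
can exceed the threshold once. Asking for several different delays and
requiring the latency to follow each of them rules that out.
"""
import statistics


def measure_baseline(probe, rounds=3):
    """Median response time of requests that request no delay (delay=0)."""
    return statistics.median(probe(0.0) for _ in range(rounds))


def naive_detect(probe, baseline, delay=1.0):
    """One-shot check: fires on any single response slower than baseline + ~delay.

    This is the kind of check that produced the false positive in the issue.
    """
    return probe(delay) >= baseline + delay * 0.8


def confirm_with_escalating_delays(probe, baseline, delays=(2.0, 4.0, 8.0), tolerance=1.0):
    """Confirm only if each requested delay d yields a response near baseline + d.

    A target that is merely slow or jittery cannot make its latency scale
    with the delay we ask for, so it fails at least one of the rounds.
    """
    for d in delays:
        observed = probe(d)
        if abs(observed - (baseline + d)) > tolerance:
            return False
    return True


def scripted_probe(latencies):
    """Constructed stand-in for a target that ignores the delay: it replays a
    fixed list of jittery response times regardless of what is requested."""
    it = iter(latencies)
    return lambda delay: next(it)


def delaying_probe(delay, baseline=0.3):
    """Constructed stand-in for a target that really executes the requested sleep."""
    return baseline + delay + 0.05   # small, constant network overhead


if __name__ == "__main__":
    jittery = scripted_probe([0.3, 0.3, 0.3, 1.4, 2.0, 1.1, 0.9])  # baseline x3, then probes
    base = measure_baseline(jittery)
    print("naive:", naive_detect(jittery, base))                      # True: false positive
    print("confirmed:", confirm_with_escalating_delays(jittery, base))  # False: rejected
```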

vladko312 commented 10 months ago

Should be fixed in 1.2.0. Can you verify?

vladko312 commented 10 months ago

Closing for now, as the fix was provided in 1.2.0, but no confirmation was given