<p><strong>Server Side Template Injection: from detection to Remote shell</strong><br />
OKIOK blog, published 2017-02-27 (updated 2019-05-22), by Gérôme Dieu</p>
<p><strong>Today, let’s talk about template engines and the class of vulnerability they can introduce: server-side template injection (SSTI). In this post, we will discuss some security concerns regarding the use of template engines in modern Web applications.</strong></p>
<p><u>1 – What’s a template engine?</u></p>
<p>Template engines are becoming more and more common in modern Web applications.</p>
<p>Used to populate web pages with dynamic data, a template engine separates data-processing logic from presentation code.</p>
<p>This separation makes the code easier to modify and maintain and lets developers produce whatever content type they need. A template is written once by the developers; at run time the engine processes it and inserts the requested information into the template’s tag blocks.</p>
<p>Uses are varied: displaying information about users or products, generating bulk e-mails for marketing applications, and so on. Wikis, CMSs and blog platforms commonly rely on them.</p>
<p>Java (FreeMarker, Velocity), PHP (Smarty, Twig), Python (Jinja, Tornado) and Ruby (Liquid) all have templating engines, and many other languages have libraries for this kind of work [1].</p>
<p><u>2 – What’s a template injection?</u></p>
<p>James Kettle (PortSwigger) first presented this vulnerability class at Black Hat USA 2015. If you have not done so already, I invite you to read his excellent blog post about it [2].</p>
<p>A template injection occurs when untrusted input is concatenated into the template itself instead of being passed as context to the render method. The input then becomes part of the template source that the engine compiles and evaluates, rather than data that the template merely displays. Developers may introduce this kind of vulnerability on purpose (for instance by letting users edit templates) or by mistake.</p>
<p>SSTI is often mistaken for XSS. From a pentester’s point of view, XSS is well known and usually straightforward to exploit, whereas SSTI is easy to miss: the reflected payload looks like a classic XSS finding. The risk is all the greater because the payload is evaluated on the server and may lead to arbitrary remote code execution.</p>
<p><u>3 – The mission:</u></p>
<p>Enough with the theory, let’s move on to practice. We are going to use the following proof-of-concept code, written in Python, to illustrate this vulnerability [3].</p>
<pre class="brush: python">import tornado.ioloop
import tornado.web
import tornado.template


class MainHandler(tornado.web.RequestHandler):
    def get(self):
        # VULNERABLE: the request parameter is formatted into the template
        # source before it is compiled, so template syntax in it is executed.
        TEMPLATE = '''
&lt;html&gt;
  &lt;head&gt;
    &lt;title&gt;SSTI POC&lt;/title&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;h2&gt;
      Hello %s !
    &lt;/h2&gt;
  &lt;/body&gt;
&lt;/html&gt;
''' % (self.get_argument('param', ''))
        t = tornado.template.Template(TEMPLATE)
        self.write(t.generate())


if __name__ == "__main__":
    application = tornado.web.Application([(r"/", MainHandler),], debug=True)
    application.listen(8888)
    tornado.ioloop.IOLoop.current().start()
</pre>
<p>Let’s walk through James Kettle’s methodology. Fire up the Tornado application and see what it looks like:<br />
<img src="/wp-content/uploads/2017/02/gdieu-300x91.png" alt="" width="300" height="91" /></p>
<p>So we have an input parameter whose value is printed into the page.</p>
<p>The first step is to find out whether the template engine evaluates our input.</p>
<p>A simple mathematical operation can be used for this purpose:</p>
<p><img src="/wp-content/uploads/2017/02/gdieu2-300x110.png" alt="" width="300" height="110" /></p>
<p>The operation is evaluated and its result is sent back to the client; simple reflection would have returned the expression unchanged. We have something interesting, so let’s continue the investigation.</p>
<p>The Tornado documentation [4] tells us that expressions are written between double curly braces, like this: {{ python expression }}. They are evaluated and the result is inserted into the response. Any Python expression can be used. Reading further, we also learn that a Python module can be imported with the template directive {% import <em>module</em> %} and then used in later expressions.</p>
<p>We now know exactly what we have access to: the Python interpreter, including the ability to import modules. From here the next step is to craft an exploit, and without much difficulty we obtain remote code execution.</p>
<p><img src="/wp-content/uploads/2017/02/gdieu3-300x59.png" alt="" width="392" height="77" /></p>
<p>Finally, gaining control over the server is just a matter of time. Let’s complete the compromise with a remote shell:</p>
<p><img src="/wp-content/uploads/2017/02/ghjfgh-1024x381.png" alt="" width="556" height="207" /></p>
<p>Don’t forget to fire up a netcat listener on your local machine first:</p>
<pre class="brush: plain">gdieu:~ admin$ ncat -v -l -p 4444
Ncat: Version 7.00 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.0.107.
Ncat: Connection from 192.168.0.107:39342.
$ id
uid=1000(gdieu) gid=1000(gdieu) groups=1000(gdieu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
</pre>
<p>Mission accomplished: we have a remote shell on the vulnerable server. It runs with the identity of the Tornado process, here uid 1000 (gdieu), a user who is also a member of the sudo group. That’s all for this time!</p>
<p><strong>Gérôme Dieu</strong>, OSCP</p>
<p><i>IT Security Consultant</i></p>
<p>___________________________________________________</p>
<p>[1] https://en.wikipedia.org/wiki/Comparison_of_web_template_engines</p>
<p>[2] http://blog.portswigger.net/2015/08/server-side-template-injection.html</p>
<p>[3] https://opsecx.com/index.php/2016/07/03/server-side-template-injection-in-tornado/</p>
<p>[4] http://www.tornadoweb.org/en/stable/template.html?highlight=templating#syntax-reference</p>
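<p>The two points made in sections 2 and 3, that concatenating the parameter into the template turns data into template code while passing it as render context does not, and that an arithmetic probe detects the difference, as an added runnable example that is not code from the original post. Because Tornado compiles a template to Python and executes it, the snippet uses a minimal stand-in engine that implements only the two constructs the post relies on, <code>{{ expr }}</code> and <code>{% import module %}</code>, so it runs offline without Tornado; <code>render</code>, <code>vulnerable_page</code>, <code>fixed_page</code>, <code>detect_ssti</code>, <code>http_sender</code>, the probe syntax list and the URL <code>http://127.0.0.1:8888/</code> are all assumptions of this example. The probe list goes beyond the post’s Tornado case by also trying the <code>${...}</code> and <code>&lt;%= ... %&gt;</code> syntaxes used by other engines.</p>

```python
"""Stand-in template engine plus SSTI probe. Added example, not code from the
original post: Tornado compiles a template to Python and exec()s it, and this
engine mimics only the {{ expr }} and {% import m %} constructs the post uses,
so the mechanism can be run offline without Tornado installed."""
import html
import random
import re
from typing import Callable, Optional

# {{ expr }} -> group(1); {% import mod %} -> group(2)
TOKEN = re.compile(r"\{\{(.*?)\}\}|\{%\s*import\s+([A-Za-z_][\w.]*)\s*%\}", re.S)


def render(template: str, **context) -> str:
    """Evaluate each {{ }} body as a Python expression in a namespace seeded
    with the render context; HTML-escape the result on output, which is what
    Tornado's default autoescape (xhtml_escape) does."""
    namespace = dict(context)
    out, pos = [], 0
    for m in TOKEN.finditer(template):
        out.append(template[pos:m.start()])
        expr, module = m.group(1), m.group(2)
        if module is not None:
            # {% import os.path %} binds the top-level name 'os', as Python does
            namespace[module.split(".")[0]] = __import__(module)
        else:
            out.append(html.escape(str(eval(expr.strip(), namespace))))  # the engine's job
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)


def vulnerable_page(param: str) -> str:
    """Same defect as the post's handler: the parameter is pasted into the
    template SOURCE before compilation, so it is code, not data."""
    return render("<h2>Hello %s !</h2>" % param)


def fixed_page(param: str) -> str:
    """The template is a constant; the parameter arrives only as render
    context and is therefore displayed (escaped), never evaluated."""
    return render("<h2>Hello {{ param }} !</h2>", param=param)


# Probe syntaxes with %d placeholders for the operands. Only the first exists
# in this toy engine; ${..} covers FreeMarker/Velocity, <%= %> covers ERB.
SYNTAXES = ("{{%d*%d}}", "${%d*%d}", "<%%= %d*%d %%>")


def detect_ssti(send: Callable[[str], str],
                rng: Optional[random.Random] = None) -> Optional[str]:
    """Kettle-style check: inject a multiplication and look for the PRODUCT in
    the response rather than the payload. Random 4-digit operands give a 7- or
    8-digit product a page will not contain by chance, and a second round with
    fresh operands rules out luck. Returns the syntax that was evaluated, or
    None when every probe was merely reflected or dropped."""
    rng = rng or random.Random()
    for syntax in SYNTAXES:
        hits = 0
        for _ in range(2):
            a, b = rng.randint(1000, 9999), rng.randint(1000, 9999)
            if str(a * b) in send(syntax % (a, b)):
                hits += 1
        if hits == 2:
            return syntax
    return None


def http_sender(url: str, name: str = "param") -> Callable[[str], str]:
    """Transport for a live target, e.g. the post's app at the assumed URL
    http://127.0.0.1:8888/ ; not exercised by the offline demo below."""
    import urllib.parse
    import urllib.request

    def send(payload: str) -> str:
        query = urllib.parse.urlencode({name: payload})
        with urllib.request.urlopen(url + "?" + query, timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")
    return send


if __name__ == "__main__":
    print(vulnerable_page("{{7*7}}"))      # <h2>Hello 49 !</h2>       evaluated
    print(fixed_page("{{7*7}}"))           # <h2>Hello {{7*7}} !</h2>  reflected as data
    print(vulnerable_page("{% import os %}{{ os.getpid() }}"))  # code runs server-side
    print(fixed_page("<b>x</b>"))          # autoescape also neutralises the XSS
    print(detect_ssti(vulnerable_page), detect_ssti(fixed_page))  # {{%d*%d}} None
```

<p>Run it directly to see the vulnerable and fixed renderings side by side, or point <code>detect_ssti(http_sender("http://127.0.0.1:8888/"))</code> at the Tornado application from section 3. The fix in the real handler is the same one <code>fixed_page</code> applies: keep the template constant, write <code>Hello {{ param }}</code> in it, and call <code>t.generate(param=self.get_argument('param', ''))</code>; Tornado’s autoescape, which is on by default, then also neutralises the XSS that the concatenated version allowed.</p>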