Day 6/100 Hack and Improvement

3 minute read

Learning about template injection and enumeration in order to find nested subdomains. Day 6 open ups with a new kind of vulnerability and a recon technique that will improve your days as a pentester. We’re totally encouraging you to expand these topics even further.

Template Injection

From Sam (CoffeeJunkie), Template engine is a code that creates dynamic websites with other media automatically filling placeholders in the template when rendering it. The usage of place holders allow developers to separate application and business logic. Templates has other kind of benefits such as user input sanitization features features, simplified HTML generation, and easy maintenance. Template injection vulnerabilities occur when engines render user input without properly sanitizing it, sometimes leading to remote code execution.

There are two types of template injection which are server-side template injection and server-side template injection

Server-Side Template Injection (SSTI)

Server-Side Template Injection (SSTI). Templates are programmed in certain programming languages where sometimes you have the chance to inject arbitrary code from that language. The possibility to inject arbitrary code will strongly depend on the security protection that the engine provides, as also the preventive measures.

As an example from the book: “The Python Jinja2 engine has allowed arbitrary file access and remote code execution, as has the Ruby ERB template engine that Rails uses by default. In contrast, Shopify’s Liquid Engine allows access to a limited number of Ruby methods in an attempt to prevent full remote code execution.” Peter Yaworski. “Real-World Bug Hunting.”

In order to test SSTI vulnerabilities, you must submit template expressions using an specific syntax for the engine in use. As an example PHP’s smarty uses four braces to denote expressions, also it uses different kind of symbols to denote expressions, therefore a simple way to test the vulnerability would be to send the following mathematical expression ``````. If the injection is successful, you’d have the chance to see the expression converted in 49 once the code is rendered. Something that will be strongly dependable is the type of software used to build the website, tools such as Wappalyzer and Built With are very useful at the time to look for the software.

Client-Side Template Injection (CSTI)

This kind of vulnerability occurs in the client template engines and are written in JavaScript. Popular client template engines include Google’s AngularJS and Facebook’s ReactJS. Because CSTI attacks are reflected in the user’s browser, it is not possible to achieve remote code execution. But, there is a great chance to achieve XSS, but it will strongly depend on the template and different ways to bypass preventive measures. As an example with ReactJS which does a good job preventing XSS, the attacker most look for JavaScript files which contain the function dangerouslySetInnerHTML where the attacker has the control input. Other example such as AngularJS v1.6 include a sandbox which limits access to JavaScript functions and protects agains XSS. If you want to confirm the angular version, opening up the developer console you can type Angular.version . If you’re curious about AngularJS escapes there are these resources.

  1. AngularJS Escape Bypass Collection
  2. JSFiddle

Write Ups and Explanations

**UBER ANGULARJS TEMPLATE INJECTION **

In order to test the vulnerability in AngularJS, the attacker used the following payload

# Decoded URL
https://developer.uber.com/docs/deep-linking?q=wrtz
# Encoded URL
https://developer.uber.com/docs/deep-linking?q=wrtz%7B%7B7*7%7D%7D

Once the website was rendered, the attacker was able to see that it was vulnerable because it rendered to wrtz49. After looking at the vulnerability, the attacker proceeds to look for sandbox escapes in order to achieve XSS with the following payload.

nmap scan

After you confirm if the website is using a server-side template, start trying simple payloads using the correct syntax depending the template engine, look for the rendered result, and if it is effective, look for an escape sandbox according the version of the template.

UBER FLASK JINJA2 TEMPLATE INJECTION

So the attacker changed his name profile to 7 which in the email of notification about the profile said that the attacker change his name to 7777777. Here the attacker realized that the site was vulnerable to Server-Side template injection. After the attacker realized the type of template engine that the site was using which was Flask Template Engine(Jinja2), he started to look for vulnerabilities and injections. The attacker proceeds to write the following payloads in python programming language which is the programming language that Jinja2 was using.

nmap scan

Recon With a Simple Script for Finding Nested Subdomains

Rajesh Ranjan finds himself curious about expanding his scope in order to get a better recon, therefore getting better bugs. Nested Subdomain: it is subdomain of a subdomain or also known as multi level sub domain.

Example

Suppose the corp.yahoo.com is subdomain of yahoo.com. It’s nested subdomain will be:

example1.corp.yahoo.com, example2.corp.yahoo.com

A Big shoutout to Nahamsec, Rajesh was watching one of his stream and got this small script.

for i in `cat target.txt`
do
        curl -s https://crt.sh/\?q\=\%.$i\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a all.txt
done

nmap scan

So this simple script will enumerate all the subdomain from crtsh and will save the output in all.txt file

Leave a comment