Learning about template injection and enumeration in order to find nested subdomains. Day 6 open ups with a new kind of vulnerability and a recon technique that will improve your days as a pentester. We’re totally encouraging you to expand these topics even further.
From Sam (CoffeeJunkie), Template engine is a code that creates dynamic websites with other media automatically filling placeholders in the template when rendering it. The usage of place holders allow developers to separate application and business logic. Templates has other kind of benefits such as user input sanitization features features, simplified HTML generation, and easy maintenance. Template injection vulnerabilities occur when engines render user input without properly sanitizing it, sometimes leading to remote code execution.
There are two types of template injection which are server-side template injection and server-side template injection
Server-Side Template Injection (SSTI)
Server-Side Template Injection (SSTI). Templates are programmed in certain programming languages where sometimes you have the chance to inject arbitrary code from that language. The possibility to inject arbitrary code will strongly depend on the security protection that the engine provides, as also the preventive measures.
As an example from the book: “The Python Jinja2 engine has allowed arbitrary file access and remote code execution, as has the Ruby ERB template engine that Rails uses by default. In contrast, Shopify’s Liquid Engine allows access to a limited number of Ruby methods in an attempt to prevent full remote code execution.” Peter Yaworski. “Real-World Bug Hunting.”
In order to test SSTI vulnerabilities, you must submit template expressions using an specific syntax for the engine in use. As an example PHP’s smarty uses four braces to denote expressions, also it uses different kind of symbols to denote expressions, therefore a simple way to test the vulnerability would be to send the following mathematical expression ``````. If the injection is successful, you’d have the chance to see the expression converted in
49 once the code is rendered. Something that will be strongly dependable is the type of software used to build the website, tools such as Wappalyzer and Built With are very useful at the time to look for the software.
Client-Side Template Injection (CSTI)
dangerouslySetInnerHTML where the attacker has the control input. Other example such as
Angular.version . If you’re curious about AngularJS escapes there are these resources.
Write Ups and Explanations
In order to test the vulnerability in AngularJS, the attacker used the following payload
# Decoded URL https://developer.uber.com/docs/deep-linking?q=wrtz # Encoded URL https://developer.uber.com/docs/deep-linking?q=wrtz%7B%7B7*7%7D%7D
Once the website was rendered, the attacker was able to see that it was vulnerable because it rendered to
wrtz49. After looking at the vulnerability, the attacker proceeds to look for sandbox escapes in order to achieve XSS with the following payload.
After you confirm if the website is using a server-side template, start trying simple payloads using the correct syntax depending the template engine, look for the rendered result, and if it is effective, look for an escape sandbox according the version of the template.
So the attacker changed his name profile to
7 which in the email of notification about the profile said that the attacker change his name to
7777777. Here the attacker realized that the site was vulnerable to Server-Side template injection. After the attacker realized the type of template engine that the site was using which was Flask Template Engine(Jinja2), he started to look for vulnerabilities and injections. The attacker proceeds to write the following payloads in python programming language which is the programming language that Jinja2 was using.
Recon With a Simple Script for Finding Nested Subdomains
Rajesh Ranjan finds himself curious about expanding his scope in order to get a better recon, therefore getting better bugs. Nested Subdomain: it is subdomain of a subdomain or also known as multi level sub domain.
Suppose the corp.yahoo.com is subdomain of yahoo.com. It’s nested subdomain will be:
A Big shoutout to Nahamsec, Rajesh was watching one of his stream and got this small script.
for i in `cat target.txt` do curl -s https://crt.sh/\?q\=\%.$i\&output\=json | jq -r '..name_value' | sed 's/\*\.//g' | sort -u | tee -a all.txt done
So this simple script will enumerate all the subdomain from crtsh and will save the output in all.txt file