coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GitBook: [#2983] No subject

Browse Source
This commit is contained in:
CPol 2022-02-03 00:17:18 +00:00 committed by gitbook-bot
parent 5d0f41755d
commit 9641f5046e
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 31 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
pentesting-web/ssti-server-side-template-injection/README.md
View File

@ -810,15 +810,40 @@ Even if it's perl it uses tags like ERB in Ruby.
<% perl code %>
```
### Method Confusion in GO
### SSTI in GO
It's possible to **call methods of the object** that is passed to the context of the template.\
For example if an object has the method `System` to execute a command or the method `File` to read a file you could achieve **RCE** o **read arbitrary files** with:
The way to confirm that the template engine used in the backed is Go you can use these payloads:
* `{{.System "whoami"}}`
* `{{.File "/etc/passwd}}`
* `{{ . }}` = data struct being passed as input to the template
* If the passed data is an object that contains the attribute Password for example, the previous payload would leak it, but you could also do: `{{ .Password }}`
* `{{printf "%s" "ssti" }}` = should output the string ssti in the response
* `{{html "ssti"}}`, `{{js "ssti"}}` = These are a few other payloads which should output the string "ssti" without the trailing words "js" or "html". You can refer to more keywords in the engine [here](https://golang.org/pkg/text/template).
More information in the original research [https://www.onsecurity.io/blog/go-ssti-method-research/](https://www.onsecurity.io/blog/go-ssti-method-research/)
#### XSS exploitation
If the server is **using the text/template** package, XSS is very easy to achieve by **simply** providing your **payload** as input. However, that is **not the case with html/template** as itHTMLencodes the response: `{{"<script>alert(1)</script>"}}` **** --> `&lt;script&gt;alert(1)&lt;/script&gt;`
However, Go allows to **DEFINE** a whole **template** and then **later call it**. The payload will be something like:\
`{{define "T1"}}<script>alert(1)</script>{{end}} {{template "T1"}}`
#### RCE Exploitation
The documentation for both the html/template module can be found [here](https://golang.org/pkg/html/template/), and the documentation for the text/template module can be found [here](https://golang.org/pkg/text/template/), and yes, they do vary, a lot. For example, in **text/templat**e, you can **directly call any public function with the “call” value**, this however, is not the case with html/template.
If you want to find a RCE in go via SSTI, you should know that as you can access the given object to the template with `{{ . }}`, you can also **call the objects methods**. So, imagine that the **passed object has a method called System** that executes the given command, you could abuse it with: `{{ .System("ls") }}`\
Therefore, you will probably **need the source code**. A potential source code for something like that will look like:
```go
func (p Person) Secret (test string) string {
out, _ := exec.Command(test).CombinedOutput()
return string(out)
}
```
#### More information&#x20;
* [https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html](https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html)
* [https://www.onsecurity.io/blog/go-ssti-method-research/](https://www.onsecurity.io/blog/go-ssti-method-research/)
### More Exploits