From ba87953a08369cbc6d32ea62b191ac9a71dba6d9 Mon Sep 17 00:00:00 2001
From: Dominique RIGHETTO
Date: Sun, 13 Sep 2020 09:33:41 +0200
Subject: [PATCH 1/4] Add expression for Velocity engine
---
 Fuzzing/template-engines-expression.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Fuzzing/template-engines-expression.txt b/Fuzzing/template-engines-expression.txt
index 9d6a38c..0d42068 100644
--- a/Fuzzing/template-engines-expression.txt
+++ b/Fuzzing/template-engines-expression.txt
@@ -7,3 +7,4 @@ ${42*42}
 <%=42*42 %>
 {{=42*42}}
 {^xyzm42}1764{/xyzm42}
+${donotexists|42*42}
From 234dfabf728bf5a320957b70fb2b6b333d3bea21 Mon Sep 17 00:00:00 2001
From: Dominique RIGHETTO
Date: Sun, 13 Sep 2020 11:04:15 +0200
Subject: [PATCH 2/4] Add an expression using expression inlining for Thymeleaf
See https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#expression-inlining Added it because I have discovered that, when StringTemplateResolver is used, then expression like ${42*42} is not resolved
---
 Fuzzing/template-engines-expression.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Fuzzing/template-engines-expression.txt b/Fuzzing/template-engines-expression.txt
index 0d42068..dd4b9cc 100644
--- a/Fuzzing/template-engines-expression.txt
+++ b/Fuzzing/template-engines-expression.txt
@@ -8,3 +8,4 @@ ${42*42}
 {{=42*42}}
 {^xyzm42}1764{/xyzm42}
 ${donotexists|42*42}
+[[${42*42}]]
From 1c2fb1127859ce0bf82b38cc2eb2e8852525c4f3 Mon Sep 17 00:00:00 2001
From: Dominique RIGHETTO
Date: Mon, 14 Sep 2020 14:28:12 +0200
Subject: [PATCH 3/4] Add file with special vars used by template engines
The objective is to identify the engine once an expression evaluation pattern was identified.
---
 Fuzzing/template-engines-special-vars.txt | 79 +++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 Fuzzing/template-engines-special-vars.txt
diff --git a/Fuzzing/template-engines-special-vars.txt b/Fuzzing/template-engines-special-vars.txt
new file mode 100644
index 0000000..c95f608
--- /dev/null
+++ b/Fuzzing/template-engines-special-vars.txt
@@ -0,0 +1,79 @@
+# !!!WILL BE PUBLISHED VIA A PR TO SECLISTS REPO WHEN FINISHED!!!
+# The objective of this dictionary is to help to discover the template engine used
+# once a evaluation of a template expression was detected via the following dictionary:
+# https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-expression.txt
+# Special variables are grouped by template engine in order to facilitate the identification.
+# Use the term between the expression syntax identified as evaluated like "{{ xxx }}" for example.
+#
+# Indicate to your fuzzer to ignore a line starting with: "# " (space is important)
+# You can also filter the dictionary before to use via the command: grep -v "# " > dict.txt
+#
+# Sources:
+# https://portswigger.net/research/server-side-template-injection
+# https://github.com/epinna/tplmap
+# Custom personal labs
+#
+# GENERIC: To cause an error and perhaps get technical information
+1/0
+# FREEMARKER (JAVA)
+# https://freemarker.apache.org/docs/ref_specvar.html
+.version
+.current_template_name
+.locale_object
+# JINJA2 (PYTHON)
+# https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
+# https://stackoverflow.com/a/40346872/451455
+self._TemplateReference__context
+# DJANGO (PYTHON)
+# https://docs.djangoproject.com/en/3.1/ref/settings/
+settings
+settings.DEBUG
+settings.DATABASES
+settings.SECRET_KEY
+# PUG (NODEJS)
+# https://pugjs.org
+# In case of hit then use "Object.keys(VAR_NAME)" to explore the object properties
+# Self object is available if the "self" options is set to true
+self
+# Payload below are more NodeJS related
+locals
+global
+# ERB (RUBY)
+# https://ruby-doc.org/stdlib-2.7.1/libdoc/erb/rdoc/ERB.html
+ERB.version()
+# TORNADO (PYTHON)
+# https://www.tornadoweb.org/en/stable/template.html
+# Presence of variables with a name starting with "_tt_" indicate usage of Tornado
+locals()
+globals()
+# TWIG (PHP)
+# https://twig.symfony.com/doc/3.x/
+_self
+_self.getTemplateName().__toString
+_context
+_context|length
+_context|keys|first
+constant('Twig_Environment::VERSION')
+constant('Twig_Environment::VERSION_ID')
+constant('Twig_Environment::EXTRA_VERSION')
+# VELOCITY (JAVA)
+# http://velocity.apache.org/tools/devel/generic.html
+$context.keys
+$context.TOOLS_VERSION
+$field.in("org.apache.velocity.runtime.VelocityEngineVersion")
+$field.in("org.apache.velocity.runtime.RuntimeConstants")
+# THYMELEAF (JAVA)
+# https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#variables
+# https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#execution-info
+#execInfo
+#execInfo.templateStack
+#execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null)
+execInfo
+execInfo.templateStack
+execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null)
+# SMARTY (PHP)
+# https://www.smarty.net/docs/en/language.syntax.variables.tpl
+# https://www.smarty.net/docs/en/language.variables.smarty.tpl#language.variables.smarty.config
+$smarty.version
+$smarty.config
+$smarty.template
From 1361ac96c1ec3280d319f8e9e65f6d102cbff566 Mon Sep 17 00:00:00 2001
From: Dominique RIGHETTO
Date: Mon, 14 Sep 2020 14:30:00 +0200
Subject: [PATCH 4/4] Fix typos
---
 Fuzzing/template-engines-special-vars.txt | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/Fuzzing/template-engines-special-vars.txt b/Fuzzing/template-engines-special-vars.txt
index c95f608..56e7db2 100644
--- a/Fuzzing/template-engines-special-vars.txt
+++ b/Fuzzing/template-engines-special-vars.txt
@@ -1,4 +1,3 @@
-# !!!WILL BE PUBLISHED VIA A PR TO SECLISTS REPO WHEN FINISHED!!!
 # The objective of this dictionary is to help to discover the template engine used
 # once a evaluation of a template expression was detected via the following dictionary:
 # https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-expression.txt
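Review bot: The comment-filtering convention stated in the new file's header does not cover its own separator lines: the three entries that hold only `#` match neither the documented rule (lines starting with `"# "`) nor the documented command `grep -v "# "`, so after filtering they remain in the dictionary and are sent as a literal `#` payload. Changing the documented command to `grep -vE '^#( |$)' > dict.txt` handles both forms, and anchoring with `^` also stops the filter from dropping a genuine entry that happens to contain `# ` later in the line. The Thymeleaf entries such as `#execInfo` deliberately begin with `#` and no space, so a fuzzer configured to skip every `#`-prefixed line would silently lose them; a line such as `# A "#" immediately followed by a character (e.g. #execInfo) is a payload, not a comment` next to the existing rule would make that explicit. Minor wording in the same header: `once a evaluation` should read `once an evaluation`, and `indicate usage of Tornado` should read `indicates usage of Tornado`.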
@@ -6,7 +5,7 @@
 # Use the term between the expression syntax identified as evaluated like "{{ xxx }}" for example.
 #
 # Indicate to your fuzzer to ignore a line starting with: "# " (space is important)
-# You can also filter the dictionary before to use via the command: grep -v "# " > dict.txt
+# You can also filter the dictionary before to use it via the command: grep -v "# " > dict.txt
 #
 # Sources:
 # https://portswigger.net/research/server-side-template-injection