19 changes: 4 additions & 15 deletions tanner/emulators/twig_template_injection.py
@@ -60,18 +60,7 @@ def scan(self, value):
detection = dict(name="twig_template_injection", order=3)
Collaborator

I tested with a super simple string /foobar?b={{3*%272%27}} and there are 2 possible detections:

{'name': 'template_injection', 'order': 4}
{'name': 'twig_template_injection', 'order': 3}

Since template_injection is order 4, tanner chooses it and executes.

Any ideas how to distinguish? @mzfr @rjt-gupta

Collaborator

@rjt-gupta rjt-gupta Sep 1, 2020


For twig this case should give 6 and for tornado 222. (right?)

Collaborator

We need something that distinguishes these two.

Collaborator Author

Yeah, the regex is almost similar, so it's hard to distinguish.

Also, afeena, can you please tell me how you tested it? I mean the setup; I want to know what I am doing wrong.

Collaborator

@mzfr scan works perfectly fine; if you print the possible detections you can see it. The only problem is in the signature of the handle function.

return detection

async def handle(self, attack_params):
"""
Handler of emulator
:param attack_params (list): contains dicts as elements with id and value (payload from attacker) as keys
:return: (dict): value (result of emulator), page (if set to true the payload will be injected to index.html
itself) as keys.
"""

result = await self.get_injection_result(attack_params[0]["value"])
if not result or "stdout" not in result:
self.logger.exception(
"Error while getting the injection results from php sandbox.."
)
return dict(status_code=504)
return dict(value=result["stdout"], page=False)
async def handle(self, attack_params, session=None):
attack_params[0]['value'] = unquote(attack_params[0]['value'])
result = await self.get_injection_result(attack_params[0]['value'])
Collaborator

Tornado is getting its results from the custom docker image, and here it's phpox. The returned format is different.

Collaborator Author

@rjt-gupta do you have an example of the format?

return result
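Review bot: the replacement handle drops the error handling and result normalization that the removed body had, and the hunk's final line returns the raw sandbox result instead of the documented shape. The deleted docstring states the handler's contract (a dict with value and page keys), and the deleted body enforced it with `if not result or "stdout" not in result:` returning `dict(status_code=504)` and otherwise `return dict(value=result["stdout"], page=False)`; after this change a failed phpox call propagates as None and a successful one hands callers a dict they do not expect. Keep the check and map the phpox output back into that shape at the `return result` line, adapting the key lookup if the phpox format really differs from what the tornado emulator's docker image returns. Two smaller points: `unquote` is called but its import is not visible in this hunk, so confirm it is present at the top of the file; and the docstring should be kept (or rewritten to describe the new session parameter) rather than deleted. Finally, `attack_params[0]['value'] = unquote(...)` rewrites the caller's list entry in place; assigning the decoded payload to a local name avoids side effects on whatever the caller does with attack_params afterwards.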