Run the test suite

Emilio edited this page Aug 12, 2016 · 4 revisions

Tplmap comes with a suite of scripts that help run the tool against the supported template engines. The testing scripts below start vulnerable web servers, which can be used both to run automatic tests and to test the tool manually.

$ cd ./tests/
$ ls run_*.sh
run_channel_test.sh 
run_java_tests.sh   
run_node_tests.sh   
run_php_tests.sh    
run_python_tests.sh

Manual testing

Run the script for the selected vulnerable environment. The example below executes run_node_tests.sh, which starts a Node.js web service exposing endpoints vulnerable to SSTI for the Jade and Nunjucks template engines.

$ ./run_node_tests.sh
Exposed testing APIs:

http://localhost:15004/jade?inj=*
http://localhost:15004/blind/jade?inj=*
http://localhost:15004/nunjucks?inj=*
http://localhost:15004/blind/nunjucks?inj=*

Web server standard output and error are redirected to file
/tmp/tmp.2BnmKv9b

Open a new terminal tab and run Tplmap against the vulnerable endpoint.

$ ./tplmap.py -u 'http://localhost:15004/jade?inj=*'
[+] Tplmap 0.1b
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Found placeholder in GET parameter 'inj'
...
[+] Jade plugin is testing reflection on text context with tag \n= *\n
[+] Jade plugin has confirmed injection with tag '\n= *\n'
[+] Tplmap identified the following injection point:

  Engine: Jade
  Template: \n= *\n
  Context: text
  OS: darwin
  Capabilities:
    Code evaluation: yes, javascript code
    OS command execution: yes
    File write: yes
    File read: yes

[+] Rerun tplmap providing one of the following options:
    --os-cmd or --os-shell to access the underlying operating system
    --upload LOCAL REMOTE to upload files to the server
    --download REMOTE LOCAL to download remote files

Run the suggested options to exploit the vulnerable endpoint. Use the other scripts to raise other environments for Java, Python, and PHP.
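The endpoints raised by the testing scripts allow OS command execution by design, so it is worth confirming that the test port is only reachable over loopback while they run. The check below is an added example, not part of Tplmap or its test scripts; it assumes a Linux host with iproute2's `ss` and the port 15004 shown above, the function names are hypothetical, and the sample listener lines are constructed.

```shell
#!/bin/sh
# Added example (not part of Tplmap): report listeners on a test port that
# are reachable from outside the loopback interface.
# Assumes Linux with iproute2; input lines are in `ss -ltnH` format.

# exposed_listeners PORT   (reads `ss -ltnH` output on stdin)
# Prints every non-loopback local address bound to PORT, one per line.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4                          # Local Address:Port column
            n = match(la, /:[0-9]+$/)        # position of the last colon
            if (n == 0) next
            addr = substr(la, 1, n - 1)
            if (substr(la, n + 1) != port) next
            sub(/%.*$/, "", addr)            # drop a %interface suffix
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print addr
        }'
}

# check_port PORT SS_OUTPUT -> returns 0 if loopback-only, 1 if exposed
check_port() {
    found=$(printf '%s\n' "$2" | exposed_listeners "$1" | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "port $1 is reachable beyond loopback via: $found" >&2
        return 1
    fi
    echo "port $1: no listener outside loopback"
}

# Constructed samples in `ss -ltnH` format (not captured from a real host).
SAMPLE_OK='LISTEN 0 511 127.0.0.1:15004 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 511 *:15004 *:*
LISTEN 0 511 [::1]:15004 [::]:*'

check_port 15004 "$SAMPLE_OK"
check_port 15004 "$SAMPLE_BAD" || true
# Live use while run_node_tests.sh is running: check_port 15004 "$(ss -ltnH)"
```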

Automatic testing

The automatic tests can be run using the same scripts with the --test option. Note that the automatic installation of dependencies can print garbage text. The result of the automated tests is shown in the test summary printed by Python unittest, as in the example below.

$ ./run_php_tests.sh --test
...
...
...
...
----------------------------------------------------------------------
Ran 12 tests in 18.206s

OK
$

The testing scripts install libraries and dependencies in the folder tests/env_*_tests/lib/. If any test script stops working, delete the contents of lib/ and start over. Run rm -r tests/env_*_tests/lib/* to reset all the testing environments.
