GSOC: Adding support for twig template engine

[rjt-gupta]

Aim - Add support for twig template engine (PHP) for template injection emulator.

How to do?

• install twig using composer (https://twig.symfony.com/doc/2.x/installation.html)
• First build a suitable vulnerable code template in which the payload will be injected and then execute using phpox.

The template I had created was -

<?php 

require '/tmp/vendor/twig/twig/lib/Twig/Autoloader.php';
require '/tmp/vendor/twig/twig/lib/Twig/Extension/StringLoader.php';

Twig_Autoloader::register();
$loader = new Twig_Loader_String();
$twig = new Twig_Environment($loader);
$twig->addExtension(new \Twig\Extension\StringLoaderExtension());
							
 $payload = "<<payload goes here>>";
 $result = $twig->render($payload);
echo $result;
?>

This template was working with basic payloads but not fully working with the complex ones (was only working inside phpox not with tanner)

• You can create your own template or can make this one work.

• Test payloads -

1. Basic payload: {{3*'2'}} -> 6 (only twig specific injection)
2. Some complex ones like - {{_self.env.registerUndefinedFilterCallback('shell_exec')}}{{_self.env.getFilter('id')}} or others capable of executing system commands.

• The emulator structure will be same as other ones (php object injection).
• Create a regex also for scanning.
• write tests!

I think this task shouldn't take long with all this information. Feel free to ping us on slack or here for any queries :)

[glaslos]

Can you provide some more information on how the request looks like?
Maybe a PCAP from a real, vulnerable system?
Feel free to change the title for something more specific. I think it's a very good proposal for a new vulnerability type.

[rjt-gupta]

Initially, I was trying to test the template with major payloads using postman. I also think adding this support would be very cool.

I will try to capture the pcap asap!