Template Injection Emulator

[rjt-gupta]

Engines Supported:

• Mako
• Tornado

All of them are detected by using separate regex and have separate get_injection methods.

[rjt-gupta]

We need to fix the travis build first.

[rnehra01]

Overall it looks pretty limited to me. I could get to work simple payloads like {{7*7}} which doesn't have serious impacts. Have you thought about complex payloads that can have high severity like reading local files, configs etc. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2

[rjt-gupta]

So, payloads running commands or reading /etc/passwd can be done easily for mako, tornado template engines. For jinja2 I think a simple detection would work as its often detected using {{7*7}} type payloads.

Do you have something in mind for jinja2 engine?

[rjt-gupta]

So, the twig engine is working nicely along with from snare side as well.
To run the emulator install composer then install twig using composer - composer require "twig/twig:^2.0" from /tanner directory.

It will create a folder vendor/ with all the twig files. autoload.php etc

Input format - ?a={{7*"7"}}
Output should contain 49 which is twig engine specific.

[rjt-gupta]

Also, maybe we can include this vendor/ files as a part of project then user won't have to worry about anything. Is this feasible?

[rnehra01]

@rjt-gupta What payloads are working for this emulator?

[rjt-gupta]

Engines - Mako, Tornado are working using docker and a custom image(base image - alphine).

Working complex payloads -

Mako - <%\nimport os\nx=os.uname()\n%>\n${x}
Tornado - {%import os%}{{os.uname()}}

(run docker-compose build first)

[coveralls]

Pull Request Test Coverage Report for Build 1067

• 69 of 99 (69.7%) changed or added relevant lines in 4 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage decreased (-0.4%) to 76.585%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
tanner/utils/docker_helper.py	24	54	44.44%

Totals
Change from base Build 1066:	-0.4%
Covered Lines:	1377
Relevant Lines:	1798

---

💛 - Coveralls

[rjt-gupta]

Ready.

[rnehra01]

It gives me b'49' for {{7*7}}. Can you remove the b and quotes?

[rjt-gupta]

It gives me b'49' for {{7*7}}. Can you remove the b and quotes?

I am decoding the output already and apparently "b'49'" as a whole is a string, dont know why it is getting encoded twice.

So, i'll just strip this to remove b''.

[rjt-gupta]

Updated docker_helper to latest upgrade, updated lfi, cmd_exec, template_injection emulators also.

Added tests for this emulator.