tplmap
Twig plugin blind injection exception - crash
I tested tplmap with the Lab: Basic server-side template injection: https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic
python tplmap.py -u 'https://your-lab-id.web-security-academy.net/?message=Unfortunately%20this%20product%20is%20out%20of%20stock'
The script crashed at Twig plugin blind injection.
[+] Tplmap 0.5
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'message' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin is testing blind injection
[+] Twig plugin is testing rendering with tag '{{*}}'
[+] Twig plugin is testing blind injection
[!][tplmap] Exiting: 'bool' object has no attribute 'replace'
If the Twig blind template is excluded, the injection works.
[+] Testing if GET parameter 'message' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin is testing blind injection
[+] Freemarker plugin is testing rendering with tag '*'
[+] Freemarker plugin is testing blind injection
[+] Velocity plugin is testing rendering with tag '*'
[+] Velocity plugin is testing blind injection
[+] Slim plugin is testing rendering with tag '"#{*}"'
[+] Slim plugin is testing blind injection
[+] Erb plugin is testing rendering with tag '"#{*}"'
[+] Erb plugin has confirmed injection with tag '"#{*}"'
[+] Tplmap identified the following injection point:
GET parameter: message
Engine: Erb
Injection: "#{*}"
Context: text
OS: x86_64-linux-gnu
Technique: render
Capabilities:
Shell command execution: ok
Bind and reverse shell: ok
File write: ok
File read: ok
Code evaluation: ok, ruby code
Same problem in XVWA app when testing SSTI.
How do you exclude an engine? I could only find -e to include engines.