Twig template injection #401
Conversation
Pull Request Test Coverage Report for Build 1411
💛 - Coveralls |
| from tanner.utils import patterns | ||
|
|
||
|
|
||
| class PHPObjectInjection: |
| self.emulator_enabled['template_injection'] else None | ||
| self.emulator_enabled['template_injection'] else None, | ||
| 'twig_template_injection': twig_template_injection.TwigTemplateInjection(loop) if | ||
| self.emulator_enabled['twig_template_injection'] else None | ||
| } | ||
|
|
||
| self.get_emulators = ['sqli', 'rfi', 'lfi', 'xss', 'php_code_injection', 'php_object_injection', |
There was a problem hiding this comment.
You need to add emulator here in order to enable it
There was a problem hiding this comment.
tanner/tanner/emulators/base.py
Line 114 in 40e2357
|
@mzfr And what is the pattern to catch this type of attack? |
|
@afeena This kind of injection can be detected by the same regex used for tornado template injection. That is why I didn't added any new pattern. |
|
@mzfr Are you able to see the results now? |
|
@rjt-gupta no, still having the same problem i.e no error, no result. |
|
|
||
| detection = None | ||
| if patterns.TEMPLATE_INJECTION_TORNADO.match(value): | ||
| detection = dict(name="twig_template_injection", order=3) |
There was a problem hiding this comment.
I tested with super simple string /foobar?b={{3*%272%27}} There are 2 possible detections:
{'name': 'template_injection', 'order': 4}
{'name': 'twig_template_injection', 'order': 3}
Since template_injection is order 4, tanner chooses it and execute.
Any ideas how to distinguish? @mzfr @rjt-gupta
There was a problem hiding this comment.
For twig this case should give 6 and for tornado 222. (right?)
There was a problem hiding this comment.
we need something that distinguishes these two..
There was a problem hiding this comment.
yeah the regex is almost similar so it' hard to distinguish.
Also afeena can you please tell me how did you tested it? I mean the setup I want to know what I am doing wrong.
There was a problem hiding this comment.
@mzfr scan works perfectly fine, if you print possible detection you can see it. the only problem in the signature of the handle function.
| detection = dict(name="twig_template_injection", order=3) | ||
| return detection | ||
|
|
||
| async def handle(self, attack_params): |
There was a problem hiding this comment.
session=None
the signature of the function is wrong. base emulator calls every handle with session
emulation_result = await self.emulators[detection['name']].handle(attack_params[detection['name']], session)
that is why function was not called properly, works for me now
| return dict(value=result["stdout"], page=False) | ||
| async def handle(self, attack_params, session=None): | ||
| attack_params[0]['value'] = unquote(attack_params[0]['value']) | ||
| result = await self.get_injection_result(attack_params[0]['value']) |
There was a problem hiding this comment.
tornado is getting its results from the custom docker image, and here its phpox. the returned format is different..
There was a problem hiding this comment.
@rjt-gupta do you have an example of the format?
Add twig template
Fix for #381