Run the test suite
Tplmap ships with a suite of scripts that help run the tool against the template engines it supports. The test scripts below start vulnerable web servers that can be used both for the automated tests and for testing the tool manually.

```
$ cd ./tests/
$ ls run_*.sh
run_channel_test.sh
run_java_tests.sh
run_node_tests.sh
run_php_tests.sh
run_python_tests.sh
```
Run the script for the vulnerable environment you want to test. The example below runs run_node_tests.sh, which starts a Node.js web service exposing endpoints vulnerable to SSTI in the Jade and Nunjucks template engines.

```
$ ./run_node_tests.sh
Exposed testing APIs:
http://localhost:15004/jade?inj=*
http://localhost:15004/blind/jade?inj=*
http://localhost:15004/nunjucks?inj=*
http://localhost:15004/blind/nunjucks?inj=*
Web server standard output and error are redirected to file
/tmp/tmp.2BnmKv9b
```
Open a new terminal tab and run Tplmap against one of the vulnerable endpoints.

```
$ ./tplmap.py -u 'http://localhost:15004/jade?inj=*'
[+] Tplmap 0.1b
    Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Found placeholder in GET parameter 'inj'
...
[+] Jade plugin is testing reflection on text context with tag \n= *\n
[+] Jade plugin has confirmed injection with tag '\n= *\n'
[+] Tplmap identified the following injection point:
  Engine: Jade
  Template: \n= *\n
  Context: text
  OS: darwin
  Capabilities:
    Code evaluation: yes, javascript code
    OS command execution: yes
    File write: yes
    File read: yes
[+] Rerun tplmap providing one of the following options:
    --os-cmd or --os-shell to access the underlying operating system
    --upload LOCAL REMOTE to upload files to the server
    --download REMOTE LOCAL to download remote files
```
Rerun Tplmap with one of the suggested options to exploit the vulnerable endpoint. Use the other scripts to start the Java, Python and PHP environments.

The automated tests are run with the same scripts and the --test option. Note that the automatic installation of dependencies can print a lot of noise; the result of the automated tests is the summary printed by Python unittest, as in the example below.

```
$ ./run_php_tests.sh --test
...
...
...
...
----------------------------------------------------------------------
Ran 12 tests in 18.206s

OK
$
```
The testing scripts install libraries and dependencies in the folder tests/env_*_tests/lib/. If any test script stops working, just delete the lib/ content and start over. Run `rm -r tests/env_*_tests/lib/*` to reset all the testing environments.
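The whole procedure above (reset the environments, run each script with --test, read the unittest summary) can be driven from one wrapper. The script below is an added example and is not part of Tplmap; it assumes it is run from the checkout root, that each engine's environment directory is tests/env_<engine>_tests/ (inferred from the tests/env_*_tests/lib/ path above), and that only the run_*_tests.sh scripts (not run_channel_test.sh) accept --test.

```sh
#!/bin/sh
# Added example, not part of Tplmap: run every run_*_tests.sh in --test mode
# from a clean environment and report the unittest summary per engine.
# Assumes the Tplmap checkout root as working directory and the env dir
# layout tests/env_<engine>_tests/ (inferred from tests/env_*_tests/lib/).

TESTS_DIR="${TESTS_DIR:-./tests}"

# Clear an environment's installed dependencies (tests/env_*_tests/lib/),
# which is the reset recommended when a script stops working.
reset_env() {
    env_dir="$1"
    if [ -d "$env_dir/lib" ]; then
        rm -rf "$env_dir/lib"/*
    fi
}

# Read a captured unittest log and print "<ok|failed> <count>", returning
# 0 only when the suite passed. Installer noise is ignored; a crashed run
# (no "Ran N tests" line and no "OK") is reported as "failed 0".
parse_unittest_log() {
    log="$1"
    count=$(sed -n 's/^Ran \([0-9][0-9]*\) tests\{0,1\} in .*/\1/p' "$log" | tail -n 1)
    [ -z "$count" ] && count=0
    if grep -q '^OK' "$log"; then       # "OK" or "OK (skipped=N)"
        echo "ok $count"
        return 0
    fi
    echo "failed $count"                # "FAILED (failures=N, ...)" or crash
    return 1
}

# Drive each engine's script and keep its full log under /tmp for review.
run_all() {
    rc=0
    for script in "$TESTS_DIR"/run_*_tests.sh; do
        name=$(basename "$script" .sh)            # e.g. run_php_tests
        engine=${name#run_}; engine=${engine%_tests}
        reset_env "$TESTS_DIR/env_${engine}_tests"
        log="/tmp/tplmap_${name}.log"
        (cd "$TESTS_DIR" && "./$name.sh" --test) >"$log" 2>&1
        result=$(parse_unittest_log "$log") || rc=1
        printf '%-18s %s (log: %s)\n' "$name" "$result" "$log"
    done
    return "$rc"
}

if [ "$(basename "$0")" = "run_all_tests.sh" ]; then
    run_all
fi
```

Save it as run_all_tests.sh in the checkout root; the exit status is non-zero if any engine's suite failed or crashed, so it can gate a CI job.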