Advanced Class: Server Injection and Exploitation

Date	24. Oktober, 2024
Hosted by	Milan @cryp70m4n
Location	Reykjavik University
Knowledge Level	Advanced
MATERIAL	Link to Slides

TOPICS

Topic 1: Server-Side Template Injection (SSTI)

Topic 2: Real-world Electron Exploitation

Topic 3: Binary Exploitation: Beating NX using ret2libc & ROP

[CHAPTER 1]

SSTI -> To execute SSTI we first need to be familiar with the technology used by our target.

By looking into the app, we find that it uses Python Flask, and by looking at its backend, we find that Flask uses Jinja2 to render templates.

Looking at how it works, we see that the Python invokes its built-ins using the following payload:

{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}

Think of it as traversing through directories in your system, but using "." instead of "/" and instead of being in a directory, you are within Python's globals and builtins.

This challenge can be found in files and all detailed explanations can be found in slides.

[CHAPTER 2]

So based on previous the class (link to class one) we can use our old payload.

<img src="x" onerror="alert('XSS in Electron!');">

This payload still works, but it does not execute shell commands since "require" is not a keyword.

This is due to nodeIntegration being off and ContextIsolation being on.

Using asar to unpack the application, we can look through the source code for some function to call that allows us to use something we can manipulate, such as shell commands.

After looking through the code we end up with following payload:

<img src="x" onerror="window.api.invoke('REexecute', 'ls');">

Details can be found in slides.