path: root/ssti-discovery-in-python.nfo
author heqnx <root@heqnx.com> 2025-08-03 01:13:55 +0300
committer heqnx <root@heqnx.com> 2025-08-03 01:13:55 +0300
commit a3e3ca049ef1d2d867f2a0f5c5effa36d00a57a3 (patch)
tree 3a8568eb75e6e88fb7970b5b432f0d11446d81d8 /ssti-discovery-in-python.nfo
parent d260c429ee996748b48af2eac3b01c90d9ea9b2e (diff)
added first two nfos
Diffstat (limited to 'ssti-discovery-in-python.nfo')
-rw-r--r-- ssti-discovery-in-python.nfo 92
1 files changed, 92 insertions, 0 deletions
diff --git a/ssti-discovery-in-python.nfo b/ssti-discovery-in-python.nfo
new file mode 100644
index 0000000..bbea9cc
--- /dev/null
+++ b/ssti-discovery-in-python.nfo
@@ -0,0 +1,92 @@
+.:: SSTI Discovery in Python ::.
+
+Server-Side Template Injection (SSTI) is a critical vulnerability in web
+applications that allows attackers to inject malicious template code,
+potentially leading to remote code execution (RCE). This research presents a
+Python-based tool designed to identify and analyze SSTI vulnerabilities in
+Jinja2 templates, a popular templating engine. By dynamically importing modules
+and enumerating their attributes, the tool discovers potential RCE vectors,
+enabling security researchers to assess and mitigate SSTI risks effectively.
+
+[ Introduction ]
+
+The tool leverages Python's importlib to dynamically import user-specified
+modules and a custom enumeration function to inspect their attributes, globals,
+and subclasses. By simulating Flask and Django contexts, it identifies paths to
+potentially dangerous objects like os.system or subprocess.Popen, which are
+common SSTI exploit primitives.
+
+Note that False Positives are common and most vectors should be tested manually.
+Currently, the tool works by potentially dangerous functions, modules and
+keywords.
+
+The tool code repository is located at https://cgit.heqnx.com/ssti-discovery and
+can be cloned easily with git clone https://cgit.heqnx.com/ssti-discovery.
+
+[ Tool Usage ]
+
+$ python3 ssti-discovery.py -h
+usage: ssti-discovery.py [-h] --module MODULE [--framework {jinja2,django}] [--output OUTPUT]
+
+SSTI RCE Vector Discovery Tool
+
+options:
+ -h, --help show this help message and exit
+ --module MODULE Module to import (e.g., os, numpy, myutils)
+ --framework {jinja2,django}
+ Template framework to simulate (jinja2 or django)
+ --output OUTPUT Output file for results (default: console)
+
+[ Tool Output Example ]
+
+$ python3 ssti-discovery.py --module numpy --framework jinja2
+{
+ "module": "numpy",
+ "framework": "jinja2",
+ "rce_vectors": [
+ {
+ "path": "dict.__subclasses__.CallbackDict",
+ "type": "potentially dangerous class, investigate manually",
+ "details": "access to CallbackDict"
+ },
+ {
+ "path": "lipsum.__globals__.os",
+ "type": "potentially dangerous module, investigate manually",
+ "details": "access to 'os' module"
+ },
+ {
+ "path": "joiner.__call__",
+ "type": "potentially dangerous function, investigate manually",
+ "details": "access to '__call__' function"
+ },
+ {
+ "path": "joiner.__call__.__globals__.os",
+ "type": "potentially dangerous module, investigate manually",
+ "details": "access to 'os' module"
+ },
+ {
+ "path": "namespace.__getattribute__.__globals__.os",
+ "type": "potentially dangerous module, investigate manually",
+ "details": "access to 'os' module"
+ },
+ {
+ "path": "request._load_form_data",
+ "type": "potentially dangerous function, investigate manually",
+ "details": "access to '_load_form_data' function"
+ }
+ ]
+}
+
+[ Payload Testing ]
+
+The ssti-app.py is a Python-based tool built with Flask and Jinja2 to
+help in identifying and testing Server-Side Template Injection payloads.
+This tool provides a controlled environment to execute and analyze Jinja2
+template payloads, enabling users to explore potential remote code execution
+(RCE) vectors in web applications.
+
+The tool accepts command-line arguments to import Python modules (e.g., os,
+subprocess) into the Jinja2 environment, simulating real-world scenarios where
+sensitive modules might be exposed. The Flask webapp runs on localhost on port
+:5000. A basic index.html interface (served at /) allows for easy interaction,
+making it accessible for both manual and automated testing.
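Review bot: the sentence "Currently, the tool works by potentially dangerous functions, modules and keywords." in the [ Introduction ] section is missing its verb object and does not say what the tool actually does with those names; consider something like "Currently, the tool works by searching for potentially dangerous functions, modules and keywords." so readers know the matching is name-based, which also explains the false-positive caveat in the line above it. Two smaller documentation points in the same hunk: the introduction says the tool simulates "Flask and Django contexts" while the usage text offers "--framework {jinja2,django}", so one of the two should be aligned (the example output for jinja2 mode includes the Flask "request" object, so "Flask/Jinja2" would be accurate); and the [ Payload Testing ] section introduces ssti-app.py without saying where it lives, whereas the only repository given is https://cgit.heqnx.com/ssti-discovery, so a sentence stating whether ssti-app.py ships in that repository would help, as would a reminder that the test app exposes os/subprocess to templates by design and is only meant to listen on localhost:5000, as the text already states.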