Update for docker support + Added ssl/tls verification flag

.dockerignore

@@ -0,0 +1,24 @@
+__pycache__
+**/__pycache__
+.vscode
+Dockerfile
+*.pyc
+*.pyo
+*.pyd
+.Python
+env
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.log
+.git
+.gitignore
+.pytest_cache
+.travis.yml
+docker-envs
+burp_extension
+burp_extension.py
+tests

.gitignore

@@ -50,6 +50,20 @@ node_modules
 # Jython
 *.class
 
+# VS-code
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix
+
 # Vim
 # swap
 .sw[a-p]

.vscode/launch.json

@@ -0,0 +1,16 @@
+{
+	// Use IntelliSense to learn about possible attributes.
+	// Hover to view descriptions of existing attributes.
+	// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+	"version": "0.2.0",
+	"configurations": [
+		{
+			"name": "Python Debugger: Current File with Arguments",
+			"type": "debugpy",
+			"request": "launch",
+			"program": "tplmap.py",
+			"console": "integratedTerminal",
+			"args": "-u http://localhost/?name=so -k"
+		}
+	]
+}

Dockerfile

@@ -0,0 +1,18 @@
+FROM python:3.9
+
+WORKDIR /app
+COPY . /app
+
+RUN useradd -ms /bin/bash user
+RUN chown -R user:user /app
+USER user
+
+RUN python -m pip install --upgrade pip
+RUN pip install --no-cache-dir -r requirements.txt 
+
+# Running the script when the container launches
+ENTRYPOINT ["python", "tplmap.py"]
+
+# Default cmd
+CMD ["-h"]
+

README.md

@@ -1,8 +1,6 @@
 Tplmap
 ======
 
-> This project is no longer maintained. I'm happy to merge new PRs as long they don't break the [test suite](https://github.com/epinna/tplmap/wiki/Run-the-test-suite).
-
 Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.
 
 The tool and its test suite are developed to research the SSTI vulnerability class and to be used as offensive security tool during web application penetration tests.
@@ -98,7 +96,7 @@ Use `--os-shell` option to launch a pseudo-terminal on the target.
 
 ```
 $ ./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
-[+] Tplmap 0.5
+[+] Tplmap 0.3
     Automatic Server-Side Template Injection Detection and Exploitation Tool
 
 [+] Run commands on the operating system.
@@ -110,14 +108,21 @@ root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 bin:x:2:2:bin:/bin:/bin/sh
 ```
+### Using docker
+You can use docker instead, if you encounter any issue with the script (mostly caused by python2 dependencies e.g yaml).
+```console
+$ docker build -t tplmap .
+$ docker run --rm tplmap:latest -h
+$ docker run --rm tplmap:latest -u 'http://www.target.com/page?name=jhon'
+```
 
 Supported template engines
 --------------------------
 
 Tplmap supports over 15 template engines, unsandboxed template engines and generic _eval()_-like injections.
 
-| Engine                 | Remote Command Execution |  Blind | Code evaluation | File read | File write |
-|------------------------|---------------|-------------------|-----------------|-----------|------------|
+| Template engine        | Remote Command Execution |  Blind | Code evaluation | File read | File write |
+|------------------------|-------|-------------------|-----------------|-----------|------------|
 | Mako                   | ✓ |  ✓                | Python          |  ✓        |  ✓         |
 | Jinja2                 | ✓ |  ✓                | Python          |  ✓        |  ✓         |
 | Python (code eval)     | ✓ |  ✓                | Python          |  ✓        |  ✓         |
@@ -134,10 +139,9 @@ Tplmap supports over 15 template engines, unsandboxed template engines and gener
 | ERB                    | ✓ |  ✓                | Ruby            |  ✓        |  ✓         |
 | Smarty (unsecured)     | ✓ |  ✓                | PHP             |  ✓        |  ✓         |
 | PHP (code eval)        | ✓ |  ✓                | PHP             |  ✓        |  ✓         |
-| Twig (<=1.19)          | ✓ |  ✓                | PHP             |  ✓        |  ✓         |
-| Freemarker             | ✓ |  ✓                | Java            |  ✓        |  ✓         |
-| Velocity               | ✓ |  ✓                | Java            |  ✓        |  ✓         |
-| Twig (>1.19)           | × | ×                 | ×               | ×         | ×          |
+| Freemarker             | ✓ |  ✓                | ×               |  ✓        |  ✓         |
+| Velocity               | ✓ |  ✓                | ×               |  ✓        |  ✓         |
+| Twig                   | × | ×                 | ×               | ×         | ×          |
 | Smarty (secured)       | × | ×                 | ×               | ×         | ×          |
 | Dust (> [email protected]) | × | ×          | ×               | ×         | ×          |
 

core/channel.py

@@ -28,6 +28,7 @@ def __init__(self, args):
 
         self.injs = []
         self.inj_idx = 0
+        self.ssl_verf = self.args.get('ssl_verf')
 
         proxy = self.args.get('proxy')
         if proxy:
@@ -201,6 +202,7 @@ def req(self, injection):
         post_params = deepcopy(self.post_params)
         header_params = deepcopy(self.header_params)
         url_params = self.base_url
+        ssl_verfication = self.ssl_verf
 
         # Pick current injection by index
         inj = deepcopy(self.injs[self.inj_idx])
@@ -298,9 +300,10 @@ def req(self, injection):
                 data = post_params,
                 headers = header_params,
                 proxies = self.proxies,
-                # By default, SSL check is skipped.
-                # TODO: add a -k curl-like option to set this.
-                verify = False
+                # By default, SSL check is not skipped.
+                # WARNING : Using this option makes the transfer insecure.
+                # TODO: add a -k curl-like option to set this. (Done)
+                verify = ssl_verfication
                 ).text
         except requests.exceptions.ConnectionError as e:
             if e and e[0] and e[0][0] == 'Connection aborted.':

core/checks.py

@@ -17,11 +17,9 @@
 from plugins.languages.php import Php
 from plugins.languages.python import Python
 from plugins.languages.ruby import Ruby
-from core.channel import Channel
 from utils.loggers import log
 from core.clis import Shell, MultilineShell
 from core.tcpserver import TcpServer
-import time
 import telnetlib
 import sys
 

requirements.txt

@@ -4,4 +4,3 @@ chardet==3.0.4
 idna==2.8
 requests==2.22.0
 urllib3==1.24.1
-wsgiref==0.1.2

tests/basetest.py

@@ -1,7 +1,5 @@
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from core.channel import Channel

tests/test_channel.py

@@ -1,8 +1,6 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.engines.mako import Mako

tests/test_java_freemarker.py

@@ -1,5 +1,4 @@
 import unittest
-import requests
 import os
 import sys
 

tests/test_java_velocity.py

@@ -1,8 +1,6 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.engines.velocity import Velocity

tests/test_node_dot.py

@@ -1,8 +1,6 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.engines.dot import Dot

tests/test_node_dust.py

@@ -1,8 +1,6 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.engines.dust import Dust

tests/test_node_ejs.py

@@ -1,8 +1,6 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.engines.ejs import Ejs

tests/test_node_javascript.py

@@ -1,8 +1,6 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.languages.javascript import Javascript

tests/test_node_marko.py

@@ -1,8 +1,6 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.engines.marko import Marko

tests/test_node_nunjucks.py

@@ -1,8 +1,6 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.engines.nunjucks import Nunjucks

tests/test_node_pug.py

@@ -1,8 +1,6 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.engines.pug import Pug

tests/test_php_php.py

@@ -1,13 +1,9 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.languages.php import Php
-from core.channel import Channel
-from core.checks import detect_template_injection
 from basetest import BaseTest, EXTRA_DOWNLOAD
 
 

tests/test_php_smarty_secured.py

@@ -1,8 +1,6 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.engines.smarty import Smarty

tests/test_php_smarty_unsecured.py

@@ -1,8 +1,6 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.engines.smarty import Smarty

tests/test_php_twig_secured.py

@@ -1,12 +1,9 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.engines.twig import Twig
-from core.channel import Channel
 from basetest import BaseTest
 
 class TwigSecuredTest(unittest.TestCase, BaseTest):

tests/test_php_twig_unsecured.py

@@ -1,12 +1,9 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.engines.twig import Twig
-from core.channel import Channel
 from basetest import BaseTest
 
 class TwigUnsecuredTest(unittest.TestCase, BaseTest):

tests/test_py_jinja2.py

@@ -1,14 +1,9 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(10, os.path.join(sys.path[0], '..'))
 from plugins.engines.jinja2 import Jinja2
-from core.channel import Channel
-from utils import rand
-from utils import strings
 from basetest import BaseTest
 
 class Jinja2Test(unittest.TestCase, BaseTest):

tests/test_py_mako.py

@@ -1,14 +1,10 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(10, os.path.join(sys.path[0], '..'))
 from plugins.engines.mako import Mako
 from core.channel import Channel
-from utils import rand
-from utils import strings
 from basetest import BaseTest
 
 class MakoTest(unittest.TestCase, BaseTest):

tests/test_py_python.py

@@ -1,13 +1,9 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 from plugins.languages.python import Python
-from core.channel import Channel
-from core.checks import detect_template_injection
 from basetest import BaseTest
 
 

tests/test_py_tornado.py

@@ -1,14 +1,9 @@
 import unittest
-import requests
 import os
 import sys
-import random
 
 sys.path.insert(10, os.path.join(sys.path[0], '..'))
 from plugins.engines.tornado import Tornado
-from core.channel import Channel
-from utils import rand
-from utils import strings
 from basetest import BaseTest
 
 class TornadoTest(unittest.TestCase, BaseTest):