Category Archives: Uncategorized

Client Side Template Injection, huh?

I ran into this maybe two years ago and I didn’t even know it was a thing. I was actually trying to order some food (🍕) online and I noticed I could see the braces of a template being used.

I’m not sure there is a term for the braces being briefly exposed while a page is loading, but I’ve recently found out that VueJS has something to prevent this. I’m not too up to date with Vue, or Angular (in my case), so I’m a little out of my element.

Anyway, I saw the braces so I immediately tried some template injecting. It was odd to me because the page was IIS/aspx/dotnet, which usually isn’t a bastion of SSTI. And in my SSTI tests, Javascript functions like toUpperCase() were working, but other payloads that I thought may work did not work. At this point I was confused.

I eventually stumbled upon Client Side Template Injection. I kept messing around and finally was able to achieve XSS with the payload

{{$on.constructor('alert(1)')()}}

as seen here.

I notified the website management, and they did institute a fix. You can see the they only accepting valid alphanumeric characters at this point. Oddly, this fix works on some of their sites and on some of them it doesn’t. I don’t know what’s going on there.

See the following links for more information from people that know more than I do — Portswigger, HackTricks.

I’ve Never Heard of Nim

IDK where I have been, but I never heard of this language until today. So, what’s the first thing you do when you learn about a language? You write a directory enumeration script with it.

Please disregard my horrible code, inability to follow Nim standards and philosophies, and the general hackiness of this code.

import httpclient
import parseopt
import strutils
import system
    
var p = initOptParser()
var wordlist: string
var url: string

while true:
  p.next()
  case p.kind
  of cmdEnd: break
  of cmdShortOption, cmdLongOption:
    if p.key == "u":
      url = p.val
    if p.key == "w":
      wordlist = p.val
  of cmdArgument:
    echo ""

let contents = readFile(wordlist)
let words = contents.splitLines()

var final_url: string
var client = newHttpClient(timeout = 100)

for i in 0 ..< words.len:
    final_url = url & "/" & words[i]
    try:
        let response = client.request(final_url, httpMethod = HttpGet)
        let status_code = response.status.split(' ')[0]
        if status_code == "200":
            echo final_url
    except:
        echo ""

All this code does is take a url parameter and a wordlist parameter and makes http get requests to the url + wordlist entry – standard directory enumeration stuff. If the response code is 200, that url gets sent to stdout.

As time permits I’ll update this app. It’d be cool to have it much more feature complete like gobuster, wfuzz, et. al. For now, see the github respository for more information.

Free Bitcoin – Simple ‘Malware’ Analysis

I received a very enticing email promising free bitcoin from Ronald Green. No body. Just an attachment — “Free Bitcoin – 5385c.html”.

My first thoughts, before actually looking closely at the name or file, is that it may be related to CVE-2021-40444 – which is actively being exploited. Turns out it isn’t. But here is a quick rundown of the file.

What did I do first? I downloaded it and cat’d it, duh.

Okay, just a link, basically. I used the Node CLI to decode the Base 64 data. I’m using Node for no particular reason other than the link was JS. You could do this in bash, python, whatever language you want.

Now we have a link! Let’s see what that does. I fired up a VPC to curl this one.

No dice!

It turns out that namecheap was already on top of this.

Looks like InfoSecJack (legend) has already beaten me to it. Looks like it was simply a Elon Musk themed bitcoin scam. I was hoping for something a little more wild 🙁