Hello hackers and researchers, I decided to share with you a simple server-side template injection walkthrough from PortSwigger; actually the labs were simple and straightforward.

What is server-side template injection?
SSTI is when someone is able to inject malicious template syntax into a template engine, which is then executed on the server side.

Examples of template engines are Tornado, ERB, Jinja and so many others.

challenge 1

Description

Solution

This lab wants us to exploit a Ruby template engine, and in order to solve it we need to delete a file named morale.txt.

Now start the lab as it instructs you.

N/B: in order to exploit SSTI, first of all you need to understand the site inside out, which means we need to find possible places where we can start injecting our template code. For example, this lab was straightforward: we just need to click the first product and we will see the error.

The first product is out of stock, but the rest of the products were still in stock; to test this theory you can click every product one by one and see what it offers.

Then we can intercept the request and send it to Repeater for more testing.

Send it to Repeater, then forward the request and search for the error we observed before.

Now from here the lab itself says that we need to exploit the ERB template (Ruby), so we can google Ruby template payloads or ERB payloads.

Now try to replace the "out of stock" string with any of the payloads.

payload: <%= 7*7 %> = 49 (worked)

because we know 7 * 7 is 49

Since it worked, I decided to modify my payload.

payload: <%+system('id')+%> (worked)

Let's now check where the file is and delete it so we can solve the lab.

You can just use 'rm morale.txt'.

Simple as that.

challenge 2

Description

Solution

Another easy lab; this time it's Tornado template injection. Tornado is a template engine written in Python.

As normal, open the lab and we can start solving it. This time we have been given some creds, "wiener:peter", which probably means the vulnerable template section is found after logging in.

Before logging in, it is clear that this blog allows anyone to post even if he/she hasn't logged in, and assigns the post as an anonymous post. Time to log in with the creds we were given.

I decided to try leaving a comment on one of the posts, because I wanted to see the response I get.

After reloading the post I saw my post with my name.

N/B: so far we still haven't found a place to inject our payloads, so let's shift to Burp history and analyse the requests we have sent so far.

After some time trying to avoid the hint from the lab, I decided to intercept the request while updating the user details and see what it offers me.

Let's test and see if we can inject a simple SSTI payload and observe its response.

I decided to visit the post where I was commenting and see if wiener's details had been updated.

The error arises because of a syntax error from the Tornado template engine, and from here we already know that this is the place we were looking for to inject our payloads. Now let's find a valid syntax.

payload: }}{{7*7}}

And we can see that the server has executed our payload. Now let's find a way to delete the morale.txt file.

After a quick google I found this payload in someone else's write-up:

payload: {% import os %}{{ os.popen("whoami").read() }}

From here we could even get a reverse shell, upload a malicious file and so on; now let's solve the lab.

challenge 3

Description

Solution

This one was a straightforward lab, simple and clear.

Log in with the creds given and see what we have.

Since we were given credentials for content-manager, it is straightforward that the content manager has the power to change the content; to see this, visit the shop and view a product's details, and you will see that you can edit the template (which is the content).

But what was most interesting was this one:

<p>Hurry! Only ${product.stock} left of ${product.name} at ${product.price}.</p>

All this means that the site is using a web template engine to render the template syntax; for example, ${product.price} loads the price of the specific product corresponding to its product.name.

So in order to exploit this we can add a new simple paragraph with our template syntax, and once we click preview the template engine will evaluate our payload and output it, i.e.

payload: </p><p>${7*7}</p>

Now we already understand that it is vulnerable, but so far we don't know which template engine is in use. Let's give it something that will force it to produce an error, and from that we will be able to identify the template engine, simple as that.

There we go, now we know that it is using the FreeMarker template engine, which is written in Java.

After a little googling I found the HackTricks page on SSTI (Server Side Template Injection), which was useful for me.

payload:${"freemarker.template.utility.Execute"?new()("id")}

challenge 4: Server-side template injection in an unknown language with a documented exploit

Description

Solution

Let's solve another SSTI lab. This one is straightforward because it produces the same error as lab 1; that's why it is an easy lab. Here we go.

Here we have no login or anything, so we can click one product after another, but we can observe something strange about the first product.

As usual, let's capture this request in Burp Suite, observe it, and try to inject a payload so as to identify the template engine.

From the above error we can see that it is using the Handlebars (Node.js) template engine, so after a little googling I found the HackTricks page on SSTI (Server Side Template Injection).

We can test our PoC to see if this works with the following payload

payload: ${7*7} = ${7*7}

Now from the same article we got a payload that can be used to execute commands, but remember our main goal is to remove the morale.txt file:

{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return require('child_process').exec('cat /etc/passwd');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}

N/B: the payload is very large, so to make it simple we can just URL-encode it.

Simple as that.
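As an added defender-side example (mine, not part of the original post): a small scanner that URL-decodes the request path of access-log lines and flags the template-syntax probes used in the labs so far, ERB <%= %>, the {{ }} / {% %} family and FreeMarker-style ${ }, marking requests that also carry command-execution fragments as high severity. The log lines, IPs and sizes are constructed for the demo, and only the query string is visible in such logs (the comments say what that misses).

```python
import re
from urllib.parse import unquote

# Delimiter families seen across the labs in this post.
SYNTAX = {
    "erb": re.compile(r"<%[=+-]?.*?%>", re.S),            # Ruby ERB
    "curly": re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S),  # Tornado, Django, Jinja, Twig, Handlebars
    "dollar": re.compile(r"\$\{.*?\}"),                   # FreeMarker-style ${...}
}
# Fragments the post's payloads used to go beyond a 7*7 probe (command execution, debug dump).
EXEC_HINTS = re.compile(
    r'system\(|popen\(|\bimport os\b|Execute"?\?new|child_process|\{%\s*debug\s*%\}', re.I)
# Request line of a common/combined log format entry: "GET /path?query HTTP/1.1" 200
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def decode(value, rounds=2):
    """URL-decode up to `rounds` times: the Handlebars payload above was sent URL-encoded,
    and double-encoding is a common way to slip past a single-pass filter."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def scan(log_lines):
    """Return one finding per request whose decoded path carries template syntax.
    Only the query string is visible here; POST bodies (as in lab 2) need a body-logging proxy or WAF."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        path = decode(m.group("path"))
        families = [name for name, rx in SYNTAX.items() if rx.search(path)]
        if families:
            findings.append({
                "path": path,
                "families": families,
                "severity": "high" if EXEC_HINTS.search(path) else "probe",
            })
    return findings


# Constructed sample log lines (not real lab traffic) mirroring the probes used in labs 1, 3 and 4.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2024:15:10:31 +0000] "GET /?message=Unfortunately%20out%20of%20stock HTTP/1.1" 200 1432',
    '10.0.0.5 - - [31/Mar/2024:15:11:02 +0000] "GET /?message=%3C%25%3D%207*7%20%25%3E HTTP/1.1" 200 1420',
    '10.0.0.5 - - [31/Mar/2024:15:12:40 +0000] "GET /?message=%3C%25%2Bsystem%28%27id%27%29%2B%25%3E HTTP/1.1" 200 1500',
    '10.0.0.7 - - [31/Mar/2024:15:13:00 +0000] "GET /product?productId=1 HTTP/1.1" 200 3000',
    '10.0.0.9 - - [31/Mar/2024:15:14:36 +0000] "GET /?message=%24%7B7*7%7D HTTP/1.1" 200 1100',
    '10.0.0.9 - - [31/Mar/2024:15:15:10 +0000] "GET /?message=%7B%7B7*7%7D%7D HTTP/1.1" 200 1100',
]
```

Running scan(SAMPLE_LOG) yields four findings: two ERB hits (the second marked high because of system(), the one that deleted morale.txt in lab 1), one ${7*7} probe and one {{7*7}} probe; the plain "out of stock" message and the productId request are ignored.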

challenge 5: Server-side template injection with information disclosure via user-supplied objects

Description

Solution

Another easy lab; this lab is similar to the second lab if I'm not mistaken, but this time it uses a different template engine.

Log in, choose any product and try to edit it; since we don't know the template engine, we can just input any SSTI payload at first and see what response we get.

Now we know that the site is using the Django template engine, so we can use our googling skills to search for a payload to exploit it.

After some googling I saw an article on GitHub and decided to try it.

Now we can leak some debug info with this payload:

payload: {% debug %}

And I got this output:

There was so much text; I decided to start reading from the bottom, and I also saw something like jinja.

This was very interesting information; here I also saw this one:

Now we are in a good position; let's find a payload, since we have the Jinja template engine.

Found the HackTricks SSTI (Server Side Template Injection) article, so cool and useful.

In order to solve this lab we were supposed to leak the SECRET_KEY.

payload: {{settings.SECRET_KEY}}

To understand more about what a secret key does, I googled and found an article from another author on why the secret key is important.

N/B: It's fun solving these labs because I was testing my skills with SSTI; it's really fun to try to understand and solve them without a hint or any solution from the lab. You're going to enjoy it for sure.

challenge 6: Server-side template injection in a sandboxed environment

Description

Solution

Here we go again; this one is the FreeMarker template engine, but this time it's inside a sandbox, so we need to escape the sandbox and find the password. I hope this one will be interesting; here we go.

Now choose any post and we can try to edit the template with a payload from the HackTricks SSTI page.

The first payload didn't work, so I had to google and found a cool article.

So I decided to check the version based on that article and got 2.3.29.

After executing the payload I got an error saying that the article object is missing, which means we don't have any object named article; in our case we have an object named product, so we can change our payload a little bit and see the response.

And I tried to run it again.

Finally we are able to escape the sandbox; let's check for more details.

Now time to solve the lab.

And simple as that we solved an easy challenge like an expert.
N/B: for more information about how this payload works, see the write-up by its author, who explains well how to escape the FreeMarker sandbox in v2.3.29.

challenge 7: Server-side template injection with a custom exploit

Description

Solution

As usual, let's log in with the creds given. The idea of this lab is the same as the one we solved earlier; the only difference is that it just needs time to exploit the chain, building on how we solved the first one plus the additional feature.

Let's go and check whether our payload got executed on the server side.

Now let's try to find the template engine being used; we need to find a way to trigger an error here.

payload:{{test}}

Now we know that we are dealing with the Twig template engine, written in PHP, so let's google the payloads; HackTricks and PayloadsAllTheThings are always the best for this.

Because this challenge also provides an additional feature compared to the one I solved before, I decided to check it: if we upload an invalid image we get this error, and we can note some important information:

thrown in /home/carlos/avatar_upload.php

and this one:

Content-Disposition: form-data; name="user"

All in all, my vibe today was with SSTI.

N/B: for more practice with server-side template injection there is this Season 4 machine (savage land) from Hack The Box where you can practise SSTI injection.

Perfection is a simple, easy machine from Hack The Box that is vulnerable to SSTI, which you can exploit further to RCE. Simple as that.