hello hackers and researchers decide to share with you simple server side template injection walkthrough from port swigger, actually the labs we simple and straight forward

What is server side template injection?
SSTI is when an someone is able to inject malicous template syntax against a template engine which is then executed on the server side.

Example of template engines are like tonado,ERB,jinja and so many others

challenge 1

Description

Solution

This lab wants us to exploit a ruby template engine and in order to solve this lab we need to delete a fila name(morale.txt).

Now start the lab as how it instruct you.

N/B: in order to exploit SSTI first all you need to understand the site in and out which means that we need to find possible places where we can start injecting our template code. Forexample with this lab it was a straight forward which means just we need to click the first product and we will see the error

The first product is out of stock, but the rest of the product were still in stock, to test this theory you can try to click every product one by one and see what if offers

Then we can now try to intercept the request and send it to our repeater for more testing

Send it to repeater and then forward the request and search for the error we observed before

Now from here the lab itself says that we need to exploit the ERB template(RUBY),so we can google about ruby template payloads or ERB payloads

Now try to replace the "out of stock string with any of the payload"

payload:<%= 7*7 %> = 49 (worked)

coz we know 7 * 7 is 49

Since it worked now lets i decided to modify my payload

payload:<%+system('id')+%> (worked)

lets now check where is the file and delete it so as we can solve the lab

You can just use 'rm morale.txt'

simple like that.

challenge 2

Description

solution

Another easy LAB this time its tonado template injection. Tonado is a template engine written in python

As normaly open the lab and we can start solve it, this time we have been given some creds "wiener:peter" which probably the vuln template section is found inside after login in.

Before login it is clear that with this blog post is allows anyone to post incase if he/she hasn't login in and assign the post as (anonymous post), time to login with the creds we were given.

I decide to try to leave a command on one of the post ,because i wanted to see the response i get

After loading back the post i saw my post with my name

N/B: still so far we havent find a place where to inject our payloads lets now shift to burp history and analyse the request we have sent so far

After some-time trying to escape the hint from the lab i decided to intercept the request while updaing the user details and see what it offers me.

Lets test and see if we can inject a simple SSTI payload and observe it response

Decide to visit the post where i was commenting and see if wiener details have been updated

The error arise because of syntax error from tonado template engine and from here we have already know that this is a place we were looking to inject our payloads. Now lets find a valid syntax

payload: }}{{7*7}}

And we can see that the server has execute our payload. Now lets find a way to delete the morale.txt file.

After a simple google i found this payload from this guy

payload:{% import os %}{{ os.popen("whoami").read() }}

Now from here we can even get a reverse shell, upload malicous file and so on, now lets solve the lab.

challenge

Description

solution

This one was a straight forward lab, simple and clear.

Login with the creds being given and try to see what we have.

Since we were given credentials for content-manager it is straight forward that the content manager have the power to change the content, to see this try to visit the shop and view details you will see that you can edit the template(which is content).

But what is most interesting was this one

<p>Hurry! Only ${product.stock} left of ${product.name} at ${product.price}.</p>

All this means that the site is using a web template engine to load the template syntax forexample to {{product.price}} what this syntax does is that it loads the price of a specific product with corresponding to its product.name,

So in order to exploit this we can try now to add a new simple paragraph with our template syntax and once we click preview the template engine we load our payload and output it i.e

payload:</p><p>${7*7}</p>

Now we have already understand it is vulnerable but so far we haven't know which template engine is using lets give it something that will force it to produce an error and there we will be able to know the template engine simple as that.

There we go now we know that it is using Freemarker(java) template engine. freemarker is written in java.

After some little google found this one which was usefull for me.

payload:${"freemarker.template.utility.Execute"?new()("id")}

challenge

Description

solution

Lets solve another SSTI, the lab is a straight forward because it produce the same error as we solved from lab 1 that why is a straight forward lab here we go.

Here we have no login or what so we can now try to click one product one after another but we can observe some strange for the first product

As usual lets capture this request into burp suite and observer the try to inject any payload so as so identify the template engine.

From the above error we can see that it is using Handlebars (NodeJS) template engine. so after some little google found this site here

We can test our PoC if this works by the following payload

payload: ${7*7} = ${7*7}

Now from the same article we got a payload that can be useful to execute command but remember our main goal is to remove the morale.txt file

{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return require('child_process').exec('cat /etc/passwd');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}

N/B: the payload is very large so what we can do to make it simple is just to encode it(url encode)

Simple like that

challenge

Description

solution

Another easy lab this lab is similary second lab if not mistaken but this time tis lab use different template engine.

Login and choose any lab and try to edit, since because we dont know the template engine we can just try to input any SSTI payload at first and see what reponse we get

Now we know that the site is using django template engine so we can now start our googling skills to search for a payload to exploit it

After some google i saw this one article from github and decide to try it.

Now we can leak some debug info with this payload

payload:{% debug%}

And I got this output

Those text we so many, i decide to start reading from the bottom and i saw also something like jinja.

This very interesting information here also i saw this one

Now we we are at good position lets now find a payload since because we have jinja template engine

Found this article here so cool and usufull

In order to solve this lab we were supposed to leak the SECRET_KEY

payload: {{settings.SECRET_KEY}}

To understand much about what a secret keys does i google and found this article from this guy

why secret key is important?

N/B: Its fun solving these lab because i was testing my skills with SSTI, its really fun just to try to understand and solve it without a hint or any solution from the lab you gonna enjoy it for sure.

challenge

Description

Solution

Here we go again this one is Freemaker template engine but this time its inside a sandbox, so we need to escape the sandbox and find the password i hope this one will be interesting here we go.

Now choose any post and we can try to edit the template.

The first payload didn't work so i had to google here and i found this article here
cool article

So i decide to check for the version based on this article and got 2.3.29

After executing the payload i got this error it says that article object is missing, which means that we don't have any object named article,with our case we have a object named product we can change our payload a little bit here and see the response.

And i tryied to run it again

Finally we are able to escape the sandbox lets check for more details

Now time to solve the lab.

And simple like that we solve like an expert an easy challenge
N/B: for more information about how this payload works is from this guy here

well exaplained how to escape freemarker sandbox with v2.3.29

challenge

Description

solution

As usually lets login with the creds being given.The idea of this lab is the same as the one we solved earlier, the only difference is that it just need time to exploit the chain of how we solved the first one and the addition feature

Lets go and check our payload if got execute on the server side.

Now lets try to find the template engine being used, we need to find a way to trigger the error here.

payload:{{test}}

Now we know that we are dealing with Twig template engine written in php so lets google the payloads always hacktricks and payload-All-The-Things are the best for the use.

This because this challenge also privides addition feature than the one i solved before i decice to check it, if we upload invalid image we get this error, as we can note some important information

thrown in /home/carlos/avatar_upload.php

    and this one
Content-Disposition: form-data; name="user"    

All in all my vibe today was with SSTI

N/B: For more practical about server side template injection there is this seasonal 4 machine(savage land) from hack the box you can practise SSTI injection

Perfection is a simple easy machine from hack the box that is vulnerable to SSTI which you can exploit futher to RCE simple like that.