search

Basic server-side template injection

hashtag
Lab Description

hashtag
Walkthrough

Homepage

hashtag
Step 1: Analyzing the Application

Before testing for vulnerabilities, it’s essential to understand the application’s functionality. The homepage displays a shopping interface with products. When clicking on a product, a message stating, "Unfortunately, this product is out of stock," is displayed.

Using Burp send the request to the repeater and examine the parameters passed when interacting with a product.

  • The message parameter is present in the request. This parameter might be used to dynamically render content on the webpage.

hashtag
Step 2: Testing for Template Injection

Server-side template injection occurs when user inputs are passed directly into the server's template engine without proper sanitization. By crafting specific payloads, we can test if the message parameter is vulnerable.

  1. Inject a basic payload: {{7*7}}.

    • Expected Output: If vulnerable, the result should display 49 (calculated value).

    • Observation: The output displays {{7*7}}, meaning this specific syntax did not trigger the vulnerability.

  2. Exploring other template engines.

    • Attempted payload: <%= 7*7 %> (Ruby's Embedded Ruby, ERB syntax).

    • Result: Successfully evaluated to 49. This confirms the application uses the ERB engine, making it vulnerable to Ruby-based template injection.

hashtag
Step 3: Establishing Remote Code Execution (RCE)

Thought Process:

After confirming template injection, the next step is to assess whether arbitrary code can be executed.

The response contains system information (uid=12002(carlos) gid=12002(carlos)), confirming RCE.

hashtag
Step 4: Locating the Target File

Thought Process:

The goal is to delete the morale.txt file from Carlos's home directory. First, we need to confirm its presence in the current directory.

  • The output lists morale.txt as a file in the current directory.

hashtag
Step 5: Deleting the File

Now that the target file is identified, the next step is to delete it using the rm command.

After executing the payload, the lab confirms successful completion.

PreviousServer-side template injectionNextBasic server-side template injection (code context)

Last updated