search

Server-side Template Injection

NOTE: Always find the template engine with any method (including invoking error)

hashtag
Lab: Basic server-side template injection

There is a request that looks suspicious

After playing around with it, this request is vulnerable to SSTI.

To solve the lab, just need to modify the request as shown below

hashtag
Lab: Basic server-side template injection (code context)

After logging into the user account, we can see that there is a Preferred name portion

When we change the name to another type, it will send a request and it will also change on the comments section.

To solve the lab, change the last line in the request as shown below and refresh the comments page.

hashtag
Lab: Server-side template injection using documentation

Login to the user account and go to any post

Changing it to ${foobar}reveals the template

To solve the lab, just change the ${foobar}to what is shown below and press the preview button.

hashtag
Lab: Server-side template injection in an unknown language with a documented exploit

Same as the 1st lab, there is a message request that was sent out.

When we type in an incorrect syntax, it is shown that the template engine used is NodeJS.

After searching online, there is a payload that is available

Just change the command and URL encode it and send the request to solve the lab

hashtag
Lab: Server-side template injection with information disclosure via user-supplied objects

First, we will try this payload {{7*7}}

It gave us an error message from Django. So we can confirm that is it is using a Django Template Engine

Since we are only getting the secret key, the payload only need to change to {{settings.SECRET_KEY}}

After pressing preview, we can see the secret key appearing.

PreviousOAuth AuthenticationNextJWT Attacks

Last updated