Server-side Template Injection

NOTE: Always identify the template engine first, by any method available (including deliberately triggering an error).

Lab: Basic server-side template injection

There is a request that looks suspicious.

After playing around with it, the request turns out to be vulnerable to SSTI.

To solve the lab, just modify the request as shown below.

Lab: Basic server-side template injection (code context)

After logging into the user account, we can see that there is a Preferred name section.

When we change the preferred name option, a request is sent and the name displayed in the comments section changes as well.

To solve the lab, change the last line in the request as shown below and refresh the comments page.

Lab: Server-side template injection using documentation

Log in to the user account and go to any post.

Changing it to ${foobar} reveals the template engine in use.

To solve the lab, just change the ${foobar} to what is shown below and press the Preview button.

Lab: Server-side template injection in an unknown language with a documented exploit

As in the first lab, there is a message request being sent.

When we enter invalid syntax, the error output shows that the template engine used is NodeJS.

After searching online, there is a publicly documented payload available.

Just change the command, URL-encode the payload, and send the request to solve the lab.

Lab: Server-side template injection with information disclosure via user-supplied objects

First, we will try the payload {{7*7}}.

It gave us an error message from Django, so we can confirm that the Django template engine is in use.

Since the goal is only to retrieve the secret key, the payload only needs to be changed to {{settings.SECRET_KEY}}.

After pressing Preview, the secret key appears in the rendered output.
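As an added example (not part of this write-up or the lab code), the root cause of the last lab restated in standard-library Python: str.format() stands in for the Django engine, and the Settings class and its values are constructed. The point is that the leak comes from rendering a user-controlled string as the template while a privileged object is in scope; the hardened function keeps the template fixed and treats the user's text purely as data.

```python
"""Constructed analog of 'information disclosure via user-supplied objects':
the user's text becomes the template and a settings object is in scope.
str.format() is a stand-in for the Django engine so this runs offline."""


class Settings:
    """Stand-in for a framework settings object (constructed, not real)."""
    DEBUG = False
    SECRET_KEY = "constructed-secret-key-not-real"


settings = Settings()


def render_vulnerable(user_template: str) -> str:
    """Vulnerable pattern: the user's input *is* the template string and a
    privileged object is passed in, so a field such as
    '{settings.SECRET_KEY}' is resolved and the secret is returned."""
    return user_template.format(settings=settings)


def render_hardened(preferred_name: str) -> str:
    """Hardened pattern: the template is fixed by the developer; the user's
    text is substituted as a value only and never parsed as a template,
    so template syntax in the name is echoed back literally."""
    return "Preferred name: {name}".format(name=preferred_name)


def contains_template_syntax(value: str) -> bool:
    """Input-side check a defender can add regardless of engine: a display
    name has no legitimate reason to contain template delimiters, so reject
    such values (and log them as probes) before any rendering happens."""
    return any(marker in value for marker in ("{", "}", "<%", "%>"))


if __name__ == "__main__":
    probe = "{settings.SECRET_KEY}"
    print("vulnerable :", render_vulnerable(probe))
    print("hardened   :", render_hardened(probe))
    print("flagged    :", contains_template_syntax(probe))
```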
