
Exploiting: Server Side Template Injection

Gupta Bless
4 min read · Aug 15, 2020


Server Side Template Injection: Templates are used to present data dynamically in emails or web pages, and unsafe use of them leads to server-side exploits such as RCE and more.

SSTI occurs when user-controlled input is embedded directly into a template. This typically happens because the developer wants to offer rich functionality.

Example: An application lets users send emails to their customers and modify the content of the email. If the developer uses a template engine such as FreeMarker or Twig for a rich email experience and passes the user's input straight into the template for processing before sending the email, an attacker can inject malicious input in order to run commands on the server.

Working:

· The user enters malicious input into an application that uses templates.

· The application passes the malicious input to the template engine without validating it.

· The template engine processes the unvalidated input, which may cause code execution on the server.

Detect: To test for a template engine we can try some simple payloads; if they get evaluated, the application is vulnerable to template injection.

Different languages have different template engines.

PHP: Twig, Smarty, VlibTemplate

Java: Velocity, WebMacro, FreeMarker

Python: Jinja2, Django, Mako

JavaScript: Jade, Rage

Out of these, here we are going to discuss two popular template engines and how to detect injection in them:

· FreeMarker: In the case of FreeMarker, if we supply {{5*5}} in the input field and the output is 25, then it is vulnerable to template injection, as it is evaluating the supplied input.

How to exploit: After identifying the template type and confirming that injection occurs, the payload below can be used to exploit the template.

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("command_here ") }

· Twig: In the case of Twig, if we supply {{5*5}} and the application reflects the output as 55555, then it is vulnerable to template injection.
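To show concretely why the {{5*5}} probe works and what the fix looks like, here is an added example that is not from the article: a hypothetical mini template engine in Python (not FreeMarker or Twig) with the vulnerable pattern, where user input is concatenated into the template source, beside the safe pattern, where the template is fixed and the input is passed only as a context variable.

```python
"""Toy template engine (hypothetical, for illustration only) showing why the
SSTI probe {{5*5}} evaluates to 25 when user input is spliced into the template
source, and why passing the input as a context variable prevents that."""
import ast
import operator
import re

# The toy engine understands only numbers, strings, + - * and context names.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_EXPR = re.compile(r"\{\{(.*?)\}\}")


def _eval_node(node, ctx):
    """Evaluate a tiny, restricted expression AST against the context dict."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, ctx)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return ctx[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        left = _eval_node(node.left, ctx)
        right = _eval_node(node.right, ctx)
        return _OPS[type(node.op)](left, right)
    raise ValueError("unsupported expression in template")


def render(template, ctx):
    """Replace every {{ expr }} in the template source with its evaluated value."""
    def substitute(match):
        tree = ast.parse(match.group(1).strip(), mode="eval")
        return str(_eval_node(tree, ctx))
    return _EXPR.sub(substitute, template)


def render_vulnerable(user_input):
    """Vulnerable pattern from the article: the input becomes part of the template
    source, so template syntax inside it is parsed and evaluated by the engine.
    A probe of {{5*5}} therefore comes back as 25 (and {{5*'5'}} as 55555)."""
    return render("Hello " + user_input + "!", {})


def render_safe(user_input):
    """Safe pattern: the template source is fixed by the developer and the input
    only reaches the engine as data, so {{5*5}} is reflected literally."""
    return render("Hello {{ name }}!", {"name": user_input})
```

Run render_vulnerable and render_safe with the same probe string to see the evaluated versus reflected output side by side.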
