Exploiting: Server Side Template Injection

Server Side Template Injection: Templates are used to present data dynamically in emails or web pages, and unsafe use of them leads to server-side exploits such as RCE and many more.

So when user-controlled input is embedded directly into a template, it may cause SSTI. This often occurs because the developer wants to offer rich functionality.

Example: There is an application with functionality where users can send emails to their customers, and the content of the email can be modified by the user. If the developer is using a template engine such as FreeMarker or Twig for a rich email experience and directly passes the user's input to it for processing and sending the email, an attacker can inject malicious input in order to run commands on the server.

Working:

· The user enters malicious input in an application that uses templates.

· The application passes the malicious input to the template engine without validating it.

· The template engine processes the unvalidated input, which may cause code execution on the server.

Detect: To test for a template engine we can try some simple payloads; if they get evaluated, the application is vulnerable to template injection.

Different languages have different template engines.

PHP: Twig, Smarty, VlibTemplate

Java: Velocity, WebMacros, FreeMarker

Python: Jinja2, Django, Mako

JavaScript: Jade, Rage

Out of these, here we are going to discuss two popular template engines and how to detect injection in them:

· FreeMarker: In the case of FreeMarker, if we supply {{5*5}} in the input field and the output is 25, then it is vulnerable to template injection, as it is evaluating the supplied input.

How to exploit: After identifying the template type and whether injection occurs, we can use the payload below to exploit the template.

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("command_here ") }

· Twig: In the case of Twig, if we supply {{5*5}} and the application reflects the output as 55555, then it is vulnerable to template injection.

How to exploit: After identifying the template type and whether injection occurs, we can use the payload below to exploit the template.

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("(command here)")}}

Exploitation: We have an application that has template injection. Our aim is to find which type of template engine is being used and then retrieve the SECRET_FLAG.txt file.

Upon opening the application we see a webpage which asks for our nickname and then reflects the name in the output.

So in order to check whether there is template injection or not, we will try some of the template injection payloads here.

I entered #{2*2} in the input field.

You can see that I got 4 in the output, so it confirms that the application is evaluating the input, and this is the sign that it is vulnerable to template injection. As I got 4, the FreeMarker template engine is being used.

Now we have to try the FreeMarker template injection exploit payload to get access.

Now, to execute the command, we will use the payload discussed in the FreeMarker section.

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("command_here ") }

After entering this payload in our input field we can check which user privileges are assigned.

The command prints all the user's groups and IDs assigned to it.

Now in order to extract the file we have to check what type of files exist in the folder, i.e. I want to list the contents of this directory. So I used the "ls" command in the command field.

The updated payload:

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("ls") }

After inserting this payload in the input field, I got a list of all the files present in this directory.

Now we can see that SECRET_FLAG.txt exists in this directory.

We will read the SECRET_FLAG file using the cat command.

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex(" cat SECRET_FLAG.txt ") }

After using the above command, I got the contents of the file as output.

Mitigations:

· Sanitization and proper validation of user input.

· If user input must be used, then use it in a sandbox, or blacklist commands on the server so they never get executed if users supply them.

· You can also change the permissions of the directories.
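As an added example (not code from the original post or from the application it describes), here is the FreeMarker pattern that produces the nickname bug above next to its corrected form, plus the engine-level setting that refuses the ?new() built-in the exploit payload relies on; the class name NicknameRenderer and the greeting template text are assumptions.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class NicknameRenderer {

    // VULNERABLE: the nickname is concatenated into the template *source*,
    // so #{...}, ${...} and <#assign ...> inside it are parsed and evaluated.
    static String renderUnsafe(Configuration cfg, String nickname)
            throws IOException, TemplateException {
        Template t = new Template("greeting",
                new StringReader("Hello " + nickname), cfg);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // FIXED: the template text is a constant; the nickname is only a value in
    // the data model, so it is printed verbatim and never parsed as a template.
    static String renderSafe(Configuration cfg, String nickname)
            throws IOException, TemplateException {
        Template t = new Template("greeting",
                new StringReader("Hello ${nickname}"), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("nickname", nickname);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    // Defence in depth: SAFER_RESOLVER makes ?new() refuse
    // freemarker.template.utility.Execute and ObjectConstructor, so even a
    // template that an attacker controls cannot reach a shell this way.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        return cfg;
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        String probe = "#{2*2}"; // the detection probe used in the write-up
        System.out.println(renderUnsafe(cfg, probe)); // probe is evaluated
        System.out.println(renderSafe(cfg, probe));   // probe echoed as data
    }
}
```

Run with the freemarker jar on the classpath; the first line shows the probe arithmetic being evaluated, the second shows it echoed back untouched, which is the behaviour a defender wants to see when retesting after the fix.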

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg
