SSTI – Server Side Template Injection

What is Server Side Template Injection?

Web applications frequently employ template engines to convey dynamic data via web pages and emails. Unsafely inserting user input into templates enables Server-Side Template Injection, an often serious vulnerability that is easily misidentified as Cross-Site Scripting (XSS) or overlooked entirely. Unlike XSS, template injection can be used to attack the web server's internals directly and frequently achieves Remote Code Execution (RCE), making any susceptible application a possible pivot point.


Template engines combine a template with a data model to generate result documents, which makes it easy to insert dynamic data into web pages. Users, products and other information can be displayed using template engines. Some of the most well-known template engines are: PHP – Smarty, Twig; Python – Jinja2, Mako, etc. When input validation isn't handled properly on the server, a malicious server-side template injection payload can be executed, potentially resulting in remote code execution.

You can probe with {{9*'9'}} to see if the target is vulnerable. It returns 81 in Twig (which converts the string to a number), 999999999 in Jinja2 (which repeats the string), and neither when no template engine processes the input.

Identifying the engine can be as simple as providing incorrect syntax, because template engines often identify themselves in error messages. It's worth noting that there are alternative ways to fingerprint other template engines.
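The same canary probe described above is also what a defender should look for in web server logs. The following is an added example, not code from the original post: it URL-decodes the request path from constructed access-log lines and flags template delimiters, the arithmetic canary ({{9*'9'}}, {{7*7}}, ${7*7}), and attribute walks toward interpreter internals. The log lines, IP addresses and severity labels are constructed for the example.

```python
"""Added example (not from the original post): flag SSTI probes and payloads
in web access logs using only the Python standard library."""
import re
from urllib.parse import unquote

# Opening delimiters of the engines named in the post (Twig, Jinja2, Smarty,
# Mako) plus the common ${...}, <%...%> and #{...} families.
DELIMITERS = re.compile(r"\{\{|\{%|\$\{|<%|#\{")
# The arithmetic canary used to confirm evaluation, e.g. {{9*'9'}}, {{7*7}}, ${7*7}.
CANARY = re.compile(r"[{$<%#]\{?\s*\d+\s*\*\s*['\"]?\d+['\"]?")
# Attribute walks toward Python internals and process execution (high severity).
INTERNALS = re.compile(
    r"__(?:class|mro|subclasses|globals|builtins|import)__|\.popen\(|\bos\.system\("
)
# Request line inside a combined-log-format entry.
REQUEST = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE)\s+(\S+)')

# Constructed sample log lines; the IPs and paths are placeholders for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?name=Alice HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /%7B%7B9*%279%27%7D%7D HTTP/1.1" 200 520
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?name=%7B%7B%27%27.__class__%7D%7D HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /docs/{{braces-in-docs}} HTTP/1.1" 404 100
"""


def classify(line):
    """Return (severity, decoded_path) for a suspicious request, or None."""
    match = REQUEST.search(line)
    if not match:
        return None
    # Decode twice so that double-encoded payloads (%257B -> %7B -> {) are caught.
    path = unquote(unquote(match.group(1)))
    if INTERNALS.search(path):
        return ("high", path)
    if CANARY.search(path):
        return ("medium", path)
    if DELIMITERS.search(path):
        # Delimiters alone are weak evidence (see the /docs/ line), so rank them low.
        return ("low", path)
    return None


def scan(log_text):
    """Run classify() over every line and collect the hits in log order."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for severity, path in scan(SAMPLE_LOG):
        print(f"{severity:6} {path}")
```

The severity ordering reflects how a triage queue would treat the hits: bare delimiters appear in legitimate traffic (documentation URLs, templating tutorials), an arithmetic canary is almost always a probe, and a reference to dunder attributes or process execution in a URL is a payload attempt worth an immediate look at the application that served a 200 for it.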


Tip: Tplmap or its Burp Suite plugin will do the trick. Tplmap facilitates the detection and exploitation of Code Injection and Server-Side Template Injection vulnerabilities, including gaining access to the underlying operating system via a variety of sandbox escape tactics.

Let's take an example of Flask and Jinja2 SSTI. On visiting the host we see that it runs Flask/Jinja2.

Now we check for SSTI on this site with the probe. It was a success: this site has SSTI.

Now we can use this to exploit the server with the payload given below (an RCE payload).

Now our URL will look like: http://165.22.124.155:31361/%7B%7Brequest.application.globals.builtins.import('os').popen('cat%20flag.txt').read()%7D%7D

And boom! We hacked into the server! This was an overview of SSTI (server-side template injection). You can search online to learn more about SSTI. Happy learning!
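The root cause in the Flask/Jinja2 example above is that user input becomes part of the template source rather than being passed to the template as data. The following is an added example, not code from the original post or from Flask; it uses Jinja2 directly (no Flask needed) to show the vulnerable pattern beside the fixed one, with the post's {{9*'9'}} probe as input. The function names are assumptions made for this example.

```python
"""Added example (not from the original post): the vulnerable Jinja2 pattern
next to its fixed form, rendered with the Jinja2 library directly."""
from jinja2 import BaseLoader, Environment
from jinja2.sandbox import SandboxedEnvironment

PROBE = "{{9*'9'}}"  # the post's canary: Jinja2 evaluates 9*'9' to '999999999'


def render_unsafe(user_input):
    """VULNERABLE: the user's text is concatenated into the template source.

    This mirrors the Flask anti-pattern render_template_string("Hello " + name):
    any template syntax in the input is compiled and executed by the engine.
    """
    env = Environment(loader=BaseLoader())
    return env.from_string("Hello " + user_input).render()


def render_safe(user_input):
    """FIXED: the template is a constant; the user's text is passed as a variable.

    The input is only ever substituted as a value, so {{ ... }} inside it is
    printed literally. autoescape=True also HTML-escapes it, closing the XSS
    angle, and the sandboxed environment blocks access to private attributes
    as defence in depth should a template ever be user-supplied.
    """
    env = SandboxedEnvironment(loader=BaseLoader(), autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=user_input)


if __name__ == "__main__":
    print("unsafe:", render_unsafe(PROBE))  # the arithmetic is evaluated
    print("safe:  ", render_safe(PROBE))    # the probe is echoed as text
```

In Flask the same fix is to call render_template_string("Hello {{ name }}", name=user_input) or, better, to keep templates in files under templates/ and use render_template(); the rule is that request data may only ever flow into render() as a keyword argument, never into the template string itself.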


The post SSTI – Server Side Template Injection appeared first on Indian Cyber Security Solutions – ICSS.

By admin