28.4 Lab: Server-side template injection in an unknown language with a documented exploit
This lab is vulnerable to server-side template injection. To solve the lab, identify the template engine and find a documented exploit online that you can use to execute arbitrary code, then delete the morale.txt file from Carlos's home directory | Karthikeyan Nagaraj
Description
This lab is vulnerable to server-side template injection. To solve the lab, identify the template engine and find a documented exploit online that you can use to execute arbitrary code, then delete the morale.txt file from Carlos's home directory.
Solution
1. Notice that when you try to view more details about the first product, a GET request uses the message parameter to render "Unfortunately this product is out of stock" on the home page.
2. Experiment by injecting a fuzz string containing template syntax from various different template languages, such as `${{<%[%'"}}%\`, into the message parameter. Notice that when you submit invalid syntax, an error message is shown in the output. This identifies that the website is using Handlebars.
3. Search the web for "Handlebars server-side template injection". You should find a well-known exploit posted by @Zombiehelp54.
4. Modify this exploit so that it calls `require("child_process").exec("rm /home/carlos/morale.txt")` as follows:
5. URL encode your exploit and add it as the value of the message parameter in the URL. The final exploit should look like this, but remember to replace YOUR-LAB-ID with your own lab ID:
6. The lab should be solved when you load the URL.
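The detection side of step 2 is worth seeing from the defender's chair: the fuzz string that fingerprints the engine also leaves a distinctive trace in the access log (template metacharacters in a query parameter, often followed by a 5xx because the engine choked on the syntax). The script below is an added example, not code from the original write-up or from PortSwigger; it parses constructed combined-format log lines (the values are made up for this example), URL-decodes each parameter, and flags values containing template delimiters, rating a hit higher when the server answered with a 5xx. The marker list and the log format are assumptions. The root-cause fix, which this script does not replace, is to never compile user-supplied text as a template and instead pass it to a fixed template as a context value.

```javascript
// Added example: scan web-server access-log lines for query parameters that
// carry template syntax, the same pattern as the fuzz string in step 2.
// The log lines and the marker list below are constructed for this example.

// Delimiters used by common template engines (assumed list, extend as needed).
const TEMPLATE_MARKERS = ["{{", "}}", "<%", "%>", "${", "#{", "[[", "]]"];

// Decode one query value: '+' means space, and a malformed percent-escape
// (which makes decodeURIComponent throw) falls back to the raw text so a
// deliberately broken encoding cannot make the scanner skip the request.
function decodeParam(value) {
  try {
    return decodeURIComponent(value.replace(/\+/g, " "));
  } catch (e) {
    return value;
  }
}

// Split "a=1&b=2" into [{ name, value }] with decoded names and values.
function parseQuery(query) {
  if (!query) return [];
  return query.split("&").filter(Boolean).map((pair) => {
    const idx = pair.indexOf("=");
    const name = idx === -1 ? pair : pair.slice(0, idx);
    const value = idx === -1 ? "" : pair.slice(idx + 1);
    return { name: decodeParam(name), value: decodeParam(value) };
  });
}

// Return the template markers present in a string, each listed once.
function findTemplateMarkers(text) {
  return TEMPLATE_MARKERS.filter((m) => text.includes(m));
}

// Parse one access-log line of the form '... "GET /path?query HTTP/1.1" 500 ...'.
// Returns null for lines without a recognisable request line.
function parseLogLine(line) {
  const m = line.match(/"(GET|POST|PUT|PATCH|DELETE) (\S+) HTTP\/[\d.]+" (\d{3})/);
  if (!m) return null;
  const target = m[2];
  const q = target.indexOf("?");
  return {
    method: m[1],
    path: q === -1 ? target : target.slice(0, q),
    params: parseQuery(q === -1 ? "" : target.slice(q + 1)),
    status: Number(m[3]),
  };
}

// Flag requests whose parameters contain template syntax. A 5xx answer to
// such a request is the stronger signal: in the write-up, invalid syntax made
// the engine raise an error, which is exactly what the probe looks for.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    for (const p of req.params) {
      const markers = findTemplateMarkers(p.value);
      if (markers.length === 0) continue;
      findings.push({
        path: req.path,
        param: p.name,
        markers,
        status: req.status,
        severity: req.status >= 500 ? "high" : "medium",
      });
    }
  }
  return findings;
}

// Constructed sample: the normal out-of-stock message, the fuzz string from
// step 2 (URL-encoded), a Handlebars-style expression, and an unrelated request.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?message=Unfortunately+this+product+is+out+of+stock HTTP/1.1" 200 1834',
  '10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /?message=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C HTTP/1.1" 500 412',
  '10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /?message=%7B%7Bthis%7D%7D HTTP/1.1" 200 1790',
  '10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /product?productId=1 HTTP/1.1" 200 5120',
];

// Run over the sample and print the findings as JSON.
console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Run with `node scan.js`; the sample yields two findings on the message parameter, the fuzz string rated high (status 500) and the `{{this}}` probe rated medium. Tuning the marker list per stack avoids noise from legitimate values such as currency strings or JSON fragments.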
A YouTube Channel for Cybersecurity Lab’s Poc and Write-ups
Telegram Channel for Free Ethical Hacking Dumps
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng