Hacking server using SSTI

These days we mostly witness website with more of dynamic content than the static content. There are several ways to achieve the mentioned objective by using any server side language, but still all these methods lack two thing which are scalability and fast deployment. Template Engine take web apps development to the next level, keeping your application logic separate from your presentation.

Work of Template Engines

The image below explain the process of Template Engines, which simply translate into that template helps in data binding

What is data binding??

In a template, the developer basically define both static content and place holder for dynamic values. At runtime, the template will be processed by its engine to map dynamic values references in the template. For example below place holder will populate by engine with values of username dynamically.

Hello {{firstName}} {{lastName}}!

Commonly used Engines

Some of the most commonly used server-side template engines are Jinja2 or Jinja, Freemaker, Mako, Velocity, Smarty, Tornado, Genshi, Twig, Mustache, etc. You can read about their documentation available in internet.

Vulnerabilities in Template Engines

Template injection presents different class of vulnerabilities that results from parsing unvalidated input that is mistakenly evaluated as code by a templating engine. which can reflect from XSS to RCE.

Detection of Injection:

Plaintext Context:-Plain text detection can be used to detect SSTIs, in this some of the commonly used template expressions can be used by the tester.

For example: {{8*5}}, ${2*7}, {{8/0}}, <%= 5/0 %>, ${foobar}, {{9*9}}, etc.

You can use my SSTI probe for this purpose but you need to modify the tool request method and url as per your context

Pythonforpentester/SSTIPROBE.py at main · R0aDt0OSCP/Pythonforpentester

You can also use SSTI polygot as below which is composed of special characters commonly used in template expressions to fuzz the template.

${{<%[%'"}}%\.

In case of a vulnerability, an error message can be returned or the exception can be raised by the server. which can be used to identify the vulnerability and the template engine in use.

Automated Tools:

Tool below is of great help in identifying and exploiting the vulnerability

GitHub - vladko312/SSTImap: Automatic SSTI detection tool with interactive interface

I have also made a vulnerable lab where you can test your skills

Web-Application-Pentest-series/SSTI at main · R0aDt0OSCP/Web-Application-Pentest-series

Demo Time:

The video below will showcase the exploitation of two use cases

1. Exploiting TWIG(php based engine)
2. Exploiting Tornado(python based engine)

Hope you will have your takeaways from this writeup.

If you like please share & clap :)