Today I will tell you what Server-side template injection is in practice. I'll show you how to find this vulnerability and untwist it before executing the code on the server. You will also find out why the payments for this vulnerability on BugBounty go up to $ 10,000. It might seem like the vulnerability is difficult to exploit, but it is not. There are many details, but in general it is quite easy to find and promote. Well, what have you driven? Let's look at another interesting vulnerability.
What is server-side template injection?
For example, when you change your password, the following notification will be sent to the mail: "Username, your password has been changed." This is also a template, as this message is sent to all users, but only with a different username parameter. If a hacker using the template syntax was able to transfer the payload and it was executed on the server side, the application is vulnerable to SSTI.
The risk and consequences directly depend on the functionality of the engine. Sometimes SSTI allows you to execute arbitrary code on the server and gain full access on the server. Even if the engine has certain limitations and it is not possible to execute code on the server side, other attacks can be carried out using SSTI, which can lead to leakage of confidential information. Let's take a look at a specific example. For example, we have the functionality of an online store that duplicates the content of an order. Something like this:
The existing template changes the <username> and <order_sum> parameters for a specific user and order amount, respectively. And what will happen if you register a user with the nickname 5 * 5 or {{5 * 5}}. If the template is configured incorrectly, then at the next order we can see the following:
Thus, we see the execution of the code in the <username> parameter on the server side via SSTI. Using a more specific example, I will show how you can unroll this vulnerability and get arbitrary code execution.
How do I find the SSTI?
We need to find the place where the data is returned in the response. This can be an online form, an order page, a profile, etc. After that, you need to try adding different SSTI payloads and get an error or code execution. If we get the answer as in the example, then we get the guaranteed SSTI.
Code:
User = Hello $ {7 * 7}
Hello 49
Errors can be thrown when the expression is not built correctly. This may also hint at SSTI. Something like this can be obtained from the Ruby ERB engine:
Code:
(erb): 1: in `<main> ': undefined local variable or method` foobar' for main: Object (NameError)
from /usr/lib/ruby/2.5.0/erb.rb:876:in `eval '
from /usr/lib/ruby/2.5.0/erb.rb:876:in `result '
from -e: 4: in `<main> '
Next, you need to determine what kind of engine is used among the existing templates FreeMarker, Velocity, Smarty, Twig, Twig (sandboxed) and Jade. There is a hint picture that allows you to determine the names of the template based on the results of execution. Here are the most popular options, in case there are any other errors, google to help.
Defining the engine template
Exploiting the real SSTI
Let's promote SSTI in practice. Let's imagine that we have an online store and when going to one of the pages, this is the request in the URL:
Code:
You do not have permission to view link
Log in or register now.
is not foundThen we try to pass the parameter and get the display of the result on the page.
Code:
Then SSTI appears on the page. Great, potentially we found an SSTI. You need to figure out what the template is and get the code execution on the server side. Next, we load the entire list of potential payloads and analyze the response. Automation can be done with BurpSuite Intruder. You can see the list of my payloads in the screenshot, the link has a more detailed list for all engines.
We get the answer that the payload <% = 7 * 7%> worked and the page displays the executed result 49. To check, you can insert our payload into the request and look at the page. The payload itself will be URL-encode encoded.
Code:
Next, we find that the payload "<% = 7 * 7%>" is the syntax of the ERB engine. We are looking for a payload to execute system commands:
Code:
<% = system ("cat / etc / passwd")%>
You do not have permission to view link
Log in or register now.
<%= system ("cat / etc / passwd")%>Let's execute the URL-encode and our final payload will look like this:
Code:
You do not have permission to view link
Log in or register now.
63% 2f% 70% 61% 73% 73% 77% 64% 22% 29% 20% 25% 3e
Contents of the / etc / passwd file
We got server side code executions through SSTI. The screenshot above shows the contents of the / etc / passwd file. Further, you can get a shell or read the contents of some other files. It all depends on the goals and objectives.
How much does BugBounty pay for SSTIs?
SSTIs are less common in BugBounty reports. The remuneration ranges from $ 1,000 to $ 10,000. Maximum payouts are assigned for Server-side template injection, which results in remote code execution. We will analyze these two examples in this article.
The first example was found in the bugbounty Uber program. The user with the nickname Orange changed his nickname on the uber.com website to {{'7' * 7}} and received "77777777" in an email. This suggests that the system is vulnerable to SSTI (Jinja2 template). The hacker received a $ 10,000 reward for this vulnerability.
BugBounty Uber Program
The second example was found in the Shopify program. Operation is much more difficult than the first example. The user tried to modify the standard send template and was able to get the template change and get more information. Such a find brought the hacker $ 10,000.
BugBounty Shopify program
Conclusion
Server-side template injection is a fairly serious vulnerability. Through SSTI, you can get full control over the server, which we discussed today with specific examples. Template engines will continue to gain traction. Therefore, it will potentially be possible to meet even more reports from bugbounty platforms.