23.6 Lab: Server-side template injection in a sandboxed environment
Description
This lab uses the Freemarker template engine. It is vulnerable to server-side template injection due to its poorly implemented sandbox. To solve the lab, break out of the sandbox to read the file my_password.txt from Carlos's home directory. Then submit the contents of the file.
You can log in to your own account using the following credentials:
content-manager:C0nt3ntM4n4g3r
Solution
- Log in and edit one of the product description templates. Notice that you have access to the product object.
- Load the JavaDoc for the Object class to find methods that should be available on all objects. Confirm that you can execute ${object.getClass()} using the product object.
- Explore the documentation to find a sequence of method invocations that grant access to a class with a static method that lets you read a file, such as:
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}
- Enter this payload in one of the templates and save. The output will contain the contents of the file as decimal ASCII code points.
- Convert the returned bytes to ASCII.
- Click the “Submit Solution” button and submit this string to solve the lab.
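A reviewer-side check for the method chain used in the solution above, as an added example that is not part of the original write-up: it scans template source for the reflective and I/O method calls that appear in that payload and reports them per line. The method list and the sample templates are constructed for illustration and are not a complete denylist.

```python
import re

# Method names taken from the payload shown in this write-up. The list is an
# assumption for illustration and is not a complete denylist.
RISKY_CALLS = (
    "getClass", "getProtectionDomain", "getCodeSource", "getLocation",
    "toURI", "toURL", "openStream", "readAllBytes",
)

# Matches ".name(" anywhere in the template, so calls inside ${...}
# interpolations and inside <#assign ...> style directives are both seen.
CALL = re.compile(r"\.\s*(" + "|".join(RISKY_CALLS) + r")\s*\(")


def audit_template(source):
    """Return [(line_number, [method names in call order]), ...] for flagged lines."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        calls = CALL.findall(line)
        if calls:
            findings.append((number, calls))
    return findings


def needs_review(source):
    """True when any line calls a method from RISKY_CALLS."""
    return bool(audit_template(source))


# Constructed sample templates (not taken from the lab).
BENIGN = "<h1>${product.name}</h1>\n<p>Price: ${product.price}</p>\n"
SUSPECT = (
    "<h1>${product.name}</h1>\n"
    "<#assign c = product.getClass()>\n"
    "<p>${product.getClass().getProtectionDomain().getCodeSource()}</p>\n"
)

if __name__ == "__main__":
    for label, template in (("benign", BENIGN), ("suspect", SUSPECT)):
        if not needs_review(template):
            print(f"{label}: no flagged calls")
        for number, calls in audit_template(template):
            print(f"{label}: line {number}: {' -> '.join(calls)}")
```

A template that only reads data fields passes cleanly, while any line that steps from the product object into getClass() and onward is reported with the chain in call order.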
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng