28.3 Lab: Server-side template injection using documentation

This lab is vulnerable to server-side template injection. To solve the lab, identify the template engine and use the documenta tion to work out how to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory | Karthikeyan Nagaraj

Karthikeyan Nagaraj
2 min readJun 8, 2024

Description

This lab is vulnerable to server-side template injection. To solve the lab, identify the template engine and use the documentation to work out how to execute arbitrary code, then delete the morale.txt file from Carlos's home directory.

You can log in to your own account using the following credentials:

content-manager:C0nt3ntM4n4g3r

Solution

  1. Log in and edit one of the product description templates. Notice that this template engine uses the syntax ${someExpression} to render the result of an expression on the page. Either enter your own expression or change one of the existing ones to refer to an object that doesn't exist, such as ${foobar}, and save the template. The error message in the output shows that the Freemarker template engine is being used.
  2. Study the Freemarker documentation and find that appendix contains an FAQs section with the question “Can I allow users to upload templates and what are the security implications?”. The answer describes how the new() built-in can be dangerous.
  3. Go to the “Built-in reference” section of the documentation and find the entry for new(). This entry further describes how new() is a security concern because it can be used to create arbitrary Java objects that implement the TemplateModel interface.
  4. Load the JavaDoc for the TemplateModel class, and review the list of "All Known Implementing Classes".
  5. Observe that there is a class called Execute, which can be used to execute arbitrary shell commands
  6. Either attempt to construct your own exploit, or find @albinowax’s exploit on our research page and adapt it as follows:
    <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm /home/carlos/morale.txt") }
  7. Remove the invalid syntax that you entered earlier, and insert your new payload into the template.
  8. Save the template and view the product page to solve the lab.

--

--

Karthikeyan Nagaraj

Security Researcher | Bug Hunter | Web Pentester | CTF Player | TryHackme Top 1% | AI Researcher | Blockchain Developer