28.4 Lab: Server-side template injection in an unknown language with a documented exploit


Karthikeyan Nagaraj
2 min read · Jun 9, 2024

Description

This lab is vulnerable to server-side template injection. To solve the lab, identify the template engine and find a documented exploit online that you can use to execute arbitrary code, then delete the morale.txt file from Carlos's home directory.

Solution

  1. Notice that when you try to view more details about the first product, a GET request uses the message parameter to render "Unfortunately this product is out of stock" on the home page.
  2. Experiment by injecting a fuzz string containing template syntax from several different template languages, such as ${{<%[%'"}}%\, into the message parameter. Notice that when you submit invalid syntax, an error message is shown in the output. This identifies that the website is using Handlebars.
  3. Search the web for "Handlebars server-side template injection". You should find a well-known exploit posted by @Zombiehelp54.
  4. Modify this exploit so that it calls require("child_process").exec("rm /home/carlos/morale.txt") as follows:

  5. URL-encode your exploit and add it as the value of the message parameter in the URL. The final exploit should look like this, but remember to replace YOUR-LAB-ID with your own lab ID:

  6. The lab should be solved when you load the URL.
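The defender's view of step 2, as an added example that is not part of the original write-up: a probe like the fuzz string above reaches the server as percent-encoded query data, so a log scanner that decodes each parameter and flags template delimiters (and notes whether the response was a 5xx, the error-message behaviour the step relies on) will surface engine fingerprinting attempts. It assumes access logs in Combined Log Format; the log lines are constructed for this example.

```javascript
// Constructed sample access-log lines (Combined Log Format assumed).
// Line 2 carries the fuzz string ${{<%[%'"}}%\ URL-encoded in "message" and got a 500.
const SAMPLE_LOG = [
  '10.0.0.5 - - [09/Jun/2024:10:00:01 +0000] "GET /?message=Unfortunately%20this%20product%20is%20out%20of%20stock HTTP/1.1" 200 5120',
  '10.0.0.9 - - [09/Jun/2024:10:00:07 +0000] "GET /?message=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C HTTP/1.1" 500 812',
  '10.0.0.7 - - [09/Jun/2024:10:00:20 +0000] "GET /product?productId=1 HTTP/1.1" 200 4096',
  '10.0.0.9 - - [09/Jun/2024:10:00:31 +0000] "GET /product?productId=%7B%7B%7D%7D HTTP/1.1" 200 4096',
];

// Delimiters used by the template engines a typical polyglot fuzz string targets
// (Handlebars/Jinja-style {{ }}, ${ }, ERB/JSP <% %>, Twig/Jinja {% %}).
const TEMPLATE_SYNTAX = /(\{\{|\}\}|\$\{|<%|%>|\{%|%\})/;

// Parse one log line into ip, method, path, decoded query params and status.
function parseLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  let url;
  try {
    url = new URL(target, 'http://localhost'); // base needed for a path-only target
  } catch {
    return null;
  }
  // URLSearchParams percent-decodes values, so %7B%7B becomes {{ before matching.
  return { ip, ts, method, path: url.pathname, params: url.searchParams, status: Number(status) };
}

// Return one hit per parameter whose decoded value contains template syntax.
// "errored" marks probes that produced a server error, i.e. the input most
// likely reached a template parser rather than being treated as plain text.
function findTemplateProbes(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    for (const [name, value] of req.params) {
      if (TEMPLATE_SYNTAX.test(value)) {
        hits.push({ ip: req.ip, path: req.path, param: name, value, status: req.status, errored: req.status >= 500 });
      }
    }
  }
  return hits;
}

for (const h of findTemplateProbes(SAMPLE_LOG)) {
  console.log(`${h.ip} ${h.path} param=${h.param} status=${h.status} errored=${h.errored} value=${JSON.stringify(h.value)}`);
}
```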
