SSTI Complete Lab Breakdown: Basic server-side template injection - Bilingual Subtitles
Okay, this video is about the basics of server side template injection and if you already
understand SSTI and you just want to cover the lab methodology,
go ahead and check out the timestamps below and you should be able to jump to the section that you need.
But let's go ahead and get started.
So in order to understand SSTI, we need to talk about templates.
So templates are essentially files that contain a bunch of static content and within that static content,
we have spots where dynamic content supposed to go.
And we denote where that dynamic content goes with specific templating syntax that's understood by the templating engine in use.
So if we're talking about a Ruby application, it be ERB syntax.
Or if we're talking about a Python application, we be using gingis syntax.
And within those care characters that denote templating syntax, you'll see a reference to something like a model or an object and its attributes.
So if we call user dot username, the templating engine will see that and it'll dynamically put the user's username there.
Or if we put voting location dot description, then we'll see that the description gets populated there.
Now real quick, it's important to note.
for SSTI that the root of the issue is that our payload is somehow rendered by the
templating engine somehow and it could be through modifying the templating file directly or our parameter
just happens to be sent and rendered by the templating engine that way but keep a
pin that for now just note that that's pretty much the root cause of this issue.
But let's go ahead and talk about a few more examples of templating to really drive the understanding home.
So let's say you have an application that allows users to host their own events.
Well, what you could do is you could have a user fill out data about their event.
And a template will actually populate this data that's specific to the event that the user creates.
So an application developer might create a template.
for events and then from there that user controlled data for each event will be
populated in the template when a user goes to view that specific event.
Another example are emails.
Email are really common, especially in modern frameworks, where you create a static email template and then allocate specific parts that are dynamic.
So like the user username or a specific link that the user will click.
So that's a couple examples of templates.
Okay, what about server-side template injection?
What are we talking about that?
Well, let's look at a simple example of a template.
Here you can see an event was an event name and that event name is being passed dynamically as data.
In this case, it looks like some proper usage.
But what happens when user input is directly
to the template and at that point it becomes part of the template directive and the template engine actually looks at that
and Does something with it or processes it based off of what the user injects?
That's when we have an issue.
So first things first Anywhere we look and we see user controlled input that's being reflected.
We want to see if when we inject that input,
does the templating directive look at it as data, or does it actually interpret it and return the contents of what we try to evaluate?
This is where the power and the impact of SSTI really comes into play,
because if we can confirm that the templating engine evaluates simple arithmetic like seven times seven, now we can try something like SSTI.
system, who am I?
And possibly get RCE.
And even if we can't get RCE,
we can use the power of the templating engine to interact with functionality we shouldn't be able to interact
with and possibly exfiltrate some sensitive data.
So what's the methodologies to actually discover SSTI?
Well, we're going to use this lab to actually go through a common methodology or a common workflow.
that we use to discover SSTI in the wild.
Let's go ahead and dive right in.
Okay, discovery and exploitation of SSTI is a three-step process.
Step one is finding reflection of our user-controlled input.
We need a reflection of input.
That way we know when our payload is processed by the templating engine,
do we actually see that it's evaluated or is it returned as such without evaluation?
Step is enumerating the templating engine in use.
So we have a list of payloads that if they get evaluated by a templating engine would return seven times seven,
which is forty-nine, and we'll break this down a little bit.
But essentially we have a list of payloads,
we throw it at the application where the user input is reflected,
and if it returns forty-nine, it down based off templating syntax and then step three's exploitation.
Sometimes you'll get flat out RCE just from publicly available payloads and we'll go through some resources
where you can find those payloads but if there's not a payload out of the box it just
works you'll probably have to get your hands dirty.
you'll need to enumerate what you have access to within that template execution environment.
You have to do this by going through documentation or exploring objects like
self and its available methods or different functions that you have at your disposal.
Error messages do make this easier, but if all you get is output of properly evaluated template syntax, then you need to get crafty.
That's outside of the scope of this video,
but just know that any published payloads you find all come from awesome researchers who did the hard gadget chains.
So you find something in the wild, your research could really help the community.
So as we look at this lab, we see the applications are pretty basic shop application and we can view details of an item.
And then when we click view details, let's see what happens here.
It attempts to open up a product and here we get a message Unfortunately, this product is out of stock.
So if we take this request to repeat it with control R what we can do is We can look at where this message is being
reflected Which is down here so we can actually send this instead to intruder and grab a list of payloads which are going
in this message URL parameter.
So I like using hack tricks for something like this.
This hack tricks has a really great breakdown of SSTI in general.
And it starts with this direct plain text context, which has a list of different payloads.
And if the payload or if our inputs being sent to a templating engine and actually being evaluated,
it should return 49 where it's being reflected.
So we add this to clipboard, we go back to burp, go to payloads, paste our payloads here.
extract.
So we go to options, go to grep extract, and we want to extract the data that is being reflected.
So what was that message that we got unfortunate, I think?
Yeah, unfortunately, this product is out of stock.
So if we highlight this within the div here, and click OK.
When we run this intruder attack, it should actually return the contents of anything within that div.
So as you can see here, our output is being reflected, or excuse me, our payload is actually being evaluated in returning 49.
And this specific syntax is actually Ruby or ERB templating specifically.
And the awesome part about this is you can jump to Hactrix, Control F, And it'll actually show some example payloads you can use.
So first line shows that we can just run the system function directly.
Let's go ahead and give this a try.
We'll minimize our interior attack, go back to repeat.
gear.
And then what we'll do is we'll actually highlight a section of the response that will be easy to jump to.
We'll paste it in this search box.
And if we click this gear and go auto scroll to match when text changes,
every time we send this request, it'll hop right to where our input is being reflected.
So instead of this message,
what we can do is less than percent equals,
then we need a space, which you are all encoded to be percent 20 or plus system.
Who am I?
Plus.
And what we run this, you could see that we're the actual user Carlos.
From here, we can do an LS to list the contents of the directory.
In this case, we have morale.txt.
We can do PWD to see what directory we're currently in, present working directory is home Carlos.
So the lab calls for us to actually remove a specific file from the file system.
So we can do RM plus, which is a space home, Carlos, morale.txt.
And we could have just removed morale.txt because we're in that directory.
But you can see if we go back to the actual application, we got the congrats.
We solve the lab.
And so from here, what we did was again, three steps.
We look for user controlled input or reflection of you.
We went ahead and tried to enumerate whether or not our input was being sent to a templating engine
And if it was we would get a valuation of our payload.
So if we look at our intruder attack again We're trying to return seven times seven,
which is forty nine and in this case because we got forty and then returned We enumerated that the templating engine in use was Ruby's ERB templating engine and we confirmed
We have SSTI because we got this forty nine So from here,
it's just exploitation and we leverage hack tricks to see that we can just call system directly and get RCE Well,
that's all I got for this video.
If you want any more from me, you can check me out on twitch.tv forward slash gar underscore seven.
Every Monday and Thursday, I do educational live streams and giveaway, so I'd love to see you there.
If you learned something from this video, or if you have any feedback at all, I'd love to hear about it in comments below.
But other than that, hope to see you next time.
Unlock More Features
Install the Trancy extension to unlock more features, including AI subtitles, AI word definitions, AI grammar analysis, AI speaking, etc.
Compatible with Major Video Platforms
Trancy not only provides bilingual subtitle support for platforms like YouTube, Netflix, Udemy, Disney+, TED, edX, Kehan, Coursera, but also offers AI word/sentence translation, full-text immersive translation, and other features for regular web pages. It is a true all-in-one language learning assistant.
Supports All Platform Browsers
Trancy supports all platform browsers, including iOS Safari browser extension.
Multiple Viewing Modes
Supports theater, reading, mixed, and other viewing modes for a comprehensive bilingual experience.
Multiple Practice Modes
Supports sentence dictation, oral evaluation, multiple-choice, dictation, and other practice modes.
AI Video Summary
Use OpenAI to summarize videos and quickly grasp key content.
AI Subtitles
Generate accurate and fast YouTube AI subtitles in just 3-5 minutes.
AI Word Definitions
Tap on words in the subtitles to look up definitions, with AI-powered definitions.
AI Grammar Analysis
Analyze sentence grammar to quickly understand sentence meanings and master difficult grammar points.
More Web Features
In addition to bilingual video subtitles, Trancy also provides word translation and full-text translation for web pages.