Server Side Template Injection-Something Distinct!

Image Credit — Cobalt.io

So basically, Server Side Template Injection (SSTI) happens when user input ends up inside the template source that a template engine renders, instead of being passed to the template as data. The engine then evaluates the input (the payload) as template syntax on the server, and in many engines that can be escalated to remote code execution (RCE).

  1. There was a simple sign-up/register page on target.com.
  2. In the Name field, type {{7*7}}.
  3. Fill in the rest of the form normally. Note that the payload goes only in the Name field, so that any change in the output can be attributed to it.
  4. It is usual and intended behaviour for web applications to greet a new user with a mail and ask them to verify their address.
  5. Here's the main thing: the mail had a subject like:

49, Welcome to target.com

  • This is because the Name value had been spliced into the subject template before rendering, so the template engine evaluated {{7*7}} as an expression and emitted 49. User input being treated as template source, rather than as data supplied to the template, is the root cause of SSTI.
  • A successful SSTI can often be escalated to RCE, but there is no universal payload: the escalation depends on the engine and its sandbox, so each case needs its own payload.
  • {{system('whoami')}} → a payload that, if the rendered output contains the command result, proves RCE. The chance of it working as-is is low, because most engines do not expose a function like system() directly.
  1. {{7*'7'}} → a result of 7777777 points to Jinja2 (Python string repetition), while 49 points to Twig (the string is coerced to a number).
  2. #{ 5*8 } → Ruby-style interpolation syntax.
  3. @(5+5) → Razor syntax.
  4. You can find more SSTI payloads online, but modify and tailor them to the target yourself. This increases the chance of one being executed, and the rendered output of these probes also tells you which engine you are dealing with, which is what the RCE payload has to be built for.
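As an added example (not code from the original post), here is the pattern behind the sign-up finding reproduced offline: a welcome-mail subject built by concatenating the user's Name into the template source, beside the fixed version that passes the name in as context, plus a small routine that runs the arithmetic probes above and reads what the results imply. The template engine is a constructed toy that mimics the {{ }} syntax with Python expression semantics; it is not Jinja2, and the function names and the target.com subject text are assumptions for illustration.

```python
import re

# Constructed toy template engine for this example (not Jinja2 or Twig): every
# {{ expr }} found in the template *source* is evaluated as a Python expression.
# That is exactly why splicing user input into the source is dangerous.
TAG = re.compile(r"\{\{(.*?)\}\}")


def render_template(source, context):
    """Render `source`, evaluating each {{ expr }} with `context` as its variables."""
    def evaluate(match):
        expr = match.group(1).strip()
        # Builtins are removed so the toy engine cannot reach system()/open();
        # a real engine's sandbox plays this role, and bypassing it is what
        # RCE payloads are about. re.sub does not re-scan the replacement,
        # so output containing {{ }} is not evaluated a second time.
        return str(eval(expr, {"__builtins__": {}}, dict(context)))
    return TAG.sub(evaluate, source)


def welcome_subject_vulnerable(name):
    """The bug pattern: the user-supplied name is concatenated into the
    template source before rendering, so template syntax inside it runs."""
    source = name + ", Welcome to target.com"
    return render_template(source, {})


def welcome_subject_fixed(name):
    """Same subject line built safely: the template source is a constant and
    the name reaches the engine only as data through the context."""
    source = "{{ name }}, Welcome to target.com"
    return render_template(source, {"name": name})


def fingerprint(render):
    """Feed the arithmetic probes to a render function (e.g. one of the two
    above) and interpret the results. Jinja2 evaluates 7*'7' with Python
    semantics ('7777777'); Twig coerces the string to a number (49)."""
    results = {}
    for payload in ("{{7*7}}", "{{7*'7'}}"):
        try:
            results[payload] = render(payload)
        except Exception as exc:  # an error is still a signal worth keeping
            results[payload] = "ERROR: " + type(exc).__name__
    if results["{{7*7}}"].startswith("49"):
        if results["{{7*'7'}}"].startswith("7777777"):
            verdict = "injectable: Jinja2-like ({{ }} with Python semantics)"
        elif results["{{7*'7'}}"].startswith("49"):
            verdict = "injectable: Twig-like (string coerced to number)"
        else:
            verdict = "injectable: {{ }} evaluated, engine unknown"
    else:
        verdict = "not injectable via {{ }}: input rendered as literal text"
    return verdict, results


if __name__ == "__main__":
    for label, fn in (("vulnerable", welcome_subject_vulnerable),
                      ("fixed", welcome_subject_fixed)):
        verdict, results = fingerprint(fn)
        print(f"{label}: {verdict}")
        for payload, out in results.items():
            print(f"  {payload!r} -> {out!r}")
```

Running it, the vulnerable builder turns {{7*7}} into the "49, Welcome to target.com" subject from the post, while the fixed builder reproduces the braces literally; the fix is not output encoding but keeping untrusted data out of the template source altogether.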
  • I reported this about a month ago and have not yet got any reply from the company. This approach by companies is very tiresome for a Bug Bounty Hunter. Hope they will reply to my mail someday :)
