Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: Server-side template injection in a sandboxed environment

EXPERT

This lab uses the Freemarker template engine. It is vulnerable to server-side template injection due to its poorly implemented sandbox. To solve the lab, break out of the sandbox to read the file my_password.txt from Carlos's home directory. Then submit the contents of the file.

You can log in to your own account using the following credentials:

content-manager:C0nt3ntM4n4g3r
ACCESS THE LAB

Solution

  1. Log in and edit one of the product description templates. Notice that you have access to the product object.
  2. Load the JavaDoc for the Object class to find methods that should be available on all objects. Confirm that you can execute ${object.getClass()} using the product object.

  3. Explore the documentation to find a sequence of method invocations that grant access to a class with a static method that lets you read a file, such as:

    ${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}
  4. Enter this payload in one of the templates and save. The output will contain the contents of the file as decimal ASCII code points.
  5. Convert the returned bytes to ASCII.
  6. Click the "Submit solution" button and submit this string to solve the lab.

Community solutions

Garr_7

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find server-side template injection vulnerabilities using Burp Suite

Try for free