Lab: Server-side template injection with a custom exploit

This lab is vulnerable to server-side template injection. To solve the lab, create a custom exploit to delete the file /.ssh/id_rsa from Carlos's home directory.

You can log in to your own account using the following credentials: wiener:peter

Warning

As with many high-severity vulnerabilities, experimenting with server-side template injection can be dangerous. If you're not careful when invoking methods, it is possible to damage your instance of the lab, which could make it unsolvable. If this happens, you will need to wait 20 minutes until your lab session resets.

Solution

  1. While proxying traffic through Burp, log in and post a comment on one of the blogs.
  2. Go to the "My account" page. Notice that the functionality for setting a preferred name is vulnerable to server-side template injection, as we saw in a previous lab. You should also have noticed that you have access to the user object.
  3. Investigate the custom avatar functionality. Notice that when you upload an invalid image, the error message discloses a method called user.setAvatar(). Also take note of the file path /home/carlos/User.php. You will need this later.
  4. Upload a valid image as your avatar and load the page containing your test comment.
  5. In Burp Repeater, open the POST request for changing your preferred name and use the blog-post-author-display parameter to set an arbitrary file as your avatar:

    user.setAvatar('/etc/passwd')
  6. Load the page containing your test comment to render the template. Notice that the error message indicates that you need to provide an image MIME type as the second argument. Provide this argument and view the comment again to refresh the template:

    user.setAvatar('/etc/passwd','image/jpg')
  7. To read the file, load the avatar using GET /avatar?avatar=wiener. This will return the contents of the /etc/passwd file, confirming that you have access to arbitrary files.
  8. Repeat this process to read the PHP file that you noted down earlier:

    user.setAvatar('/home/carlos/User.php','image/jpg')
  9. In the PHP file, Notice that you have access to the gdprDelete() function, which deletes the user's avatar. You can combine this knowledge to delete Carlos's file.
  10. First set the target file as your avatar, then view the comment to execute the template:

    user.setAvatar('/home/carlos/.ssh/id_rsa','image/jpg')
  11. Invoke the user.gdprDelete() method and view your comment again to solve the lab.

Community solutions

Garr_7