Lab: Server-side template injection with a custom exploit

1. While proxying traffic through Burp, log in and post a comment on one of the blogs.
2. Go to the "My account" page. Notice that the functionality for setting a preferred name is vulnerable to server-side template injection, as we saw in a previous lab. You should also have noticed that you have access to the user object.
3. Investigate the custom avatar functionality. Notice that when you upload an invalid image, the error message discloses a method called user.setAvatar(). Also take note of the file path /home/carlos/User.php. You will need this later.
4. Upload a valid image as your avatar and load the page containing your test comment.

5. In Burp Repeater, open the POST request for changing your preferred name and use the blog-post-author-display parameter to set an arbitrary file as your avatar:

   user.setAvatar('/etc/passwd')

6. Load the page containing your test comment to render the template. Notice that the error message indicates that you need to provide an image MIME type as the second argument. Provide this argument and view the comment again to refresh the template:

   user.setAvatar('/etc/passwd','image/jpg')
7. To read the file, load the avatar using GET /avatar?avatar=wiener. This will return the contents of the /etc/passwd file, confirming that you have access to arbitrary files.

8. Repeat this process to read the PHP file that you noted down earlier:

   user.setAvatar('/home/carlos/User.php','image/jpg')
9. In the PHP file, Notice that you have access to the gdprDelete() function, which deletes the user's avatar. You can combine this knowledge to delete Carlos's file.

10. First set the target file as your avatar, then view the comment to execute the template:

    user.setAvatar('/home/carlos/.ssh/id_rsa','image/jpg')
11. Invoke the user.gdprDelete() method and view your comment again to solve the lab.

Garr_7