Join us on May 15 for a live demo of how Burp Suite DAST solves real-world security challenges.            Register Now
Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: Server-side template injection with a custom exploit

EXPERT

This lab is vulnerable to server-side template injection. To solve the lab, create a custom exploit to delete the file /.ssh/id_rsa from Carlos's home directory.

You can log in to your own account using the following credentials: wiener:peter

Warning

As with many high-severity vulnerabilities, experimenting with server-side template injection can be dangerous. If you're not careful when invoking methods, it is possible to damage your instance of the lab, which could make it unsolvable. If this happens, you will need to wait 20 minutes until your lab session resets.

ACCESS THE LAB

Solution

  1. While proxying traffic through Burp, log in and post a comment on one of the blogs.
  2. Go to the "My account" page. Notice that the functionality for setting a preferred name is vulnerable to server-side template injection, as we saw in a previous lab. You should also have noticed that you have access to the user object.
  3. Investigate the custom avatar functionality. Notice that when you upload an invalid image, the error message discloses a method called user.setAvatar(). Also take note of the file path /home/carlos/User.php. You will need this later.
  4. Upload a valid image as your avatar and load the page containing your test comment.

  5. In Burp Repeater, open the POST request for changing your preferred name and use the blog-post-author-display parameter to set an arbitrary file as your avatar:

    user.setAvatar('/etc/passwd')

  6. Load the page containing your test comment to render the template. Notice that the error message indicates that you need to provide an image MIME type as the second argument. Provide this argument and view the comment again to refresh the template:

    user.setAvatar('/etc/passwd','image/jpg')
  7. To read the file, load the avatar using GET /avatar?avatar=wiener. This will return the contents of the /etc/passwd file, confirming that you have access to arbitrary files.

  8. Repeat this process to read the PHP file that you noted down earlier:

    user.setAvatar('/home/carlos/User.php','image/jpg')
  9. In the PHP file, Notice that you have access to the gdprDelete() function, which deletes the user's avatar. You can combine this knowledge to delete Carlos's file.

  10. First set the target file as your avatar, then view the comment to execute the template:

    user.setAvatar('/home/carlos/.ssh/id_rsa','image/jpg')
  11. Invoke the user.gdprDelete() method and view your comment again to solve the lab.

Community solutions

Garr_7

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find server-side template injection vulnerabilities using Burp Suite

Try for free