Lab: Server-side template injection with a custom exploit
This lab is vulnerable to server-side template injection. To solve the lab, create a custom exploit to delete the file
/.ssh/id_rsa from Carlos's home directory.
You can log in to your own account using the following credentials:
As with many high-severity vulnerabilities, experimenting with server-side template injection can be dangerous. If you're not careful when invoking methods, it is possible to damage your instance of the lab, which could make it unsolvable. If this happens, you will need to wait 20 minutes until your lab session resets.
- While proxying traffic through Burp, log in and post a comment on one of the blogs.
Go to the "My account" page. Notice that the functionality for setting a preferred name is vulnerable to server-side template injection, as we saw in a previous lab. You should also have noticed that you have access to the
Investigate the custom avatar functionality. Notice that when you upload an invalid image, the error message discloses a method called
user.setAvatar(). Also take note of the file path
/home/carlos/User.php. You will need this later.
- Upload a valid image as your avatar and load the page containing your test comment.
In Burp Repeater, open the
POSTrequest for changing your preferred name and use the
blog-post-author-displayparameter to set an arbitrary file as your avatar:
Load the page containing your test comment to render the template. Notice that the error message indicates that you need to provide an image MIME type as the second argument. Provide this argument and view the comment again to refresh the template:
To read the file, load the avatar using
GET /avatar?avatar=wiener. This will return the contents of the
/etc/passwdfile, confirming that you have access to arbitrary files.
Repeat this process to read the PHP file that you noted down earlier:
In the PHP file, Notice that you have access to the
gdprDelete()function, which deletes the user's avatar. You can combine this knowledge to delete Carlos's file.
First set the target file as your avatar, then view the comment to execute the template:
user.gdprDelete()method and view your comment again to solve the lab.