What is Server-Side Template Injection?

Server-side template injection (SSTI) is an attack in which the attacker uses the template engine's native syntax to inject malicious payloads into a template.

The attack typically works when user input is concatenated directly into a template. As a result, the attacker can inject malicious content such as arbitrary template directives and use them to manipulate the template engine.

We can recognise that the attack is possible when reviewing vulnerable source code such as the example shown below:

// Vulnerable: the request parameter is concatenated into the template source, so anything in ?name= is parsed as Twig syntax instead of being treated as data.
$output = $twig->render("Dear " . $_GET['name']);

Looking at the source code above, we can deliver the payload in a GET request by taking advantage of the parameter “name”.

An example of the execution of the payload can be seen below:

http://test.com/?name={{SSTI payload}}

For a deeper understanding of the attack method and payloads, you can read the reference linked here.
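To make the root cause concrete, here is an added example that is not code from the original post. The post's snippet is PHP/Twig; this uses Python's standard-library string.Template as a stand-in engine so it runs offline. string.Template only expands $name placeholders (it does not evaluate expressions such as {{7*7}}), but that is enough to show the same defect: user input concatenated into the template source is interpreted as template syntax, whereas input passed as a substitution value stays data. The CONTEXT dictionary, the app_secret value and the function names are assumptions made for the example.

```python
"""Vulnerable vs. hardened template rendering (added example, stdlib only)."""
from string import Template

# Constructed server-side context that the template can see. A real
# application might expose config, session data or helper objects the same way.
CONTEXT = {"app_secret": "hypothetical-secret-value"}


def render_vulnerable(name: str) -> str:
    """Mirrors $twig->render("Dear " . $_GET['name']): the request parameter
    becomes part of the template source, so placeholders inside it are expanded."""
    template_source = "Dear " + name            # BUG: data concatenated into template code
    return Template(template_source).safe_substitute(CONTEXT)


def render_safe(name: str) -> str:
    """The template source is a developer-written constant; the request parameter
    is passed only as a substitution value, so it is never parsed as template syntax."""
    template = Template("Dear $name")           # fixed template, not built from input
    return template.safe_substitute(CONTEXT, name=name)


if __name__ == "__main__":
    benign = "Alice"
    probe = "$app_secret"                       # constructed probe, same idea as {{7*7}}
    print(render_vulnerable(benign))            # Dear Alice
    print(render_vulnerable(probe))             # Dear hypothetical-secret-value  <- context leaked
    print(render_safe(benign))                  # Dear Alice
    print(render_safe(probe))                   # Dear $app_secret  <- treated as plain data
```

The fix is the same in Twig, Jinja2 or any other engine: keep the template text static and hand user-controlled values to the engine as variables rather than splicing them into the template string.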

Demo for the Server-Side Template Injection (SSTI)


For the demo, I will be using the sample from the Talkative machine, where the payload used is {{7*7}} as shown above.


I should be able to see the SSTI attack message at the top of the website showing a total of 49 (the result of 7*7).

Another sample from the Good Game machine

Another machine on which we can experience SSTI is GoodGame. The injection location can differ from machine to machine, but on this machine it is in General Information.

As shown in the previous example, we can use the same {{7*7}} payload in the FullName column.

The output of the injection looks like the screenshot above; without this test we would not be aware that SSTI can be exploited here.
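From the defender's side, the {{7*7}} probe used in both demos leaves a recognisable trace in web server logs. The following is an added example, not part of the original post, that scans combined-format access log lines for arithmetic template probes in the request path. The log lines and IP addresses are constructed, and the regular expressions are assumptions covering the Twig/Jinja2 {{...}}, the ${...} and the ERB <%= ... %> syntaxes.

```python
"""Detect SSTI probes such as {{7*7}} in access logs (added example)."""
import re
from urllib.parse import unquote_plus

# Arithmetic probes in the syntax of common engines (assumed patterns):
#   {{7*7}}  -> Twig / Jinja2 style
#   ${7*7}   -> FreeMarker / Velocity style
#   <%= 7*7 %> -> ERB style
PROBE = re.compile(
    r"\{\{\s*\d+\s*[*+]\s*\d+\s*\}\}"      # {{7*7}}
    r"|\$\{\s*\d+\s*[*+]\s*\d+\s*\}"        # ${7*7}
    r"|<%=\s*\d+\s*[*+]\s*\d+\s*%>"         # <%= 7*7 %>
)

# Apache/nginx "combined" request line: ip ident user [time] "METHOD path PROTO" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_ssti_probes(lines):
    """Return (ip, decoded path) for each line whose request path carries a probe.

    The path is URL-decoded first because browsers and tools percent-encode
    braces ({{ arrives as %7B%7B), which would otherwise hide the probe."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                               # not an access-log line; skip it
        decoded = unquote_plus(m.group("path"))
        if PROBE.search(decoded):
            hits.append((m.group("ip"), decoded))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?name=Alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /profile?fullname=%24%7B7*7%7D HTTP/1.1" 200 610',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for ip, path in find_ssti_probes(SAMPLE_LOG):
        print(f"possible SSTI probe from {ip}: {path}")
```

Only GET query strings are visible in a standard access log; probes submitted in POST bodies (such as a profile form's FullName field) need application-level logging or a WAF to be seen, so the check above is a starting point rather than full coverage.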

SSTI can also be escalated to command injection, and from there we were able to obtain a reverse shell on the machine.

To do so, the payload needs to be changed a little so that the connection comes back to us.