What is Server Side Template Injection (SSTI)?
Web applications use templates to generate dynamic pages. Server Side Template Injection occurs when user input is embedded into a template in an unsafe manner, so that the template engine evaluates the input as template code rather than treating it as data. On first observation this vulnerability is easy to mistake for XSS. Unlike XSS, however, SSTI executes inside the server's template engine, so it can be used to attack the web server's internals directly and can escalate to remote code execution and complete server compromise.
Template injection can arise both through developer error and through the intentional exposure of templates in an attempt to offer rich functionality, as is commonly done by wikis, blogs, marketing applications and content management systems. Intentional template injection is such a common use case that many template engines offer a 'sandboxed' mode for this express purpose. The original research paper defines a methodology for detecting and exploiting template injection and shows it being applied to craft RCE zero-days for two widely deployed enterprise web applications. Generic exploits are demonstrated for five of the most popular template engines, including escapes from sandboxes whose entire purpose is to handle user-supplied templates in a safe way.
For the full SSTI methodology, I highly recommend reading the Server-Side Template Injection post.
How to find and exploit SSTI
- detecting template injection
- identify the template engine
- exploit
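The distinction that the description above hinges on, and that the detection step looks for, is whether untrusted input becomes part of the template *source* or is only passed in as a *value*. The following is an added example, not code from the original post or from the research it cites. It uses only Python's standard-library `string.Template` so it runs offline; the names `render_unsafe`, `render_safe`, `looks_like_template_probe` and the context values are constructed for illustration. With a real engine such as Jinja2 or FreeMarker the same unsafe pattern goes well beyond the variable disclosure shown here.

```python
"""Added example: unsafe vs. safe use of a template engine, plus a defender-side
check for template delimiters in request parameters. Uses only the standard library."""
import re
from string import Template

# Constructed server-side context: values the template can see but the
# requesting user must never be able to read through the template engine.
SERVER_CONTEXT = {
    "site_name": "Example Shop",
    "internal_token": "CONSTRUCTED-SECRET-VALUE",  # placeholder, not a real secret
}


def render_unsafe(user_input: str) -> str:
    """Vulnerable pattern (for comparison only): the user's text is concatenated
    INTO the template source, so any template directive it contains is evaluated
    by the engine with access to the whole server context."""
    template = Template("Hello, " + user_input + "!")
    return template.safe_substitute(SERVER_CONTEXT)


def render_safe(user_input: str) -> str:
    """Hardened pattern: the template source is a fixed string written by the
    developer; user input enters only as a context VALUE, so the engine renders
    it literally and never interprets it as a directive."""
    template = Template("Hello, $name!")
    return template.safe_substitute(name=user_input)


# Delimiters used by common engines: {{ }} / {% %} (Jinja2, Twig, Django),
# ${ } (FreeMarker, Velocity, Java EL), #{ } (Thymeleaf, Ruby ERB), <% %> (ERB, JSP).
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|#\{.*?\}|<%=?.*?%>", re.S)


def looks_like_template_probe(value: str) -> bool:
    """Detection helper for the 'detecting template injection' step, seen from the
    defender's side: flag request parameters that carry template delimiters so the
    request can be logged or alerted on. Returns True when any delimiter pair is present."""
    return TEMPLATE_SYNTAX.search(value) is not None


if __name__ == "__main__":
    probe = "${internal_token}"  # constructed input: a template directive, not a name
    print("unsafe :", render_unsafe(probe))   # secret is substituted into the page
    print("safe   :", render_safe(probe))     # directive is printed back literally
    print("flagged:", looks_like_template_probe(probe))
```

In `render_unsafe` the engine resolves `${internal_token}` against the server context and leaks it into the response; in `render_safe` the identical input is rendered as the literal text `${internal_token}`. The detection regex is deliberately broad: a template delimiter in a field that should hold a person's name is a strong signal worth logging even when the engine in use would not have evaluated it.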
DEMO: