Welcome to the Off-Shore Club

The #1 Social Engineering Project in the world since 2004 !

Important Notice:

✅UPGRADE YOUR ACCOUNT TODAY TO ACCESS ALL OFF-SHORE FORUMS✅

[New]Telegram Channel

In case our domain name changes, we advise you to subscribe to our new TG channel to always be aware of all events and updates -
https://t.me/rtmsechannel

OFF-SHORE Staff Announcement: 30% Bonus on ALL Wallet Deposit this week


For example, if you deposit $1000, your RTM Advertising Balance will be $1300 that can be used to purchase eligible products and service on forums or request withdrawal. The limit deposit to get the 30% bonus is $10,000 for a $3000 Marketplace wallet balance Bonus.

Deposit Now and claim 30% more balance ! - BTC/LTC/XMR


Always use a Mixer to keep Maximum anonimity ! - BTC to BTC or BTC to XMR

How to Hack a Server Using SSTI?

⚠️Always Remember to keep your identity safe by using a Zero-KYC Zero-AML like https://coinshift.money⚠️

Gold

Mr. Nick

Well-known Hacker
USDT(TRC-20)
$0.0
_teHGy7WBcw.jpg


Today I will tell you what Server-side template injection is in practice. I'll show you how to find this vulnerability and untwist it before executing the code on the server. You will also find out why the payments for this vulnerability on BugBounty go up to $ 10,000. It might seem like the vulnerability is difficult to exploit, but it is not. There are many details, but in general it is quite easy to find and promote. Well, what have you driven? Let's look at another interesting vulnerability.

What is server-side template injection?
Server-side template injection (SSTI) is a vulnerability injecting malicious code into a template and then executing it on the server side. Many sites use a variety of templates for a more stylish / dynamic display of pages, as well as for creating prepared responses for users.
For example, when you change your password, the following notification will be sent to the mail: "Username, your password has been changed." This is also a template, as this message is sent to all users, but only with a different username parameter. If a hacker using the template syntax was able to transfer the payload and it was executed on the server side, the application is vulnerable to SSTI.

The risk and consequences directly depend on the functionality of the engine. Sometimes SSTI allows you to execute arbitrary code on the server and gain full access on the server. Even if the engine has certain limitations and it is not possible to execute code on the server side, other attacks can be carried out using SSTI, which can lead to leakage of confidential information. Let's take a look at a specific example. For example, we have the functionality of an online store that duplicates the content of an order. Something like this:

"Hello <username>. Your order for <order_sum> has been placed. Expect delivery from 30.07."
The existing template changes the <username> and <order_sum> parameters for a specific user and order amount, respectively. And what will happen if you register a user with the nickname 5 * 5 or {{5 * 5}}. If the template is configured incorrectly, then at the next order we can see the following:

"Hello, 25. Your order in the amount of 1037 rubles has been placed. Expect delivery from 30.07."
Thus, we see the execution of the code in the <username> parameter on the server side via SSTI. Using a more specific example, I will show how you can unroll this vulnerability and get arbitrary code execution.

How do I find the SSTI?
We need to find the place where the data is returned in the response. This can be an online form, an order page, a profile, etc. After that, you need to try adding different SSTI payloads and get an error or code execution. If we get the answer as in the example, then we get the guaranteed SSTI.
Code:
User = Hello $ {7 * 7}
Hello 49
Errors can be thrown when the expression is not built correctly. This may also hint at SSTI. Something like this can be obtained from the Ruby ERB engine:
Code:
(erb): 1: in `<main> ': undefined local variable or method` foobar' for main: Object (NameError)
from /usr/lib/ruby/2.5.0/erb.rb:876:in `eval '
from /usr/lib/ruby/2.5.0/erb.rb:876:in `result '
from -e: 4: in `<main> '
Next, you need to determine what kind of engine is used among the existing templates FreeMarker, Velocity, Smarty, Twig, Twig (sandboxed) and Jade. There is a hint picture that allows you to determine the names of the template based on the results of execution. Here are the most popular options, in case there are any other errors, google to help.

Defining the engine template

Defining the engine template

Exploiting the real SSTI
Let's promote SSTI in practice. Let's imagine that we have an online store and when going to one of the pages, this is the request in the URL:
Code:
https://internetshop.com/?message=Object is not found
Then we try to pass the parameter and get the display of the result on the page.
Code:
Then SSTI appears on the page. Great, potentially we found an SSTI. You need to figure out what the template is and get the code execution on the server side. Next, we load the entire list of potential payloads and analyze the response. Automation can be done with BurpSuite Intruder. You can see the list of my payloads in the screenshot, the link has a more detailed list for all engines.

tIy_qW7w9pM.jpg


We get the answer that the payload <% = 7 * 7%> worked and the page displays the executed result 49. To check, you can insert our payload into the request and look at the page. The payload itself will be URL-encode encoded.
Code:
Next, we find that the payload "<% = 7 * 7%>" is the syntax of the ERB engine. We are looking for a payload to execute system commands:
Code:
<% = system ("cat / etc / passwd")%>
https://internetshop.com/?message=<%= system ("cat / etc / passwd")%>
Let's execute the URL-encode and our final payload will look like this:
Code:
https://internetshop.com/?message=<%= system("cat /et% 63% 2f% 70% 61% 73% 73% 77% 64% 22% 29% 20% 25% 3e
x2a-gcxzpWA.jpg

Contents of the / etc / passwd file

We got server side code executions through SSTI. The screenshot above shows the contents of the / etc / passwd file. Further, you can get a shell or read the contents of some other files. It all depends on the goals and objectives.

How much does BugBounty pay for SSTIs?
SSTIs are less common in BugBounty reports. The remuneration ranges from $ 1,000 to $ 10,000. Maximum payouts are assigned for Server-side template injection, which results in remote code execution. We will analyze these two examples in this article.

The first example was found in the bugbounty Uber program. The user with the nickname Orange changed his nickname on the uber.com website to {{'7' * 7}} and received "77777777" in an email. This suggests that the system is vulnerable to SSTI (Jinja2 template). The hacker received a $ 10,000 reward for this vulnerability.

iorTZbtwlWQ.jpg


QP9qe0nbOdA.jpg

BugBounty Uber Program

The second example was found in the Shopify program. Operation is much more difficult than the first example. The user tried to modify the standard send template and was able to get the template change and get more information. Such a find brought the hacker $ 10,000.

05VwULAdusc.jpg

BugBounty Shopify program

Conclusion
Server-side template injection is a fairly serious vulnerability. Through SSTI, you can get full control over the server, which we discussed today with specific examples. Template engines will continue to gain traction. Therefore, it will potentially be possible to meet even more reports from bugbounty platforms.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Friendly Disclaimer We do not host or store any files on our website except thread messages, most likely your DMCA content is being hosted on a third-party website and you need to contact them. Representatives of this site ("service") are not responsible for any content created by users and for accounts. The materials presented express only the opinions of their authors.
🚨 Do not get Ripped Off ! ⚖️ Deal with approved sellers or use RTM Escrow on Telegram
Gold
Mitalk.lat official Off Shore Club Chat


Gold

Panel Title #1

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

Panel Title #2

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Top