SSTI to RCE via CSRF Token

Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server. As the name suggests, server-side template injection payloads are delivered and evaluated server-side, potentially making them much more dangerous than a typical client-side template injection.

Step by Step

First open the vulnerable web application, then click the Cookie Editor icon to edit the cookie. If there is a CSRF token, try deleting the value containing the CSRF token and replacing it with an expression like this.

Command : {{5*5}}

If the token is reflected as 25 rather than the literal string {{5*5}}, the expression was evaluated server-side and the parameter is vulnerable to SSTI attacks.

Remote Code Execution

Edit the value of the CSRF-TOKEN parameter again.
Command : {{system('uname -a')}}

Then save and refresh the page. No visible difference or change? Try viewing the page source (CTRL+U). If the parameter is vulnerable, the result will look like this.

If the picture above is not clear, here is the source snippet where the command's output is reflected.

<input type="hidden" name="csrf-token" value="Linux ip-172-31-46-31 4.15.0-1060-aws #62-Ubuntu SMP Tue Feb 11 21:23:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux"/>

Now try to read the contents of /etc/passwd with the command {{system('cat /etc/passwd')}}.

If the command does not work with the system function, try another function such as shell_exec, exec, or passthru. A failure with system does not necessarily mean the parameter is not vulnerable; that particular function may simply be disabled.
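As an added, defender-side example that is not part of the original write-up: the checks below mirror the technique described above from the other side. The point in the introduction is that the token value reaches the template as code rather than as data, so the first control is a strict allow-list check on the token before it is used anywhere; the second is detection of the {{5*5}} canary and of template delimiters in a value that should be an opaque token; the third is the programmatic form of the "25 means vulnerable" check on the reflected hidden input. The token format (32 to 64 hex characters), the log line layout, and every sample value are constructed assumptions for this example; a real application would substitute its own token and log formats.

```python
import re

# Defender-side checks for a CSRF token that is concatenated into a server-side
# template instead of being passed in as data. All formats and sample values
# below are constructed for this example, not taken from any real application.

# Assumed token format: 32..64 lowercase hex characters and nothing else.
CSRF_TOKEN_RE = re.compile(r"[0-9a-f]{32,64}")

# Delimiters used by common template engines; none of them belong in a token.
TEMPLATE_MARKERS = ("{{", "}}", "{%", "%}", "${", "#{", "<%")

# The arithmetic canary from the write-up, e.g. {{5*5}}, and the same probe in
# the delimiter styles of other engines, e.g. ${7*7}.
PROBE_RE = re.compile(r"(?:\{\{|\$\{|#\{|<%=?)\s*(\d+)\s*\*\s*(\d+)\s*(?:\}\}|\}|%>)")

# Pulls the csrf-token value out of a line in the constructed log format below,
# where the token is the last field on the line.
COOKIE_RE = re.compile(r"csrf-token=(.*)$")


def is_valid_csrf_token(value: str) -> bool:
    """Strict allow-list check: run this before the token touches a template."""
    return CSRF_TOKEN_RE.fullmatch(value) is not None


def probe_result(value: str):
    """Number a template engine would print for an arithmetic probe, else None."""
    m = PROBE_RE.search(value)
    return int(m.group(1)) * int(m.group(2)) if m else None


def classify_token(value: str) -> str:
    """Verdict for one csrf-token value seen in a request."""
    if is_valid_csrf_token(value):
        return "ok"
    if probe_result(value) is not None:
        return "ssti-probe"
    if any(marker in value for marker in TEMPLATE_MARKERS):
        return "template-syntax"
    return "malformed"


def scan_log(lines):
    """Map each log line's client IP to a verdict on its csrf-token cookie."""
    findings = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        m = COOKIE_RE.search(line)
        if not m:
            continue
        findings.append((ip, classify_token(m.group(1))))
    return findings


def probe_was_evaluated(probe: str, html: str) -> bool:
    """True if the hidden input echoes the computed canary instead of the raw probe.

    This is the '25 means vulnerable' check from the write-up done on the
    reflected <input name="csrf-token" value="..."> element.
    """
    expected = probe_result(probe)
    if expected is None:
        return False
    m = re.search(r'name="csrf-token"\s+value="([^"]*)"', html)
    return m is not None and m.group(1).strip() == str(expected)


# Constructed log lines (hypothetical format: "<ip> - - [ts] "<request>" <status> csrf-token=<value>").
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Feb/2020:21:30:01 +0000] "GET / HTTP/1.1" 200 csrf-token=3f2a9c0b7d1e4f6a8b9c0d1e2f3a4b5c',
    '10.0.0.9 - - [11/Feb/2020:21:30:07 +0000] "GET / HTTP/1.1" 200 csrf-token={{5*5}}',
    '10.0.0.9 - - [11/Feb/2020:21:30:12 +0000] "GET / HTTP/1.1" 200 csrf-token={{system(\'uname -a\')}}',
    '10.0.0.7 - - [11/Feb/2020:21:30:20 +0000] "GET / HTTP/1.1" 200 csrf-token=abc',
]

if __name__ == "__main__":
    for ip, verdict in scan_log(SAMPLE_LOG):
        print(ip, verdict)
```

The allow-list check is the fix that matters: a token that can only be hex can never carry template syntax, so whatever the template engine does with it is harmless. The log scan and the reflection check are the detection side, useful for spotting probing in access logs and for confirming in a scanner that a canary was actually evaluated rather than merely echoed back.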
