Server-side template injection using documentation

Description

This lab is vulnerable to server-side template injection. To solve the lab, identify the template engine and use the documentation to work out how to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory.

Reproduction and proof of concept

  1. Log in with content-manager:C0nt3ntM4n4g3r and edit one of the product description templates. Notice that this template engine uses the syntax ${someExpression} to render the result of an expression on the page. Either enter your own expression or change one of the existing ones to refer to an object that doesn’t exist, such as ${hackingit}, and save the template. The error message in the output shows that the Freemarker template engine is being used.

Test FreeMarker template error (DEBUG mode; use RETHROW in production!): The following has evaluated to null or missing: ==> hackinit [in template "freemarker" at line 6, column 11] ...
  1. Study the Freemarker documentation and find that appendix contains an FAQs section with the question Can I allow users to upload templates and what are the security implications?. The answer describes how the new() built-in can be dangerous.

  2. Go to the “Built-in reference” section of the documentation and find the entry for new(). This entry further describes how new() is a security concern because it can be used to create arbitrary Java objects that implement the TemplateModel interface.

  3. Load the JavaDoc for the TemplateModel class, and review the list of All Known Implementing Classes.

  4. Observe that there is a class called Execute, which can be used to execute arbitrary shell commands.

  5. Either attempt to construct your own exploit, or use @albinowax’s exploit and adapt it as follows:

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm /home/carlos/morale.txt") }
  1. Remove the invalid syntax that you entered earlier, and insert your new payload into the template.

  2. Save the template to solve the lab.

Exploitability

An attacker will need to identify the template engine and use the documentation to work out how to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory. An account is available: content-manager:C0nt3ntM4n4g3r.