Server-side template injection with information disclosure via user-supplied objects
Description
This lab is vulnerable to server-side template injection due to the way an object is being passed into the template. This vulnerability can be exploited to access sensitive data.
Reproduction and proof of concept
Log in with content-manager:C0nt3ntM4n4g3r and edit one of the product description templates. Change one of the template expressions to something invalid, such as the fuzz string ${{<%[%'"}}%\ and save the template.
Internal Server Error
Traceback (most recent call last): File "<string>", line 11, in <module> File "/usr/local/lib/python2.7/dist-packages/django/template/base.py", line 191,...
The error message in the output hints that the Django framework is being used.
Study the Django documentation and notice that the built-in template tag debug can be called to display debugging information.
In the template, remove your invalid syntax and enter the following statement to invoke the debug built-in:
{% debug %}
Save the template. The output will contain a list of objects and properties to which you have access from within this template. Crucially, notice that you can access the settings object.
{'product': {'name': 'Pest Control Umbrella', 'price': '$48.16', 'stock': 80}, 'settings': } ... 'django.conf.global_settings': , ... }
Study the settings object in the Django documentation and notice that it contains a SECRET_KEY property, which has dangerous security implications if known to an attacker. In the template, remove the {% debug %} statement, enter the expression {{settings.SECRET_KEY}}, and save the template to output the framework's secret key.
Results:
ldbmb3c6b13x7kxiat3msfe92ycg761d
Click the “Submit solution” button and submit the secret key to solve the lab.
Exploitability
An attacker will need to steal and submit the framework’s secret key.
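As an added defensive example (not code from the lab or the original write-up), the following Python shows the two checks the root cause above calls for: scanning a user-editable Django template for the {% debug %} tag and settings.* lookups before it is saved, and auditing the render context so a settings-like object is never handed to the template in the first place. The function names, the disallowed-tag list and the FakeSettings sample are assumptions for illustration; the regex scan is a pre-save lint, not a full Django template parse.

```python
import re

# Tags that expose internals or pull in other templates; trim to what the app needs (assumed list).
DISALLOWED_TAGS = {"debug", "load", "include", "extends", "ssi"}
# Context roots that must never be reachable from a user-editable template (assumed list).
DISALLOWED_ROOTS = {"settings", "request"}

TAG_RE = re.compile(r"\{%\s*(\w+)")        # {% tagname ... %}
VAR_RE = re.compile(r"\{\{\s*([\w.]+)")    # {{ root.attr.attr ... }}


def audit_template_source(source):
    """Return (kind, name) findings for disallowed constructs in a template string."""
    findings = []
    for m in TAG_RE.finditer(source):
        if m.group(1) in DISALLOWED_TAGS:
            findings.append(("tag", m.group(1)))
    for m in VAR_RE.finditer(source):
        root = m.group(1).split(".")[0]
        if root in DISALLOWED_ROOTS:
            findings.append(("variable", m.group(1)))
    return findings


def audit_context(context):
    """Flag context entries that are, or look like, a framework settings object."""
    return [name for name, value in context.items()
            if name in DISALLOWED_ROOTS or hasattr(value, "SECRET_KEY")]


def safe_product_context(product):
    """Hand the template only the product fields it renders, nothing else."""
    wanted = ("name", "price", "stock")
    return {"product": {k: product[k] for k in wanted if k in product}}


if __name__ == "__main__":
    # Constructed sample mirroring the lab's product object and a stand-in settings object.
    class FakeSettings:
        SECRET_KEY = "constructed-placeholder"

    print(audit_template_source("{% debug %} {{settings.SECRET_KEY}}"))
    print(audit_context({"product": {"name": "Pest Control Umbrella"}, "settings": FakeSettings()}))
```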