# Server-Side Template Injection Writeups

### Uber - Template Injection Python RCE

{% embed url="<https://hackerone.com/reports/125980>" %}

Personal Blog Post:

{% embed url="<http://blog.orange.tw/2016/04/bug-bounty-uber-ubercom-remote-code_7.html>" %}

Orange Tsai discovered a Template Injection on the rider.uber.com domain. Changing the user name to the payload `{{ '7'*7 }}` returned the evaluated value `'7777777'` in the follow-up "Your Uber account information has been updated" email notification, showing that the name was being rendered as template source on the backend.

![Email notification with the executed template injection payload showing execution on the backend server](/files/-MOxT48cPts-BRWkblrz)

```
{# Payloads used #}
{{ '7'*7 }}
{{ [].class.base.subclasses() }} {# get all classes #}
{{''.class.mro()[1].subclasses()}}
{%for c in [1,2,3] %}{{c,c,c}}{% endfor %}
```

### WordPress - XSS

{% embed url="<https://hackerone.com/reports/250837>" %}

The `billing_first_name` body parameter on the `POST /wp-admin/admin-ajax.php` route is vulnerable to Template Injection, which allows Stored XSS on the account page.

![HTTP POST request with Template Injection payload in the billing_first_name body parameter](/files/-MOxOwmzg_OQxYdOKZ_q)

The Stored XSS is returned on the account page <https://mercantile.wordpress.org/my_account>:

![Stored XSS Alert payload executed on the account page](/files/-MOxQWerqWf8EHZw6rFJ)

### Unikrn - Smarty Template

{% embed url="<https://hackerone.com/reports/164224>" %}

The researcher discovered that one of the fields on the user invite page was vulnerable to Template Injection. Upon entering `{7*7}` into all the registration fields, a verbose error message was returned in the email notification, revealing a Smarty template engine message.

![Email response for user invite with {7*7} entered as payload](/files/-MOxMJEtcj6dt9H-TUcN)

It was further exploited with a PHP payload inside Smarty's `{php}` block to read the `/etc/passwd` file:

```
{php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php}
```

![Contents of /etc/passwd file returned in noreply email ](/files/-MOxN_LeoNj3gpQ_xhy0)
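All three reports share one root cause: a user-supplied field (a user name, a billing name, an invite field) was compiled as template source instead of being passed to a fixed template as data. The following is an added example and is not code from any of the reports or the affected sites. It uses Python's standard-library `string.Template` as a stand-in for Jinja2 and Smarty (an assumption made so it runs without those packages) to contrast the vulnerable and the fixed rendering pattern, and it adds a small detector for the probe syntaxes quoted above (`{{ }}`, `{% %}`, `{7*7}`, `{php}`) that a team could run over submitted fields or outbound notification bodies. `SERVER_CONTEXT`, `NOTIFICATION` and the form submission are constructed sample data.

```python
import re
from string import Template

# Constructed sample: the notification template is fixed code; only $name is data.
NOTIFICATION = Template("Hello $name, your account information has been updated.")

# Constructed sample: values the rendering context exposes to the template engine.
SERVER_CONTEXT = {"server_secret": "INTERNAL-VALUE"}


def render_vulnerable(user_name: str) -> str:
    """Vulnerable pattern (what the reports above describe): the user-controlled
    value is spliced into the template *source*, so any template syntax it
    carries is interpreted against the server-side context."""
    source = "Hello " + user_name + ", your account information has been updated."
    return Template(source).safe_substitute(SERVER_CONTEXT)


def render_safe(user_name: str) -> str:
    """Fixed pattern: the template is static and the user value is passed as a
    context variable. Substitution is a single pass, so template syntax inside
    the value is emitted literally and never evaluated."""
    return NOTIFICATION.substitute(name=user_name)


# Delimiter families seen in this page's reports (Jinja2 on Uber and WordPress,
# Smarty on Unikrn) plus the ${...} placeholder style of string.Template.
PROBE_PATTERNS = {
    "jinja2 expression {{ }}": re.compile(r"\{\{.*?\}\}", re.S),
    "jinja2 statement {% %}": re.compile(r"\{%.*?%\}", re.S),
    "smarty {php} block": re.compile(r"\{php\}", re.I),
    "brace arithmetic {7*7}": re.compile(r"\{\s*\d+\s*\*\s*\d+\s*\}"),
    "dollar placeholder ${ }": re.compile(r"\$\{[^}]*\}"),
}


def detect_template_syntax(value: str) -> list:
    """Return the names of every probe family found in a submitted value.
    Intended for logging/alerting on the input side or on rendered mail bodies;
    it is not the fix, render_safe is."""
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(value)]


def scan_fields(fields: dict) -> dict:
    """Run the detector over a whole form submission.
    Returns {field_name: [probe families]} for fields containing template syntax."""
    hits = {}
    for field, value in fields.items():
        found = detect_template_syntax(str(value))
        if found:
            hits[field] = found
    return hits


if __name__ == "__main__":
    # Constructed submission using the probe values quoted in the writeups above.
    submission = {"first_name": "{{ '7'*7 }}", "last_name": "{7*7}", "company": "Orange"}
    print(scan_fields(submission))
    print(render_vulnerable("$server_secret"))  # context value leaks into the email
    print(render_safe("$server_secret"))        # same input, rendered as plain text
```

The distinction carries over directly to the real engines: building a template from user input (`Environment.from_string(user_input)` in Jinja2, or concatenating a name into a Smarty template file) is the defect, while `template.render(name=user_input)` with a fixed template is the fix. The detector is a secondary control for spotting probes like `{7*7}` in logs; a sandboxed environment reduces impact but does not replace keeping user data out of template source.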
