Server-Side Template Injection Writeups

Uber - Template Injection Python RCE

Personal Blog Post:

Orange Tsai discovered a Template Injection on the rider.uber.com domain. Changing the account's user name to the payload {{ '7'*7 }} caused the value 7777777 to appear in the follow-up "Your Uber account information has been updated" notification email: the name was being parsed as template source rather than inserted as text. The result is also a fingerprint, since repeating the string (rather than producing 49) is Python string arithmetic, which points at a Python template engine such as Jinja2.

Email notification with the executed template injection payload showing execution on the backend server
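The pattern behind this finding, as an added example written for this page (not Orange Tsai's or Uber's code): a notification body rendered with Jinja2, the Python engine whose {{ }} syntax and string-repetition result match the payload above. The hypothetical notify_* functions build the same email body three ways and feed each the {{ '7'*7 }} probe; the email wording, function names and the looks_injected check are assumptions, not anything from the writeup.

```python
"""Vulnerable vs hardened Jinja2 rendering of a user-controlled name.

Added example, not Uber's code: the notification body is built three ways
and rendered with the {{ '7'*7 }} probe from the writeup.
"""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Plain-text email body, so autoescaping is left off; enable it for HTML mail.
env = Environment()
sandbox = SandboxedEnvironment()

PROBE = "{{ '7'*7 }}"  # the payload from the Uber writeup
SUFFIX = ", your account information has been updated."  # assumed wording


def notify_vulnerable(user_name: str) -> str:
    """Bug pattern: the name is spliced into the template *source*, so any
    Jinja2 syntax it contains is parsed and evaluated by the engine."""
    source = "Hello " + user_name + SUFFIX
    return env.from_string(source).render()


def notify_sandboxed(user_name: str) -> str:
    """Same bug under SandboxedEnvironment: the sandbox restricts what an
    expression may reach but still evaluates it, so it is not a fix."""
    source = "Hello " + user_name + SUFFIX
    return sandbox.from_string(source).render()


def notify_fixed(user_name: str) -> str:
    """Fix: the template source is a constant and the name travels as render
    data, so it is emitted as text and never parsed as template syntax."""
    template = env.from_string("Hello {{ name }}" + SUFFIX)
    return template.render(name=user_name)


def looks_injected(rendered: str, probe: str = PROBE) -> bool:
    """Check a tester can apply to the received email: the probe's computed
    value is present and the literal probe text is absent."""
    return "7777777" in rendered and probe not in rendered


if __name__ == "__main__":
    for fn in (notify_vulnerable, notify_sandboxed, notify_fixed):
        out = fn(PROBE)
        print(f"{fn.__name__:18} injected={looks_injected(out)!s:5} {out}")
```

The sandboxed variant is included because "use SandboxedEnvironment" is a common but wrong answer to this bug: the sandbox changes what an injected expression can reach, not whether it runs. The only fix is to keep user data out of the template source.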

WordPress - XSS

The billing_first_name body parameter of the POST /wp-admin/admin-ajax.php route is vulnerable to Template Injection: the submitted value is evaluated as template syntax and its output is stored and rendered on the account page, which yields Stored XSS.

HTTP POST request with Template Injection payload in the billing_first_name body parameter

The Stored XSS fires on the account page https://mercantile.wordpress.org/my_account:

Stored XSS Alert payload executed on the account page

Unikrn - Smarty Template

The researcher discovered that one of the fields on the user invite page was vulnerable to Template Injection. Entering {7*7} into every registration field produced a verbose error message in the notification email that revealed the Smarty template engine. The single-brace {7*7} syntax is Smarty's own, so either an evaluated 49 or a Smarty compile error from this probe points at that engine.

Email response for user invite with {7*7} entered as payload

The issue was further exploited using a PHP payload to read the /etc/passwd file:

Contents of /etc/passwd file returned in noreply email
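A way to turn observations like the {{ '7'*7 }} result in the Uber case and the {7*7} Smarty error in this one into an engine fingerprint, as an added example that belongs to neither writeup: a decision tree modelled on PortSwigger's SSTI identification flow. The identify_engine and evaluated functions, the probe set and the observation dicts are assumptions constructed for illustration; the dicts only resemble the two cases and are not captured responses.

```python
"""Fingerprint the template engine from SSTI probe responses.

Added example, not from either writeup: a decision tree modelled on the
PortSwigger SSTI identification flow. The observation dicts are constructed
to resemble the two cases above; they are not captured responses.
"""

# Each probe and the value an engine that evaluates it should produce.
# {{7*'7'}} is the tie-breaker: Python repeats the string, PHP coerces to 49.
PROBES = {
    "{{7*7}}": "49",
    "{{7*'7'}}": "7777777",
    "${7*7}": "49",
    '${"z".join("ab")}': "zab",
    "{7*7}": "49",
}


def evaluated(response, payload: str, expected: str) -> bool:
    """The engine computed the payload only if the expected value is present
    AND the literal payload is absent: a verbatim echo means plain text."""
    if response is None:
        return False
    return expected in response and payload not in response


def identify_engine(observations: dict) -> str:
    """observations: probe payload -> response body seen for that payload
    (for the cases above, the text of the notification email)."""

    def hit(payload: str) -> bool:
        return evaluated(observations.get(payload), payload, PROBES[payload])

    # Double-brace {{ }}: Jinja2 or Twig; string arithmetic separates them.
    if hit("{{7*7}}"):
        if hit("{{7*'7'}}"):
            return "Jinja2"
        if evaluated(observations.get("{{7*'7'}}"), "{{7*'7'}}", "49"):
            return "Twig"
        return "Jinja2/Twig (send {{7*'7'}} to separate them)"

    # ${ } style: Mako (Python, so str.join works) or FreeMarker-like.
    if hit("${7*7}"):
        return "Mako" if hit('${"z".join("ab")}') else "FreeMarker or other ${ } engine"

    # Single-brace {7*7}: Smarty, which also names itself in compile errors.
    smarty = observations.get("{7*7}")
    if smarty is not None and ("Smarty" in smarty or hit("{7*7}")):
        return "Smarty"

    return "not evaluated"


# Constructed to resemble the Uber case: a Python engine repeats the string.
UBER_LIKE = {
    "{{7*7}}": "Your Uber account information 49 has been updated",
    "{{7*'7'}}": "Your Uber account information 7777777 has been updated",
    "${7*7}": "Your Uber account information ${7*7} has been updated",
}

# Constructed to resemble the Unikrn case: {7*7} evaluates and the error
# text from another probe names the engine.
UNIKRN_LIKE = {
    "{{7*7}}": "Fatal error: Uncaught SmartyCompilerException: Syntax error in template",
    "{7*7}": "You have been invited to join by 49",
}

# Constructed control: every probe echoed back verbatim.
NOT_VULNERABLE = {p: f"Hello {p}, welcome" for p in PROBES}


if __name__ == "__main__":
    for label, obs in (("uber-like", UBER_LIKE), ("unikrn-like", UNIKRN_LIKE),
                       ("control", NOT_VULNERABLE)):
        print(f"{label:12} -> {identify_engine(obs)}")
```

The check that matters is in evaluated: a response containing 49 that also still contains the literal {{7*7}} is an echo, not an evaluation, and a page that happens to contain 49 elsewhere will produce a false positive, so confirm with a second expression (for example 3*11) before reporting.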
