📓Vuln notes

File Inclusion Vulnerability

Dynamic websites include HTML pages on the fly using information from the HTTP request to include GET and POST parameters, cookies, and other variables. It is common for a page to "include" another page based on some of these parameters.

  • LFI, or Local File Inclusion, occurs when an attacker is able to get a website to include a file that was never intended to be an option for the application. A common example is an application that takes the path to a file as input. If the application treats this input as trusted and does not perform the required sanitization checks on it, an attacker can exploit it by placing ../ sequences in the supplied file name and eventually read sensitive files on the local file system. In some limited cases, an LFI can lead to code execution as well.

  • RFI, or Remote File Inclusion, is similar to LFI, but in this case the attacker is able to make the host load a remote file over protocols such as HTTP or FTP.

  • An example of LFI: ?page=../../../../../../../../windows/system32/drivers/etc/hosts

  • An example of RFI: ?page=//10.10.14.6/somefile

  • The file inclusion is possible because the backend uses PHP's include() function to process the URL parameter page, serving a different web page for each language. Because no proper sanitization is done on this page parameter, we were able to pass malicious input and therefore view internal system files.

Server-Side Template Injection (SSTI)

  • Server-side template injection is a vulnerability in which the attacker injects malicious input into a template in order to execute commands on the server.

  • To put it plainly, an SSTI is an exploitation technique in which the attacker injects code native to the Template Engine into a web page. The code is then run by the Template Engine and the attacker gains code execution on the affected server.

  • This attack is very common on Node.js websites, and there is a good possibility that a Template Engine is being used to reflect the e-mail address that the user enters in the contact field.

  • In order to exploit a potential SSTI vulnerability, we first need to confirm that it exists. After searching Google for common SSTI payloads, we find a Hacktricks article that showcases exploitation techniques for various template engines. The following image shows how to identify whether an SSTI vulnerability exists and how to find out which Template Engine is in use. Once the engine is identified, a more specific payload can be crafted to allow for remote code execution.

  • The Identify section of the Hacktricks page lists a variety of special characters commonly used in template expressions:

{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
