Free Link 🎈
Hey there!😁
Life Lesson #42: When life gives you templates, don’t render them blindly — unless you want your server to get shell-shocked.
One moment I was sipping chai thinking about why my life is still single. The next moment, I was inside a production server through a template input field. 🧃💻
And they say frontend is safe. LOL.
Like every good hacker story, this one starts with mass recon. I was scanning a large application for subdomains and endpoints when I stumbled across something strange:
subdomain: templates.companyname.com
endpoint: /preview?template=invoice
Hmm… That caught my eye. The /preview?template=
endpoint was rendering different invoice previews dynamically, and the content seemed to reflect part of the input.
I sent this payload:
/preview?template={{7*7}}
And the rendered page showed:
49
💥 Boom! Welcome to SSTI (Server-Side Template Injection) land!