Template Trouble: How I Exploited a Logic Bug in a Templating Engine for RCE
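The article describes gaining access to a production server through a server-side template injection (SSTI) attack. The attacker injected malicious code through a template input field and gained control of the server when the page was rendered. The incident shows that even a seemingly safe front end carries potential risk. 2025-5-20 04:38:2 Author: infosecwriteups.com (view original)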

Iski


Hey there!😁


Life Lesson #42: When life gives you templates, don’t render them blindly — unless you want your server to get shell-shocked.

One moment I was sipping chai thinking about why my life is still single. The next moment, I was inside a production server through a template input field. 🧃💻

And they say frontend is safe. LOL.

Like every good hacker story, this one starts with mass recon. I was scanning a large application for subdomains and endpoints when I stumbled across something strange:

subdomain: templates.companyname.com
endpoint: /preview?template=invoice

Hmm… That caught my eye. The /preview?template= endpoint was rendering different invoice previews dynamically, and the content seemed to reflect part of the input.

I sent this payload:

/preview?template={{7*7}}

And the rendered page showed:

49

💥 Boom! Welcome to SSTI (Server-Side Template Injection) land!
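From the defender's side, the probe described above is visible in the access log. The following is an added example, not code from the original write-up: it flags `/preview` requests whose `template` value carries template-expression delimiters, including double-encoded ones. The allowlist contents, the log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Template names the endpoint should serve (assumed; only "invoice" is on the page).
ALLOWED_TEMPLATES = {"invoice"}
# Expression delimiters of common template engines: {{ }}, {% %}, ${ }, #{ }, <% %>.
EXPR_DELIMS = re.compile(r"\{\{|\}\}|\{%|%\}|\$\{|#\{|<%|%>")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %257B%257B is seen as {{."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return 'ok', 'unknown-template' or 'ssti-probe'; None if not a /preview request."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if url.path != "/preview":
        return None
    # parse_qs already decodes once; fully_decode handles further layers.
    values = parse_qs(url.query, keep_blank_values=True).get("template", [])
    verdict = "ok"
    for raw in values:
        value = fully_decode(raw)
        if EXPR_DELIMS.search(value):
            return "ssti-probe"
        if value not in ALLOWED_TEMPLATES:
            verdict = "unknown-template"
    return verdict

# Constructed sample log lines (not from the original write-up).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/May/2025:04:30:01 +0000] "GET /preview?template=invoice HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/May/2025:04:31:12 +0000] "GET /preview?template={{7*7}} HTTP/1.1" 200 2',
    '203.0.113.9 - - [20/May/2025:04:31:40 +0000] "GET /preview?template=%257B%257B7*7%257D%257D HTTP/1.1" 200 2',
    '203.0.113.7 - - [20/May/2025:04:32:02 +0000] "GET /preview?template=receipt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line.split('"')[1])
```

The same allowlist belongs in the application itself: a `template` value that is not a known name should be rejected before it reaches the rendering engine, so the log check is a second layer rather than the fix.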


Article source: https://infosecwriteups.com/template-trouble-how-i-exploited-a-logic-bug-in-a-templating-engine-for-rce-0f691b9f7102?source=rss----7b722bfd1b8d--bug_bounty