Failed to find SMARTY vuln on TryHackMe Server-Side Template Injection Extra-Mile Challenge #45

Closed
91kinks opened this issue Nov 30, 2024 · 2 comments
Labels
bug Something isn't working question Further information is requested

Comments

91kinks commented Nov 30, 2024

The room is located here: https://tryhackme.com/r/room/serversidetemplateinjection

I may have a syntax error as well, but here is the code I used:

python3 sstimap.py --method POST -u 'http://ssti.thm:8080/admin/forms/edit/index.php?page=views&group_name_6=%7B%7B7*7&update_views=Update&view_list_sortable__rows=6%7C2&view_list_sortable__new_groups=2&view_list_sortable__deleted_rows=' -C 'PHPSESSID=fc58035f6c36a8a4416bb881d3a295b7' -e SMARTY

It recognized the correct field (group_name_6) to inject the payloads but it would not return the confirmed injection point. I double-checked with curl to verify that I could receive a response from the webpage. After about four hours of troubleshooting I landed here.

Here's the curl code I used to double-check that the cookie and parameters were not the issue:

curl 'http://ssti.thm:8080/admin/forms/edit/index.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://ssti.thm:8080' -H 'Connection: keep-alive' -H 'Referer: http://ssti.thm:8080/admin/forms/edit/index.php' -H 'Cookie: PHPSESSID=fc58035f6c36a8a4416bb881d3a295b7' -H 'Upgrade-Insecure-Requests: 1' -H 'Priority: u=0, i' --data-raw 'page=views&group_name_6=%7B%7B7*7%7D%7D&update_views=Update&view_list_sortable__rows=6%7C2&view_list_sortable__new_groups=2&view_list_sortable__deleted_rows=' --compressed --output ssti.txt

Also I verified that }*{ broke the page.

Anyway, thanks for the tool! It worked great in the practice room.

@vladko312
Owner

Have you tried using group_name_6=* instead of group_name_6=%7B%7B7*7? In SSTImap, * is an injection marker, so SSTImap attempts to insert payloads into the value, but your value creates invalid Smarty syntax (the tag is opened but not closed).

@vladko312 vladko312 added bug Something isn't working question Further information is requested labels Nov 30, 2024

91kinks commented Nov 30, 2024

Wow, no, I didn't try that. That fixed the issue. Thanks for the help!

@91kinks 91kinks closed this as completed Nov 30, 2024