
Server side template injection(?), and how to confirm it?
Posted in Bug Help by @katsuragicsl

katsuragicsl

Researcher

Hello, I just found a site of a private bug bounty program that seems to be vulnerable to SSTI. I think it is Twig but I could not find a way to confirm it and test it by reverse shell (since I don't have a public IP. Or should I set up a server?)

Injection point: example.com?param=payload

Test cases:

param={{7*7}} -> returns {{7*7}}
param={{7*'7'}} -> web app crashed, everything popped up and was showing like "xx.name", "yy.value"
param={{7*'7}} -> web app crashed, similar to above
param={{7*7'}} -> returns 22 (what the hell......I am very interested)
param={{7*8'}} -> returns 2 (what the hell again)
param={{7*8*1'}} -> returns 2
param={{7*8*2'}} -> returns 4 (something must have happened. But how can I confirm it and prove it to the bounty program holder?)

Thanks a lot! I would mention anyone giving me an inspiring answer if my report is going to be accepted.


Posted on 2018-12-01
Edited on 2018-12-01 at 05:27:20pm (GMT)
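Defender-side detection for the kind of probes described in this post, added here as an example and not code from the original thread: it scans constructed sample access-log lines (the IPs, timestamps and log format are assumptions) for template-expression markers that contain arithmetic, and records the response status so that a 5xx following a quoted probe, the crash pattern described above, stands out per source.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Expression markers of common template engines; {{ ... }} is the Twig/Jinja2 form the post suspects.
TEMPLATE_MARKERS = [r"\{\{.*?\}\}", r"\$\{.*?\}", r"<%.*?%>", r"#\{.*?\}"]
# Arithmetic inside the marker, tolerating a stray quote such as {{7*7'}}.
ARITH_RE = re.compile(r"\d+\s*[*+\-/]\s*['\"]?\d+")
# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (assumed hosts and times) mirroring the probes in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Dec/2018:17:20:01 +0000] "GET /?param=%7B%7B7*7%7D%7D HTTP/1.1" 200 512
203.0.113.7 - - [01/Dec/2018:17:20:05 +0000] "GET /?param=%7B%7B7*'7'%7D%7D HTTP/1.1" 500 2048
203.0.113.7 - - [01/Dec/2018:17:20:09 +0000] "GET /?param=%7B%7B7*7'%7D%7D HTTP/1.1" 200 498
198.51.100.4 - - [01/Dec/2018:17:21:00 +0000] "GET /?param=hello HTTP/1.1" 200 510
"""


def find_ssti_probes(log_text):
    """Return one record per query parameter carrying a template expression with arithmetic."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            decoded = unquote_plus(value)  # parse_qsl decoded once; this catches double encoding
            for marker in TEMPLATE_MARKERS:
                for expr in re.findall(marker, decoded, re.S):
                    if ARITH_RE.search(expr):
                        hits.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                                     "payload": decoded, "status": int(m["status"])})
    return hits


def summarize(hits):
    """Per source IP: probe count and how many probes were answered with a server error."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["ip"], {"probes": 0, "server_errors": 0})
        s["probes"] += 1
        s["server_errors"] += int(h["status"] >= 500)
    return summary


if __name__ == "__main__":
    for ip, s in summarize(find_ssti_probes(SAMPLE_LOG)).items():
        print(f"{ip}: {s['probes']} template probes, {s['server_errors']} answered with 5xx")
```

A run of such probes from one client, especially with a 5xx in the middle, is the signal to pull the application error log for that request and check whether user input reaches the template engine as template source rather than as a variable.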

geekpwn

Researcher

This may be of help https://www.youtube.com/watch?v=3cT0uE7Y87s


Posted on 2018-12-02 at 12:36:57am (GMT)