webProeasy

Lab 243 — VendorNest — SSTI in Product Descriptions via Blade Template Engine

hackadvisor

Task: Multi-vendor marketplace (PHP/Blade) where sellers can create products with rich descriptions rendered through a Blade template engine. Solution: Injected @php directive into product description to achieve SSTI → RCE, bypassed decoy flags, read /root/flag.txt.

$ ls tags/ techniques/

docker rce php ssti marketplace nginx shell_exec template_injection decoy_flag blade product_description

decoy_flag_recognitionssti_blade_php_directiverce_via_php_directiveshell_exec_command_execution

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]DocuNest— hackadvisor
[web][Pro]Lab 237 — MailCraft — SSTI in Email Template Preview— hackadvisor
[web][Pro]Lab 328 — DataNest — NoSQL Operator Injection in Authentication— hackadvisor
[web][Pro]Lab 135 — PageCraft — SSTI in CMS Page Editor— hackadvisor
[web][Pro]PageCraft — SSTI via Twig Template Engine in Post Content— hackadvisor