Lab: Server-side template injection using documentation

You should try solving this lab using only the documentation. However, if you get really stuck, you can try finding a well-known exploit by @albinowax that you can use to solve the lab.

1. Log in and edit one of the product description templates. Notice that this template engine uses the syntax ${someExpression} to render the result of an expression on the page. Either enter your own expression or change one of the existing ones to refer to an object that doesn't exist, such as ${foobar}, and save the template. The error message in the output shows that the Freemarker template engine is being used.
2. Study the Freemarker documentation and find that appendix contains an FAQs section with the question "Can I allow users to upload templates and what are the security implications?". The answer describes how the new() built-in can be dangerous.
3. Go to the "Built-in reference" section of the documentation and find the entry for new(). This entry further describes how new() is a security concern because it can be used to create arbitrary Java objects that implement the TemplateModel interface.
4. Load the JavaDoc for the TemplateModel class, and review the list of "All Known Implementing Classes".
5. Observe that there is a class called Execute, which can be used to execute arbitrary shell commands

6. Either attempt to construct your own exploit, or find @albinowax's exploit on our research page and adapt it as follows:

   <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm /home/carlos/morale.txt") }
7. Remove the invalid syntax that you entered earlier, and insert your new payload into the template.
8. Save the template and view the product page to solve the lab.

Garr_7