From ZAP, I found the hidden directory composer.lock. From there, I found out that the application uses Twig v2.14.0:
Basic fuzzing:
In an attempt to discover more directories, I decided to perform a directory discovery using gobuster. I included common extensions such as .php, .lock and .json.
Interesting file found: composer.json . The content of the file confirms the presence of Twig:
Source code review
I found the following comments at the bottom of the source code of the / page:
After navigating to the mail.log file, I found the following note:
From this note, we can understand that default credentials will be added to the users table in the event that it gets corrupted or deleted. Hmm, this seems to give us a hint that we need to somehow alter or drop this table.
Exploring the application
(1) Normal user login
Using the GUI to test the payload ' returns an error message. Looking at the sources, I found a file script.js that works to block a few keywords. Thus, I used Burp suite to send the API request directly to the server instead.
script.js:
Possible SQL query:
Injection to username POST field:
This works with space in between the items too:
' || 1=1; --
Further learning
To explore what other injection methods can be used, I utilized Sqlmap:
login.txt contains the HTTP POST request from above
I found that the following payload to the username field works too:
After the successful injection on the login form, we are able to view the dashboard page, which presents us with a method to edit the leader board table:
Possible SQL query:
Injection 1
Injection to the gold field:
This action will update the gold, silver and bronze field to 22 for every country. With that, we know that the SQL injection worked!
Injection 2
Now that we have confirmed that we can perform an SQL injection attack, we can attempt to drop the user table again.
When we navigate back to the GUI, we are presented with a note that the database is down.Success!
SSTI injection on the admin profile page
The following displays the request to update the admin profile page (Burp suite):
Upon updating the fname field, it appears that the value is reflected on the profile page.
Twig SSTI injection
Identifying vulnerability to SSTI
Using the simple test value of {{7*7}} shows the value 49 displayed. This shows that the application is vulnerable.
From the composer.json file, we know that the application uses Twig as the server-side template engine.
I tried a few payloads I have found from multiple sources (refer to references below):
$ gobuster dir -u http://<target> -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -x php,json,lock
From: dev@injectics.thm
To: superadmin@injectics.thm
Subject: Update before holidays
Hey,
Before heading off on holidays, I wanted to update you on the latest changes to the website. I have implemented several enhancements and enabled a special service called Injectics. This service continuously monitors the database to ensure it remains in a stable state.
To add an extra layer of safety, I have configured the service to automatically insert default credentials into the `users` table if it is ever deleted or becomes corrupted. This ensures that we always have a way to access the system and perform necessary maintenance. I have scheduled the service to run every minute.
Here are the default credentials that will be added:
| Email | Password |
|---------------------------|-------------------------|
| superadmin@injectics.thm | superSecurePasswd101 |
| dev@injectics.thm | devPasswd123 |
Please let me know if there are any further updates or changes needed.
Best regards,
Dev Team
dev@injectics.thm
