Lab: Server-side Template Injection in an unknown language with a documented exploit (unintended?)

Low | Last updated: May 04, 2021 06:57AM UTC

Hi, I used a payload from this website: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#handlebars-nodejs and the lab still considered the challenge completed even though I did not execute rm /home/carlos/morale.txt. I was wondering if this is considered unintended and should be corrected?

Hannah, PortSwigger Agent | Last updated: May 04, 2021 09:31AM UTC

Hi. As part of your unintended solution, did you delete the morale.txt file? Did you just execute the "whoami" command that is currently part of the payload linked?

