A brief summary about a SSTI to RCE in Bagisto

This is a summary of a Server Side Template Injection vulnerability found and used as RCE.

The Beginning

Sometimes, when a Red Team exercise is very hard, I look at things to unwind .

One given day, I was talking to my friend cupc4k3 about life. He told me that he had just set up a server for an eCommerce platform called Bagisto. I was curious and decided to take a closer look at Bagisto version : 1.5.1.

The Functionality

When I looked, I could see the Pages functionality. It is possible to create and customize pages of e-commerce, it looked interesting.

The Pages functionality

As you can see in the next image, there is the possibility of placing a snippet of HTML code on the page, looking at it, I immediately remember XSS vulnerabilities.

The feature to write HTML code

I was right about that, but something told me that I should look deeper, if this were a real red team engagement, the XSS would be an unreliable vector for further impact due to time constraints to make the most out of it.

The XSS vulnerability

The Vulnerability

I continued to analyze the functionality, then when inserted {{7*7}}, in response, the number 49 is visible. A Server Side Template Injection (SSTI) was confirmed.

The SSTI is a vulnerability that allows injecting a native template content such as a payload and this is executed in the server, that is, that old problem of concatenating the input directly. With the vulnerability confirmed, we went into a probe of impact, and to our surprise, the first RCE payload test was legitimate. We knew it was a framework made in PHP which made it a lot easier.

To test, we used a known payload for RCE, reading the /etc/passwd file as shown in the image below

The payload to trigger RCE on SSTI

In the preview moment, I can see the file passwd content. Now I have a nice impact for a Red Team engagement, a vector of initial access to the network (of course that depends on where the application is stored). But, this would be a cool beginning.

Result of command injected

It’s important to note that through this vulnerability an attacker can execute commands on the application’s server, allowing access to files on it, such as ones with database credentials, API credentials and others.

If this is hosted at a cloud provider, an attacker may try to read the instance’s metadata, extending the impact beyond that of a simple CMS admin user compromise.

The Report

When reporting to the vendor, they did not recognize it as a valid impact, according to them, there is no impact of gaining local user access to the machine, if you already are an admin user on the dashboard. Therefore, I decided to write this brief about the vulnerability, to not lose the tread, I registered the CVE-2023–33570 number.

This is simple, but I hope you enjoyed it… Thanks to review Mr. Bug_Art