Server-side Template Injection Leading to RCE on Google VRP

mizzleneupane
Jun 30, 2023

I collected a comprehensive list of subdomains associated with Google’s infrastructure using various subdomain enumeration tools such as Amass, Subfinder, and OneForAll. I inspected each subdomain manually, and only unique subdomains were considered for further analysis. Unfortunately, no significant findings were initially identified.

After exhausting the initial subdomain enumeration methods, I recollected the availability of a valuable tool, hakrawler, a rapid web crawler designed to search for assets and endpoints. With renewed enthusiasm, I proceeded to employ hakrawler to conduct a comprehensive analysis of the previously collected subdomains.
To initiate the process, I ran the hakrawler command, utilizing the following syntax: "cat subdomain.txt | hakrawler >> urls.txt"
Once the crawling and extraction process was complete, I grepped all the subdomains from the urls.txt file and successfully filtered out any previously identified subdomains, focusing solely on the new and previously undiscovered ones.

Subsequently, I proceeded to intercept one of the subdomains obtained through hakrawler, and this particular URL, "https://eduexams.withgoogle.com/api/trans/en", captured my attention. Within Burp Suite, I examined the intercepted HTTP requests, and while scrutinizing the parameters, my attention turned towards the POST parameter "segment". The POST parameter "segment" was set to "{{7*7}}". Upon sending the request and examining the response, I discovered that the server had evaluated the expression, resulting in the response containing the value "49". This finding piqued my curiosity as it hinted towards the presence of a potential vulnerability, a template injection.

To escalate the identified template injection vulnerability to RCE, I turned to external resources for guidance. In my pursuit of knowledge, I searched for "RCE Template Injection" on Twitter. During my search, I came across a tweet by a renowned ethical hacker named “MorningStar”, which caught my attention.
Intrigued by the tweet, I proceeded to read MorningStar’s associated write-up, hoping to gain insights into potential payloads and techniques for achieving RCE through template injection. Drawing from the knowledge I acquired, I decided to utilize the payload mentioned in the write-up: {{[].__class__.__base__.__subclasses__().pop(40)('/etc/passwd').read()}}

With a mix of anticipation and excitement, I executed the payload within the vulnerable "segment" parameter. I received a response from the server, confirming the successful execution of the code. This breakthrough evoked a tremendous sense of excitement 😊😊

After discovering the vulnerability and successfully executing the RCE payload, I promptly reported the bug to the Google Vulnerability Reward Program (VRP) team. In a timely manner, I received a response from them acknowledging the submission 😇😇
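
For defenders, the two inputs described in this write-up (the "{{7*7}}" probe and the __class__/__subclasses__ chain) can be flagged in request logs, and an evaluated probe can be told apart from one that was merely echoed. The following is an added example, not part of the original post; the function names, the urlencoded body format and the sample JSON responses are assumptions constructed for illustration.

```python
import operator
import re
from urllib.parse import parse_qsl, urlencode

# Template expression delimiters: {{ ... }} or {% ... %}
EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Python object-introspection attributes, as used in the chain quoted in the post
DUNDER = re.compile(r"__(class|base|bases|mro|subclasses|globals|builtins|import)__")
# Arithmetic-only probe such as {{7*7}}
PROBE = re.compile(r"\{\{\s*(\d+)\s*([-+*])\s*(\d+)\s*\}\}")
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}

def classify(value):
    """Return 'introspection', 'probe', 'expression' or None for one parameter value."""
    if not EXPR.search(value):
        return None
    if DUNDER.search(value):
        return "introspection"
    if PROBE.search(value):
        return "probe"
    return "expression"

def scan_body(body):
    """Scan a urlencoded POST body; return [(param, verdict)] for flagged parameters."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        verdict = classify(value)
        if verdict:
            findings.append((name, verdict))
    return findings

def probe_evaluated(value, response_text):
    """True when the probe's computed result is in the response and the raw probe is not."""
    m = PROBE.search(value)
    if not m:
        return False
    result = str(OPS[m.group(2)](int(m.group(1)), int(m.group(3))))
    return result in response_text and m.group(0) not in response_text

# Constructed sample request bodies (not captured traffic)
SAMPLES = [
    urlencode({"segment": "{{7*7}}"}),
    urlencode({"segment": "Hello world", "lang": "en"}),
    urlencode({"segment": "{{[].__class__.__base__.__subclasses__()}}"}),
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", scan_body(body))
    print(probe_evaluated("{{7*7}}", '{"translation": "49"}'))
```

The scanner decodes one layer of URL encoding only, so it belongs after the same decoding the application performs.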
