From 3e68276fb7c3db79b78fe3e67e08f23a48b3e9e6 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Wed, 21 Sep 2022 11:28:57 +0200
Subject: [PATCH] add 3 template engines + add lang in menu
---
Server Side Template Injection/README.md | 143 +++++++++++++++++++++--
1 file changed, 133 insertions(+), 10 deletions(-)
diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index c911119..4aeb0ab 100644
--- a/Server Side Template Injection/README.md
+++ b/Server Side Template Injection/README.md
@@ -15,7 +15,7 @@
- [Expression Language EL - Basic injection](#expression-language-el---basic-injection)
- [Expression Language EL - One-Liner injections not including code execution](#expression-language-el---one-liner-injections-not-including-code-execution)
- [Expression Language EL - Code Execution](#expression-language-el---code-execution)
- - [Freemarker](#freemarker)
+ - [Java - Freemarker](#freemarker)
- [Freemarker - Basic injection](#freemarker---basic-injection)
- [Freemarker - Read File](#freemarker---read-file)
- [Freemarker - Code execution](#freemarker---code-execution)
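Review bot: The `[Java - Freemarker](#freemarker)` line changes only the link text; the unchanged `#freemarker` target shows the section heading is still `Freemarker`, so the menu label no longer matches the heading it jumps to. Either say in the commit message that the language prefix is meant for the menu only, or rename the headings and update the anchors in the same change.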
@@ -26,7 +26,7 @@
- [Groovy - HTTP request:](#groovy---http-request)
- [Groovy - Command Execution](#groovy---command-execution)
- [Groovy - Sandbox Bypass](#groovy---sandbox-bypass)
- - [Handlebars](#handlebars)
+ - [JavaScript - Handlebars](#handlebars)
- [Handlebars - Command Execution](#handlebars---command-execution)
- [Jade / Codepen](#jade--codepen)
- [Java](#java)
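Review bot: Only Handlebars gets a language prefix in this hunk, while the `Jade / Codepen` entry in the trailing context is left unprefixed although Jade is also a JavaScript engine. Suggest `[JavaScript - Jade / Codepen](#jade--codepen)` for consistency, or a short note on why some entries are excluded from the new naming.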
@@ -34,7 +34,7 @@
- [Java - Retrieve the system’s environment variables](#java---retrieve-the-systems-environment-variables)
- [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd)
- [Django Template](#django-template)
- - [Jinja2](#jinja2)
+ - [Python - Jinja2](#jinja2)
- [Jinja2 - Basic injection](#jinja2---basic-injection)
- [Jinja2 - Template format](#jinja2---template-format)
- [Jinja2 - Debug Statement](#jinja2---debug-statement)
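Review bot: `[Django Template](#django-template)` in the leading context stays unprefixed while the Jinja2 entry right below it becomes `Python - Jinja2`, so two Python engines sit next to each other with different label styles. Suggest prefixing the Django entry as well so the menu reads consistently.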
@@ -48,16 +48,16 @@
- [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
- [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)
- [Jinja2 - Filter bypass](#jinja2---filter-bypass)
- - [Jinjava](#jinjava)
+ - [Java - Jinjava](#jinjava)
- [Jinjava - Basic injection](#jinjava---basic-injection)
- [Jinjava - Command execution](#jinjava---command-execution)
- - [Lessjs](#lessjs)
+ - [JavaScript - Lessjs](#lessjs)
- [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi)
- [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution)
- [Plugins](#plugins)
- - [Mako](#mako)
+ - [Python - Mako](#mako)
- [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace)
- - [Pebble](#pebble)
+ - [Java - Pebble](#pebble)
- [Pebble - Basic injection](#pebble---basic-injection)
- [Pebble - Code execution](#pebble---code-execution)
- [Ruby](#ruby)
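Review bot: After these renames the entries read `Java - Jinjava`, `JavaScript - Lessjs`, `Python - Mako`, `Java - Pebble`, so the list is still ordered by engine name while every label now starts with the language, which makes the ordering hard to follow when scanning. Consider putting the language after the engine name, for example `Jinjava (Java)`, or regrouping the menu by language.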
@@ -65,13 +65,16 @@
- [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
- [Ruby - List files and directories](#ruby---list-files-and-directories)
- [Ruby - Code execution](#ruby---code-execution)
- - [Smarty](#smarty)
- - [Twig](#twig)
+ - [PHP - Smarty](#smarty)
+ - [PHP - Twig](#twig)
- [Twig - Basic injection](#twig---basic-injection)
- [Twig - Template format](#twig---template-format)
- [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
- [Twig - Code execution](#twig---code-execution)
- - [Velocity](#velocity)
+ - [Java - Velocity](#velocity)
+ - [PHP - patTemplate](#pattemplate)
+ - [PHP - PHPlib](#phplib-and-html_template_phplib)
+ - [PHP - Plates](#plates)
- [References](#references)
## Tools
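Review bot: The three new entries `PHP - patTemplate`, `PHP - PHPlib` and `PHP - Plates` are added after `Java - Velocity`, away from the existing `PHP - Smarty` and `PHP - Twig` entries and out of the engine-name order the rest of the menu follows. Suggest inserting them in order among the existing entries, and double-check that `#phplib-and-html_template_phplib` matches the anchor generated for the new heading, since it is the only target in this hunk that differs from its label.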
@@ -945,6 +948,126 @@ $str.valueOf($chr.toChars($out.read()))
---
+## patTemplate
+
+> [patTemplate](https://github.com/wernerwa/pat-template) non-compiling PHP templating engine, that uses XML tags to divide a document into different parts
+
+```xml
+
+
Name | |
---|---|
{NUM_AUTHORS} | |
{AUTHOR_NAME} | {AUTHOR_EMAIL} |
Hello, =$this->e($name)?>
+``` + +layout template: + +```php + + +
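Review bot: The blockquote description under `## patTemplate` has no verb and carries a stray comma ("non-compiling PHP templating engine, that uses XML tags"). Suggest "patTemplate is a non-compiling PHP templating engine that uses XML tags to divide a document into different parts."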