Twig 漏洞列表

Twig, a PHP template engine, posed significant challenges in crafting a working payload due to its built-in and default configurations, particularly in string creation. However, by utilizing the block feature and the built-in _charset variable, Attacker successfully developed a payload by nesting these elements together.

A vulnerability in Twig PHP allows remote attackers to cause the product to execute arbitrary commands via an SSTI vulnerability.

Sensio Labs Twig是法国Sensio Labs公司的一个PHP模板引擎，它允许开发人员自定义标签和过滤器，并创建DSL。 Sensio Labs Twig 1.20.0之前版本的Template.php文件中的‘displayBlock’函数存在安全漏洞。当程序启用Sandbox模式时，远程攻击者可借助模板中的‘_self’变量利用该漏洞执行任意代码。