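---
# Nuclei detection template for Twig (PHP) server-side template injection.
# Detection-only probe: it asks the template engine to apply Twig's `upper`
# filter to a fixed marker string and looks for the transformed marker in
# the response; no function or command is invoked by the payload.
id: xpl-ssti-twig

info:
  name: "Server-Side Template Injection (Twig/PHP)"
  author: imtaqin
  severity: critical
  description: |
    Twig SSTI via upper() filter on a unique marker. Confirms only when
    the unique uppercase value is reflected AND the raw {{ }} payload
    is NOT echoed back.
  tags:
    - ssti
    - rce
    - php
    - twig

http:
  - method: POST
    path:
      - "{{BaseURL}}/"
    headers:
      Content-Type: application/x-www-form-urlencoded
    # The marker sits between lowercase text ("xplZZZ" / "ssti") so that a
    # backend which simply upper-cases all input cannot produce the expected
    # token; only template evaluation yields lowercase wrapper + uppercase marker.
    # NOTE(review): Nuclei also uses {{ }} for its own variables (cf. {{BaseURL}}
    # above); confirm the literal Twig expression reaches the wire unmodified.
    body: "name=xplZZZ{{'xplmarker'|upper}}ssti"

    # Every matcher below must hold for a finding to be reported.
    matchers-condition: and
    matchers:
      - type: status
        status: [200, 201]

      # Positive signal: the filter ran, so the braces are gone and only the
      # marker is upper-cased.
      - type: word
        part: body
        words:
          - "xplZZZXPLMARKERssti"

      # Negative signal: if the raw payload is echoed back, the input was
      # reflected without template evaluation; suppress to limit false positives.
      - type: word
        part: body
        words:
          - "{{'xplmarker'|upper}}"
        negative: true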