-
Notifications
You must be signed in to change notification settings - Fork 24.1k
/
Copy pathtemplate-engines-special-vars.txt
78 lines (78 loc) · 2.87 KB
/
template-engines-special-vars.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
# The objective of this dictionary is to help to discover the template engine used
# once a evaluation of a template expression was detected via the following dictionary:
# https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-expression.txt
# Special variables are grouped by template engine in order to facilitate the identification.
# Use the term between the expression syntax identified as evaluated like "{{ xxx }}" for example.
#
# Indicate to your fuzzer to ignore a line starting with: "# " (space is important)
# You can also filter the dictionary before to use it via the command: grep -v "# " > dict.txt
#
# Sources:
# https://portswigger.net/research/server-side-template-injection
# https://github.com/epinna/tplmap
# Custom personal labs
#
# GENERIC: To cause an error and perhaps get technical information
1/0
# FREEMARKER (JAVA)
# https://freemarker.apache.org/docs/ref_specvar.html
.version
.current_template_name
.locale_object
# JINJA2 (PYTHON)
# https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
# https://stackoverflow.com/a/40346872/451455
self._TemplateReference__context
# DJANGO (PYTHON)
# https://docs.djangoproject.com/en/3.1/ref/settings/
settings
settings.DEBUG
settings.DATABASES
settings.SECRET_KEY
# PUG (NODEJS)
# https://pugjs.org
# In case of hit then use "Object.keys(VAR_NAME)" to explore the object properties
# Self object is available if the "self" options is set to true
self
# Payload below are more NodeJS related
locals
global
# ERB (RUBY)
# https://ruby-doc.org/stdlib-2.7.1/libdoc/erb/rdoc/ERB.html
ERB.version()
# TORNADO (PYTHON)
# https://www.tornadoweb.org/en/stable/template.html
# Presence of variables with a name starting with "_tt_" indicate usage of Tornado
locals()
globals()
# TWIG (PHP)
# https://twig.symfony.com/doc/3.x/
_self
_self.getTemplateName().__toString
_context
_context|length
_context|keys|first
constant('Twig_Environment::VERSION')
constant('Twig_Environment::VERSION_ID')
constant('Twig_Environment::EXTRA_VERSION')
# VELOCITY (JAVA)
# http://velocity.apache.org/tools/devel/generic.html
$context.keys
$context.TOOLS_VERSION
$field.in("org.apache.velocity.runtime.VelocityEngineVersion")
$field.in("org.apache.velocity.runtime.RuntimeConstants")
# THYMELEAF (JAVA)
# https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#variables
# https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#execution-info
#execInfo
#execInfo.templateStack
#execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null)
execInfo
execInfo.templateStack
execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null)
# SMARTY (PHP)
# https://www.smarty.net/docs/en/language.syntax.variables.tpl
# https://www.smarty.net/docs/en/language.variables.smarty.tpl#language.variables.smarty.config
$smarty.version
$smarty.config
$smarty.template