search

vladko312 / SSTImap

Automatic SSTI detection tool with interactive interface
GNU General Public License v3.0
699 stars 87 forks source link

Handlebars issues. #13

Open sectroyer opened 1 year ago

sectroyer commented 1 year ago

I was testing SSTImap with PortSwiggers Server-side template injection in an unknown language with a documented exploit (https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit) lab and noticed some issues. First of all Handlebars engine was detected as Dust but it might because both are nodejs based. Second issue there was no cmd/shell support for this plugin. I tried using tpl-shell but only got some exception.

vladko312 commented 1 year ago

Handlebars is not supported by SSTImap yet, so it can cause incorrect detections. tpl-shell might work, if you write Handlebars code in it according to the detected context. I will probably add Handlebars soon, but I need to do some research for that.