Twig Server Side Template Injection

Twig versions prior to 2.4.4 suffer from a server-side template injection (SSTI) vulnerability: when an application evaluates a user-supplied request parameter as template source, any {{ ... }} expression the client sends is executed on the server instead of being treated as data.

MD5 | f8c2f2e2c464c7a35f871f4ab21a5af4

Vulnerability details:
# Exploit Title: Twig <2.4.4 Server side template injection
# Date: 02/15/2018
# Exploit Author: JameelNabbo
# Author website:
# Vendor Homepage:
# Software Link:
# Version: < 2.4.4
# Tested on: MAC OSX

Twig is a modern PHP template engine that compiles templates down to plain, optimized PHP code. Twig < 2.4.4 contains an SSTI vulnerability that allows attackers to execute commands through request parameters: where the application expects a normal integer or a normal string, the attacker instead supplies {{COMMAND TO EXECUTE}}, and Twig evaluates the expression on the server. Which parameter is affected depends on the vulnerable application, which takes different parameters by GET or POST.

Example: injecting {{4*4}} into a search parameter, http://localhost/search?search_key={{4*4}} (URL-encoded: http://localhost/search?search_key=%7B%7B4*4%7D%7D), produces the output 16. A page that only reflects the input would echo {{4*4}} literally; seeing 16 shows the parameter was parsed by the template engine. To confirm the engine is Twig rather than another {{ }} syntax, {{7*'7'}} evaluates to 49 in Twig (the string is coerced to a number), whereas Jinja2 returns 7777777.

2. POC:

OUTPUT: list of files/directories, etc.
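The following is an added example, not part of the advisory or of the Twig project's code. It shows the vulnerable pattern the advisory describes (a request parameter concatenated into template source and compiled with createTemplate) beside the fix (the parameter passed as a context variable into a fixed template), using the advisory's search_key parameter and {{4*4}} probe. The function names renderSearchVulnerable and renderSearchFixed, the search.twig template and the sample inputs are assumptions made for illustration; it assumes Twig is installed via Composer and uses the Twig 1.x/2.x underscore class names that predate the Twig\ namespace.

```php
<?php
// Added example (not from the advisory): vulnerable Twig usage beside its fix.
// Assumes Twig is installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

$loader = new Twig_Loader_Array([
    // Hypothetical results page: search_key is a context variable, never source.
    'search.twig' => 'Results for: {{ search_key }}',
]);
$twig = new Twig_Environment($loader, ['autoescape' => 'html']);

// VULNERABLE: the request parameter becomes template *source*, so Twig parses
// and evaluates any {{ ... }} expression the client sends. This is the
// pattern behind the advisory's ?search_key={{4*4}} -> 16 example.
function renderSearchVulnerable(Twig_Environment $twig, string $searchKey): string
{
    return $twig->createTemplate('Results for: ' . $searchKey)->render([]);
}

// FIXED: the parameter is passed as *data* to a fixed template. Twig only
// prints it (HTML-escaped under autoescape), and never parses its braces.
function renderSearchFixed(Twig_Environment $twig, string $searchKey): string
{
    return $twig->render('search.twig', ['search_key' => $searchKey]);
}

// Constructed inputs standing in for ?search_key=... from a request.
$inputs = ['shoes', '{{4*4}}', "{{7*'7'}}"];

foreach ($inputs as $input) {
    // vulnerable: '{{4*4}}' -> "Results for: 16"  (expression evaluated)
    printf("vulnerable: %s\n", renderSearchVulnerable($twig, $input));
    // fixed:      '{{4*4}}' -> "Results for: {{4*4}}"  (braces printed literally)
    printf("fixed:      %s\n", renderSearchFixed($twig, $input));
}
```

The fix is not a Twig upgrade but a change in how input reaches the engine: request data must only ever enter a template as a variable in the render context. If an application genuinely needs to compile user-authored templates, that is a separate design problem (Twig ships a sandbox extension for it), and plain createTemplate on request data is never acceptable.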
