Zero Day Twig PHP template engine

Twig is a modern template engine for PHP, its flexible, fast, and secure template engine for PHP.If you have any exposure to other text-based template languages, such as Smarty, Django, or Jinja, you should feel right at home with Twig. It’s both designer and developer friendly by sticking to PHP’s principles and adding functionality useful for templating environments.

ExploitDB link:

Well, Twig {Latest version} is affected to Server-Side Template Injection and {{Command execution}}.


Twig <=2.4.4 contain SSTI vulnerability which allow attackers to execute commands within the Parameters, by just using {{COMAND TO EXECUTE}} instead of using the expected values “Normal integer or normal string”, depends on the vulnerable application, which takes deferent params by GET or POST.


Example: by injecting this in a search param http://localhost/search?search_key={{4*4}} >        Output: 16

2. POC:



OUTPUT: list of files/directories etc….

See the screenshot bellow how its executing the command and printing out the results, this could be also {{ rm * }} which will delete the entire application 🙂

Leave a comment

Your email address will not be published. Required fields are marked *