Limitations are just an illusion - advanced server-side template exploitation with RCE everywhere
This article explains some novel techniques for exploiting server-side template injections (SSTIs) with complex, unique payloads that leverage default methods and syntax from various template engines. Even better, we will show how to do so without needing any quotation marks or extra plugins within the templates. All server-side template injection payloads detailed below can achieve remote code execution (RCE) on the target applications.
You can find the full research on YesWeHack’s blog page.
If you are interested in the payloads mentioned in the article, you can find them on the payload page!
This post is licensed under CC BY 4.0 by the author.