Final decoded literal path:
-template-../../../../root/
Assume a vulnerable PHP include pattern (a Node.js template loader that builds a path from a query parameter has the same shape):
<?php
// The template name comes straight from the query string and is concatenated
// into the include path with no allowlist and no containment check.
$template = $_GET['template'];
include("/var/www/templates/" . $template . ".php");
If the application decodes -2F to / (a custom escape, not standard URL encoding) but does not reject .., the request:
?template=-template-..-2F..-2F..-2F..-2Froot-2Fsecret.txt
→ becomes: include("/var/www/templates/-template-../../../../root/secret.txt.php")
The -template-.. segment is not a traversal by itself, but the four .. that follow it climb out of -template-.., templates, www and var, so the path resolves to /root/secret.txt.php. Note the .php the code appends: that is the reason this style of probe is so often paired with a null-byte truncation.
A secure normalizer would resolve the real path (realpath() in PHP) and refuse anything that does not remain under /var/www/templates/.
Payload: -template-..-2F..-2F..-2F..-2Froot-2F
Likely attacker goal: read system files such as /root/.bash_history, /root/.ssh/id_rsa, or /etc/shadow.
The payload attempts to read sensitive system files like:
../../../../root/.bashrc
../../../../root/.ssh/id_rsa
../../../../etc/shadow
The -template- prefix suggests the attacker may be probing for Server-Side Template Injection (SSTI) alongside path traversal: a template engine such as Jinja2, Twig, or FreeMarker whose wrapper unsafely concatenates user input into a file path or include statement.
The -template- prefix suggests this is not a stock, automated worm but a custom or semi-custom scan. Variants include:
Combining the traversal with null byte injection (%00) to truncate the appended .php extension; this only works against PHP older than 5.3.4, which started rejecting null bytes in filesystem paths.
Since this payload uses a non-standard encoding (-2F instead of %2F), a blacklist that inspects the raw query string for %2F or ../ never sees a slash and lets it through. Checks must run on the fully decoded and normalized path, and an allowlist of template names is safer still.