
@n1nj4sec
n1nj4sec / FreeMarker_SSTI_tricks.md
Created December 18, 2024 20:10
FreeMarker SSTI tricks

What is this cheat sheet?

I recently stumbled on a blind SSTI injection on a bug bounty program (no output nor stack trace, only a 500 status code on invalid syntax).

The version was up to date and it was not possible to get RCE because the conf was following best practices and there is no public sandbox bypass on the latest version. So was it possible to do stuff anyway? Yes, I found some nice gadgets to enumerate all accessible variables from the engine, read data blindly or perform some DoS.

This is not meant to be complete; you will find classic payloads for FreeMarker on other cheat sheets. This is only the new stuff from my research, which is not public anywhere else.

get versions

@n1nj4sec
n1nj4sec / extract_and_scramble_hashcat_hash.sh
Created March 28, 2022 08:24 — forked from loren-osborn/extract_and_scramble_hashcat_hash.sh
script to extract (and then scramble) macOS user password hash from system .plist file
#!/bin/bash
extractOsXUserHash() {
xmlOfUsertPlist="$( \
plutil -convert xml1 - -o - \
)"
if [ -z "$xmlOfUsertPlist" ] ; then \
1>&2 echo "No input detected"
exit 127
fi
@n1nj4sec
n1nj4sec / dump_pupyconfig.py
Created October 8, 2019 08:43
A little forensic script to extract a pupy payload's config.
#!/usr/bin/env python
# -*- coding: UTF8 -*-
import sys
import struct
import pylzma
if __name__=="__main__":
data=b""
found=False

Keybase proof

I hereby claim:

  • I am n1nj4sec on github.
  • I am n1nj4sec (https://keybase.io/n1nj4sec) on keybase.
  • I have a public key ASDpWv_5VQ_kN-xV-gM3EZx76oA9Fb2P1o8dp77o6x5D2Qo

To claim this, I am signing this object: