LittleWing XTeam-Wing

## FreeMarker_SSTI_tricks.md

      
              1 file
            
          
              5 forks
            
          
                0 comments
              
            
              15 stars
            
          
                n1nj4sec
                / FreeMarker_SSTI_tricks.md
            
            
              Created
              December 18, 2024 20:10
            
              
                FreeMarker SSTI tricks
              
          
    What is this cheat sheet ?

I recently stumbled on a blind SSTI injection on a bug bounty program (no output nor stack trace, only 500 status code on invalid syntax)
The version was up to date and it was not possible to RCE because the conf was following best practices and there is no public sandbox bypass on the latest version.
So was it possible to do stuff anyway ? Yes I found some nice gadgets to enumerate all accessible variables from the engine, read data blindly or perform some DoS.
This is not meant to be complete, you will find classic payloads for freemarker on other cheat sheets this is only the new stuff from my research which is not public anywhere else
get versions


## report.py
import poe, sys

client = poe.Client("<POE_API_KEY_HERE>")
title=sys.argv[1]
path=sys.argv[2]
more=""
if len(sys.argv) > 3:
  more="\" and here is more information: "+sys.argv[3]

message="""generate a bug bounty report for me (hackerone.com), the title of the bug is """+title+""" and the vulnerability path is \""""+path+more+"""

## 20211210-TLP-WHITE_LOG4J.md

      
              1 file
            
          
              94 forks
            
          
                907 comments
              
            
              1085 stars
            
          
                SwitHak
                / 20211210-TLP-WHITE_LOG4J.md
            
            
              Last active
              October 14, 2025 08:35
            
              
                BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC
              
          
    Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)
Errors, typos, something to say ?


If you want to add a link, comment or send it to me
Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources


Royce Williams list sorted by vendors responses Royce List
Very detailed list NCSC-NL
The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List


## PoC_CVE-2021–31474.json
POST /api/Action/TestAction HTTP/1.1
Host: <target>
Content-Length: 3978
Accept: application/json, text/javascript, */*; q=0.01
X-XSRF-TOKEN: <token>
X-Requested-With: XMLHttpRequest
ViewLimitationID: 0
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Cookie: <cookie>

## DnsTunnel.cs
using System;
using System.Net.Sockets;
using System.Net;

namespace DnsTunnel
{
    class Program
    {
        static void OpenTunnel(int listenerPort, string targetHost, int targetPort)
        {

## wmicLateralMovement.txt
As always, only for use on networks you own or have permission to test against.

Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely.
If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps.  However, for one-offs this works fine as well.

The process involves a total of four commands, three of which can be combined on the command line to form one large block.

Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager)
    wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName

## Invoke-Procdump.ps1
$Source = @"
using System;
using System.Runtime.InteropServices;

namespace ProcDump {
    public static class DbgHelp {
        [DllImport("Dbghelp.dll")]
        public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, IntPtr hFile, IntPtr DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);
    }
}

## loadPcap.py
#!/usr/bin/env python3
from scapy.all import *
from py2neo import Graph, Node, Relationship

packets = rdpcap("<your_pcap_file>")
g = Graph(password="<your_neo4j_password>")


for packet in packets.sessions():
    pkt = packet.split()

## PCMPBNMBAO_x86_poc.vba
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
' by @_xpn_
'
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro

Const EXTENDED_STARTUPINFO_PRESENT = &H80000
Const HEAP_ZERO_MEMORY = &H8&
Const SW_HIDE = &H0&
Const MAX_PATH = 260
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007

## android-burp-cert.sh
# https://securitychops.com/2019/08/31/dev/random/one-liner-to-install-burp-cacert-into-android.html
#
curl --proxy http://127.0.0.1:8080 -o cacert.der http://burp/cert  \
&& openssl x509 -inform DER -in cacert.der -out cacert.pem \
&& cp cacert.der $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1).0 \
&& adb root \
&& adb remount \
&& adb push $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1).0 /sdcard/ \
&& echo -n "mv /sdcard/$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1).0 /system/etc/security/cacerts/" | adb shell \
&& echo -n "chmod 644 /system/etc/security/cacerts/$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1).0" | adb shell \
	import poe, sys

	client = poe.Client("<POE_API_KEY_HERE>")
	title=sys.argv[1]
	path=sys.argv[2]
	more=""
	if len(sys.argv) > 3:
	more="\" and here is more information: "+sys.argv[3]

	message="""generate a bug bounty report for me (hackerone.com), the title of the bug is """+title+""" and the vulnerability path is \""""+path+more+"""
	POST /api/Action/TestAction HTTP/1.1
	Host: <target>
	Content-Length: 3978
	Accept: application/json, text/javascript, /; q=0.01
	X-XSRF-TOKEN: <token>
	X-Requested-With: XMLHttpRequest
	ViewLimitationID: 0
	User-Agent: Mozilla/5.0
	Content-Type: application/json; charset=UTF-8
	Cookie: <cookie>
	using System;
	using System.Net.Sockets;
	using System.Net;

	namespace DnsTunnel
	{
	class Program
	{
	static void OpenTunnel(int listenerPort, string targetHost, int targetPort)
	{
	As always, only for use on networks you own or have permission to test against.

	Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely.
	If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps. However, for one-offs this works fine as well.

	The process involves a total of four commands, three of which can be combined on the command line to form one large block.

	Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager)
	wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName
	$Source = @"
	using System;
	using System.Runtime.InteropServices;

	namespace ProcDump {
	public static class DbgHelp {
	[DllImport("Dbghelp.dll")]
	public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, IntPtr hFile, IntPtr DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);
	}
	}
	#!/usr/bin/env python3
	from scapy.all import *
	from py2neo import Graph, Node, Relationship

	packets = rdpcap("<your_pcap_file>")
	g = Graph(password="<your_neo4j_password>")


	for packet in packets.sessions():
	pkt = packet.split()
	' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
	' by @_xpn_
	'
	' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro

	Const EXTENDED_STARTUPINFO_PRESENT = &H80000
	Const HEAP_ZERO_MEMORY = &H8&
	Const SW_HIDE = &H0&
	Const MAX_PATH = 260
	Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007
	# https://securitychops.com/2019/08/31/dev/random/one-liner-to-install-burp-cacert-into-android.html
	#
	curl --proxy http://127.0.0.1:8080 -o cacert.der http://burp/cert \
	&& openssl x509 -inform DER -in cacert.der -out cacert.pem \
	&& cp cacert.der $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem \|head -1).0 \
	&& adb root \
	&& adb remount \
	&& adb push $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem \|head -1).0 /sdcard/ \
	&& echo -n "mv /sdcard/$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem \|head -1).0 /system/etc/security/cacerts/" \| adb shell \
	&& echo -n "chmod 644 /system/etc/security/cacerts/$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem \|head -1).0" \| adb shell \