We were able to log in and edit the product descriptions:

We were able to edit the template of the product description:

We changed ${product.stock} to ${7*7} and got the result 49, meaning that the page is vulnerable to SSTI (Server-Side Template Injection).

We then entered hehe as the payload and received an error message, which showed that this webpage uses the FreeMarker templating engine:

We researched further and found these payloads in HackTricks:

We were able to use the payload ${"freemarker.template.utility.Execute"?new()("id")} to execute commands on the server:

We were able to remove the morales.txt file using the payload, thus solving the lab:
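
The payload above works because FreeMarker's ?new built-in is unrestricted by default. The following is an added example, not code from this write-up or from the lab, showing the configuration change that makes the engine refuse it; it assumes FreeMarker 2.3.31 or later on the classpath and Java 11+, and the class name and data model are constructed for illustration.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

public class NewBuiltinHardening {

    // Render a user-edited template and report whether FreeMarker refused it.
    static String render(Configuration cfg, String source) throws IOException {
        Template t = new Template("product-description", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        try {
            t.process(Map.of("product", Map.of("stock", 12)), out); // constructed data model
            return "rendered: " + out;
        } catch (TemplateException e) {
            return "blocked: " + e.getMessage().lines().findFirst().orElse("");
        }
    }

    public static void main(String[] args) throws IOException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // The default is UNRESTRICTED_RESOLVER, which lets ?new instantiate any
        // TemplateModel class, including freemarker.template.utility.Execute.
        // ALLOWS_NOTHING_RESOLVER rejects every class name given to ?new.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // The ?api built-in is off by default; keep it off for user-edited templates.
        cfg.setAPIBuiltinEnabled(false);

        // The legitimate expression from the write-up still renders.
        System.out.println(render(cfg, "Stock: ${product.stock}"));
        // The payload from the write-up is refused at render time.
        System.out.println(render(cfg,
            "${\"freemarker.template.utility.Execute\"?new()(\"id\")}"));
    }
}
```

This closes the ?new route only. Letting untrusted users edit template source remains the underlying problem, so the resolver setting belongs alongside restricting who can change templates.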