Tags: reflection web template-injection waf-bypass 

**Detailed Writeup**
https://fireshellsecurity.team/sekaictf-frog-waf-and-chunky/#challenge-frog-waf-29-solves

**TLDR**
* Use `constraintContext.buildConstraintViolationWithTemplate` for Java Expression Language Injection.
* Use the country error to get the output.
* Bypass the WAF with Java reflection.
* Use the `{message}` variable as a string to start from.
* Use `{message.getClass().getClass()}` to get `Class`.
* Use `array.size` to generate numbers.
* Use `getMethods` from `Class` to get `Class.forName`, which gives access to any class.
* Use `getMethods` also to build a charmap.
* Use `getMethods` on the other classes to call any method by index.
* Compose these until you can call `java.lang.Runtime.getRuntime().exec("bash command")` for RCE.
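
The root cause named in the first bullet, shown next to its fix. This is an added example, not code from the challenge or the original writeup. It assumes the country validator concatenated the submitted value into the template, and it uses the `javax.validation` namespace (Bean Validation 2.0); `ValidCountry`, both validator classes and the allow-list are hypothetical names.

```java
import java.lang.annotation.*;
import java.util.Set;
import javax.validation.*;

// Hypothetical constraint annotation; every name in this file is illustrative.
@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = SafeCountryValidator.class)
@interface ValidCountry {
    String message() default "country is not valid";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

// Vulnerable shape: the submitted value becomes part of the message template,
// so any expression it contains is evaluated by the EL engine when the
// violation message is interpolated.
class UnsafeCountryValidator implements ConstraintValidator<ValidCountry, String> {
    static final Set<String> ALLOWED = Set.of("Japan", "Brazil", "Germany"); // constructed sample

    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || ALLOWED.contains(value)) return true; // null is left to @NotNull
        ctx.disableDefaultConstraintViolation();
        ctx.buildConstraintViolationWithTemplate(value + " is not a valid country")
           .addConstraintViolation();
        return false;
    }
}

// Hardened shape: the template is a constant and never contains request data,
// so there is nothing attacker-controlled for the EL engine to evaluate.
class SafeCountryValidator implements ConstraintValidator<ValidCountry, String> {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || UnsafeCountryValidator.ALLOWED.contains(value)) return true;
        ctx.disableDefaultConstraintViolation();
        ctx.buildConstraintViolationWithTemplate("country is not valid")
           .addConstraintViolation();
        return false;
    }
}
```

If the rejected value has to appear in the error, Hibernate Validator's `HibernateConstraintValidatorContext` (obtained with `ctx.unwrap(...)`) accepts it as a message parameter or expression variable instead of as template text. Filtering request bodies in front of the unsafe validator leaves the injection point in place, which is why the reflection-based bypass above works.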