This is a deep playbook for exploiting expression language injection in Java frameworks, covering SpEL in Spring, OGNL in Struts2, and Java EL in JSP/JSF. It walks through sandbox bypasses like `_memberAccess` manipulation, includes CVE-specific exploits like Spring Cloud Gateway's CVE-2022-22947 via actuator abuse, and provides polyglot probes to distinguish between different EL engines. The distinction from SSTI is clear: you're targeting expression evaluators, not template engines, though detection often starts with the same `${7*7}` probe. If you're pentesting Java apps or dealing with legacy Struts2 deployments, this gives you ready-to-use payloads and the methodology to adapt them when sandboxes block the obvious paths.
npx skills add https://github.com/yaklang/hack-skills --skill expression-language-injection