I'm currently on a pentest and I've come across a URL parameter which is vulnerable to Expression Language (EL) injection, and I can prove that by accessing properties such as ${pageContext}.
However, it appears that I have access to Java object properties, but I'm not able to call methods. I know people have been able to do this, but it seems that whenever I insert parentheses the application prevents the Java execution.
Is there anything that I am obviously missing or any ideas how I can overcome this issue?
Sample of payloads that I have tried:
${pageContext.servletContext.serverInfo} - Works
${requestScope[%27javax.servlet.forward.servlet_path%27]} - Works
${param.foo} - Works
${param.foo.toUpper()} - Fails