udpate readme

Author: JoyChou93

README.md

@@ -46,6 +46,7 @@ Sort by letter.
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
 - [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
+- [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)

README_zh.md

@@ -43,6 +43,7 @@
 - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)
 - [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)
 - [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)
+- [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)

src/main/java/org/joychou/controller/SSTI.java

@@ -15,9 +15,11 @@
 public class SSTI {
 
     /**
-     * SSTI of Java velocity.
-     * Open a calculator in MacOS.
+     * SSTI of Java velocity. The latest Velocity version still has this problem.
+     * Fix method: Avoid to use Velocity.evaluate method.
+     *
      * http://localhost:8080/ssti/velocity?template=%23set($e=%22e%22);$e.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null).exec(%22open%20-a%20Calculator%22)
+     * Open a calculator in MacOS.
      *
      * @param template exp
      */