hacktricks/pentesting/pentesting-web/spel-spring-expression-language.md
2020-07-29 09:22:22 +00:00


SpEL - Spring Expression Language

POST COPIED FROM https://medium.com/@xvnpw/hacking-spel-part-1-d2ff2825f62a

This story explains how to find and exploit a SpEL parser in Java-based web applications.

What is SpEL? From the Spring documentation: "The Spring Expression Language (SpEL for short) is a powerful expression language that supports querying and manipulating an object graph at runtime."

Where is it used?

  1. Spring Framework: Security, Data, …
  2. Any place developers use it by SpEL API
  3. It can be used from Java, Kotlin, Scala, and other JVM-based languages.

The first point is known from past issues such as CVE-2018-1273, CVE-2017-8046 and CVE-2011-2730. I will not talk about them; I will focus on point number two.

SpEL API

The most common use cases for SpEL that I have seen in web applications:

  • complex expressions using custom function calls: fun1("some string") ? "text" : fun2("some other string")
  • dynamic code evaluation: T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec

Any piece of user input can become part of an expression, or the input can be the expression as a whole. The use cases above are good indicators of what to look for in web apps. Key words: expression, mapping, dynamic 😃

Payloads

From what you have already seen, I bet you know what is coming. If developers are using SpEL with user input, we need to create a payload with an injection. Let's check one that allows remote code execution (RCE). It was created as part of the exploit for CVE-2017-8046.

[Image: the RCE payload, color-coded as described below]

It consists of 3 parts:

  • black color — copies the result of command execution directly to the output stream of the HTTP request
  • red color — gets the Java Runtime and executes a command on the system
  • blue color — the String containing the command: cmd /c dir. To make it more robust, the individual characters of the command are decoded from numbers.

Result of executing it:

[Image: result of executing the payload]

Code of intentionally vulnerable web application:

Keep in mind:

  • the payload works in some blind scenarios — it always copies the result to the HTTP response
  • it can be tuned to work on Linux — just remove cmd /c and it should work out of the box
  • in the real world you will probably first need to break out of a string to inject this, or use other tricks that are common to injection attacks
  • it can be used with multiple versions of Spring Framework and Java

Here is the payload to copy:

The other interesting payload is this one:

[Image: the second payload]

It is far less complicated, but short and powerful. It also does not use the T(...) syntax, and no constructor is used; it just executes methods and accesses properties. I will show in the next part why that matters.
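Whether either payload shape works depends on the evaluation context the application hands to SpEL, so here is an added example (written for this page, not code from the original post, from HackTricks or from Spring) contrasting the two. `StandardEvaluationContext` exposes `T(...)` type references, constructors and method invocation on any class on the classpath, which is what the first payload relies on. `SimpleEvaluationContext.forReadOnlyDataBinding()` (in Spring Framework since 4.3.15 / 5.0.5) confines an expression to property reads on the supplied root object and registers no method resolvers, so both the `T(...)`-based shape and the "just methods and properties" shape above are rejected with a `SpelEvaluationException`. The `Order` class, the `Order` data, the `java.version` probe and the `customer.toUpperCase()` probe are all constructed for this example.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Constructed root object standing in for the data a template legitimately needs.
    public static class Order {
        private final String customer;
        private final int total;

        public Order(String customer, int total) {
            this.customer = customer;
            this.total = total;
        }

        public String getCustomer() { return customer; }
        public int getTotal() { return total; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable pattern: user-controlled text is parsed as a complete expression and
    // evaluated in a StandardEvaluationContext, which permits T() type references,
    // constructors and method calls on any class reachable from the classpath.
    static Object evaluateUnsafe(String userExpression, Order root) {
        Expression exp = PARSER.parseExpression(userExpression);
        return exp.getValue(new StandardEvaluationContext(root));
    }

    // Hardened pattern: SimpleEvaluationContext limits evaluation to read-only property
    // access on the root object. Type references, constructors and bean references are
    // not supported, and with no method resolver registered, method invocation fails too.
    static Object evaluateRestricted(String userExpression, Order root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression exp = PARSER.parseExpression(userExpression);
        return exp.getValue(ctx, root);
    }

    // Runs one expression through both contexts and reports what each one does with it.
    static void compare(String label, String expression, Order root) {
        System.out.println("== " + label + ": " + expression);
        System.out.println("   unsafe    : " + evaluateUnsafe(expression, root));
        try {
            System.out.println("   restricted: " + evaluateRestricted(expression, root));
        } catch (SpelEvaluationException e) {
            // getMessageCode() is the SpelMessage enum, e.g. TYPE_NOT_FOUND or METHOD_NOT_FOUND.
            System.out.println("   restricted: rejected (" + e.getMessageCode() + ")");
        }
    }

    public static void main(String[] args) {
        Order order = new Order("alice", 42);

        // Legitimate data-binding expression: accepted by both contexts.
        compare("legit", "customer + ' owes ' + total", order);

        // T() type reference reaching a JDK class. Harmless probe, but it shows that
        // arbitrary classes are reachable in the unsafe context and blocked in the other.
        compare("type reference", "T(java.lang.System).getProperty('java.version')", order);

        // Method call on a property, the shape of the second payload: no T(), no constructor.
        // Still rejected in the restricted context because no method resolver is registered.
        compare("method call", "customer.toUpperCase()", order);
    }
}
```

If the application genuinely needs method calls on the root object, `SimpleEvaluationContext.forReadOnlyDataBinding().withInstanceMethods()` re-enables instance methods on that object only; the `T(...)` route to `Runtime` and `ProcessBuilder` stays closed. Finding a `StandardEvaluationContext` fed with request data is therefore the code-level signal to look for when reviewing an application for the injection described on this page.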

Check more payloads for SpEL in my repository: https://github.com/marcin33/hacking/blob/master/payloads/spel-injections.txt

Summary

That is all for this part. I have explained what the SpEL API is and how to exploit it. In the next part I will dive deep into the Spring source code to show exactly how it works.