A Summary Of Fancy Attack Injection Methods - Part 1


When you hear about injection, the first thing you think of is probably SQL injection, but do you know about the other injection methods?

Let's start with the cause of web injection. The condition for injection is that the server does not validate the user's input, accepts that input as part of legitimate content (a query, a template, an expression), and then executes the malicious content the user inserted, which leads to all kinds of problems.

From this it is clear that injection is not limited to SQL but covers many more... In fact, command execution is itself a type of injection.

In this series I will introduce the injection types you may not know, such as expression injection, which can be divided into EL expression injection, OGNL expression injection, JEXL expression injection, SPEL expression injection, and so on.

Other examples are SSTI, also known as template injection, JWT injection, HTML injection, DDE injection, CRLF injection (response splitting), LDAP injection, etc.

Some of these are initiated by the client against the server, some by the server against the client, and some are mixed into other vulnerabilities, which makes them confusing. This series of articles will help you understand those "fancy injections" you may have seen but could not put a name to.

Expression Injection

Expression Language Injection was created by OWASP in 2013, and this type of vulnerability is now also classed as a remote code execution vulnerability by security personnel. Because expression injection most often appears in Java web applications, it is also called JWEL injection.

The struts2 series of vulnerabilities we often talk about is a type of expression injection, namely OGNL expression injection: because the framework handled OGNL evaluation improperly, remote code execution became possible.

Java expression tools let developers easily perform operations such as dynamic assignment. At the same time, when a developer mishandles user input, RCE results, and the various kinds of expression injection are born.

Types of expression injection

EL expression injection

EL stands for Expression Language. Its syntax is very simple, and its biggest feature is ease of use. It is also a built-in language of JSP, used to access the page context and objects in different scopes, read object properties, or perform simple calculations and comparisons. Its main syntactic form looks like this: ${sessionScope.company.staff}

The content inside "${}" is what we can manipulate. In the older JSP style you would write it like this:

Company company = (Company) session.getAttribute("company");

String staff = company.getStaff();

But these details are not important; what matters is knowing the main syntax. EL provides two operators for navigating data, "." and "[]", for example: ${sessionScope.company["staff"]}

For the differences between the two forms, refer to this article: cnblogs.com/czs1982/p/3966748.html. Read access in EL is also very simple. In our example the company's staff value is fetched from the session scope, but when no scope is specified it first looks in the Page scope.

If it is not found there, it searches the Request, Session, and Application scopes in that order. If the value is found along the way it is returned directly and the search stops; if it is not found at all, a blank is displayed on the page.

At the same time, EL also provides some operators, most of which are commonly used in Java, such as:

Arithmetic: "+ - * /"

Remainder: "%" or "mod"

Relational operators: "==" or "eq", "!=" or "ne", "<" or "lt", ">" or "gt", "<=" or "le", ">=" or "ge"

Logical operators: "&&" or "and", "||" or "or", "!" or "not"

Then there is the "empty" operator and the conditional operator "${A ? B : C}".

Now that we know EL injection is a kind of injection, its principle is the same: the expression is externally controllable, which lets an attacker inject a malicious expression to achieve RCE. A general PoC looks like this:

//Corresponds to the pageContext object of the JSP page (note: it fetches the pageContext object)
${pageContext}
//Get the web path
${pageContext.getSession().getServletContext().getClassLoader().getResource("")}
//Request header parameters
${header}
//Get the webRoot
${applicationScope}
//Execute a command
${pageContext.request.getSession().setAttribute("a",pageContext.request.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("calc").getInputStream())}

In testing, though, the vulnerability is more often judged by arithmetic (addition, subtraction, multiplication and division), for example "${7*8}".

Although I know this vulnerability, I have never dug one up myself... I can only find a few cases from the WooYun mirror to demonstrate.

groupName=1&papersType=${555-444}&papersValue=1&baseacct=1&retMsg=1&retCode=1

You can see that the papersType parameter is controllable, and after execution the number 111 appears somewhere on the page. Here is an example of SPEL injection (the principle is the same):

Finally, it can be executed directly.

SPEL expression injection

Spring Expression Language is also known as SPEL. As the name suggests, it is a Spring-specific expression language. It not only supports querying and manipulating object graphs at runtime but also provides method invocation and basic string templating, and it can be integrated into other applications and frameworks.

SPEL uses "#{...}" as its delimiter; everything inside the braces is treated as a SPEL expression, in which we can use operators, variables, and references to beans, their properties and their methods:

Reference another object: "#{car}"

Reference a property of another object: "#{car.brand}"

Call a method (chaining is also possible): "#{car.toString()}"

A property can also be referenced with the "$" symbol, for example "${someProperty}"

In addition, the "T()" operator in SPEL expressions gives access to the static methods and constants of a class. For example, Java's Math class can be used in a SPEL expression through the T() operator like this:

#{T(java.lang.Math)} The T() operator returns the java.lang.Math Class object.

The most common demonstration is actually popping a calculator to prove the attack works, for example with this code:

ExpressionParser parser = new SpelExpressionParser();
Expression exp = parser.parseExpression("T(java.lang.Runtime).getRuntime().exec(\"open /Applications/Calculator.app\")");
Object value = exp.getValue();

T() resolves a class and returns its Class object, through which the corresponding static methods and properties are then called.
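The following is an added example, not code from the article or from the Spring project. It runs the same SpelExpressionParser call shown above twice: once with StandardEvaluationContext (the full-power default the vulnerable code effectively uses) and once with the restricted SimpleEvaluationContext that Spring ships for data binding (available since Spring 4.3.15 / 5.0.5; this example assumes Spring 5.x on the classpath). The Car bean and the three input strings are constructed for the demo; the T() probe uses java.lang.Math so the demonstration stays harmless, but it is the same door as T(java.lang.Runtime).

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added example (not from the article): compare how the two Spring evaluation
// contexts treat the same untrusted expression strings.
public class SpelContextDemo {

    // Constructed stand-in for the "car" object used in the article's syntax notes.
    public static class Car {
        private final String brand;
        public Car(String brand) { this.brand = brand; }
        public String getBrand() { return brand; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Evaluate one expression against a context and report the outcome as text
    // instead of throwing, so the two contexts can be compared side by side.
    public static String evaluate(String expr, EvaluationContext ctx, Object root) {
        try {
            Expression e = PARSER.parseExpression(expr);
            return "OK: " + e.getValue(ctx, root);
        } catch (ExpressionException ex) {
            // Covers both parse errors and SpelEvaluationException (e.g. EL1005E type not found)
            return "REJECTED: " + ex.getMessage();
        }
    }

    public static void main(String[] args) {
        Car car = new Car("Volvo");

        // Full-power context: type references, constructors, bean references and
        // any method on any reachable object are allowed.
        EvaluationContext standard = new StandardEvaluationContext();

        // Read-only data-binding context: no T(), no bean references, no constructors,
        // no static methods; only property reads and instance methods on the root object.
        EvaluationContext restricted = SimpleEvaluationContext.forReadOnlyDataBinding().build();

        String[] inputs = {
            "brand",                      // legitimate data binding -> Volvo in both contexts
            "7*8",                        // the arithmetic probe from the article -> 56 in both
            "T(java.lang.Math).abs(-1)"   // type reference: works in standard, rejected in restricted
        };
        for (String in : inputs) {
            System.out.println(in);
            System.out.println("  standard   -> " + evaluate(in, standard, car));
            System.out.println("  restricted -> " + evaluate(in, restricted, car));
        }
    }
}
```

Two points worth noting from the output. First, the arithmetic probe ("7*8") still evaluates under the restricted context, so a reflected "56" alone does not prove that T() and method chaining are reachable; the restricted context closes the RCE path while leaving harmless operators available. Second, the stronger fix is not to concatenate user input into the expression string at all: keep the expression fixed in code and expose the user value through a variable (ctx.setVariable("input", value), referenced as #input), so the input is treated as data rather than parsed as SPEL.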

We use CVE-2016-4977 to demonstrate.

CVE-2016-4977: Spring Security OAuth is a module that provides authentication support for the Spring framework. When it uses the whitelabel view to handle errors, because SPEL is evaluated, an attacker can craft malicious parameters to achieve remote command execution. Start the vulhub environment: docker-compose up -d. The response_type parameter is controllable; entering the expression "${555-444}" displays the result on the error page.

Using the official PoC, base64-encode our bash command to generate the SPEL expression we need:

Listen on port 4444, execute the payload, and we can see the shell is returned successfully.

JEXL expression injection

Java Expression Language, JEXL for short, is a library designed to make it easy to add dynamic and scripting features to applications and frameworks written in Java. It is an expression language based on some extensions of the JSTL expression language.

The language also provides some scripting features, such as the addition, subtraction, multiplication and division of the previous expression languages. It also provides module and component configuration, interfaces and implementations for loose coupling or duck typing, and simple templating functions.

...Forget it; as someone who wants to be the strongest script kiddie in history, why should I know so much? Straight to the practical part (again using vulhub to demonstrate): CVE-2019-7238, the Nexus Repository Manager 3 remote code execution vulnerability. Because this system is used to some extent in large enterprises, it is still useful in real engagements. Research shows the vulnerability is an arbitrary JEXL expression execution vulnerability based on OrientDB custom functions. Since JEXL expressions can execute Java code without security restrictions, it is indirectly a remote code execution vulnerability.

For detailed analysis, refer to: xz.aliyun.com/t/4136 and anquanke.com/post/id/171116. Log in to the admin console and upload a jar package; the trigger condition for this vulnerability is that there must be a jar package in the repository.

Summary

Expression injection is in many cases the outward form of command execution. Some of them are injections we often talk about without knowing why they arise, for example the OGNL expression language of the struts2 framework, which sometimes comes up in testing.

When parameters are reflected in the page, we should consider expression injection. If you can use this vulnerability to do addition, subtraction, multiplication and division, isn't that nicer than popping a calculator?

Sometimes we don't need to enter "${}" and can put the arithmetic directly after the parameter; sometimes we do need to add "${}". That is for the bounty hunter to judge case by case.

Of course there are more techniques, such as WAF bypasses, which the experts will discover bit by bit. As a tool collector, I am waiting for the experts' exploits.
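The summary above describes what these probes look like from the outside: "${...}", "#{...}" or "%{...}" delimiters, or bare arithmetic such as 555-444 with no delimiter at all. The following added example (not part of the original article) turns that description into detection logic a defender can run over a query string, whether in a request filter, a WAF rule or an offline pass over access logs. The sample query strings are constructed; the class name and severity labels are this example's own.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example (not from the article): flag request parameters that carry the
// expression-injection probes described in this series. Requires Java 11+ for
// the Charset overload of URLDecoder.decode.
public class ExpressionProbeDetector {

    // Delimiters of the expression languages covered here:
    // ${...} (EL / Spring placeholders), #{...} (SPEL), %{...} (OGNL, struts2).
    private static final Pattern DELIMITED = Pattern.compile("[$#%]\\{[^}]*\\}");

    // Tokens that only make sense inside an expression language: the SPEL T()
    // type reference, reflective class access, and the JSP implicit objects used
    // in the EL PoC above. Case-sensitive on purpose so "format(" is not hit.
    private static final Pattern DANGEROUS_TOKENS = Pattern.compile(
            "\\bT\\s*\\(|\\.getClass\\s*\\(|\\.forName\\s*\\(|java\\.lang\\.Runtime"
            + "|getRuntime|pageContext|applicationScope");

    // The delimiter-less arithmetic probe (e.g. 555-444 or 7*8): exactly two small
    // integers joined by one operator and nothing else. Low confidence by design,
    // since a legitimate range like "10-20" also matches; dates like 2021-01-01 do not.
    private static final Pattern BARE_ARITHMETIC =
            Pattern.compile("^\\s*\\d{1,4}\\s*[-+*/]\\s*\\d{1,4}\\s*$");

    // Decode percent-escapes so %24%7B is seen as ${. A malformed escape such as a
    // literal "%{" makes URLDecoder throw; keep the raw value so it is still scanned.
    // Note that URLDecoder turns '+' into a space, so an encoded probe must use %2B.
    static String safeDecode(String raw) {
        try {
            return URLDecoder.decode(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return raw;
        }
    }

    // Returns parameter name -> list of reasons, only for parameters that matched.
    public static Map<String, List<String>> scan(String queryString) {
        Map<String, List<String>> findings = new LinkedHashMap<>();
        for (String pair : queryString.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = safeDecode(eq < 0 ? "" : pair.substring(eq + 1));

            List<String> reasons = new ArrayList<>();
            if (DELIMITED.matcher(value).find())
                reasons.add("HIGH: expression delimiter ${} / #{} / %{} present");
            if (DANGEROUS_TOKENS.matcher(value).find())
                reasons.add("HIGH: type reference or reflection token present");
            if (BARE_ARITHMETIC.matcher(value).matches())
                reasons.add("LOW: bare arithmetic probe; confirm by checking whether the response reflects the computed value");
            if (!reasons.isEmpty()) findings.put(name, reasons);
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed samples: the article's WooYun-style probe, an encoded SPEL T()
        // probe on the CVE-2016-4977 parameter, and benign traffic with one date value.
        String[] samples = {
            "groupName=1&papersType=%24%7B555-444%7D&papersValue=1&retCode=1",
            "response_type=%23%7BT(java.lang.Math).abs(-1)%7D&client_id=acme",
            "q=7*8&date=2021-01-01&page=2"
        };
        for (String qs : samples) {
            System.out.println(qs);
            Map<String, List<String>> hits = scan(qs);
            if (hits.isEmpty()) System.out.println("  (no findings)");
            for (Map.Entry<String, List<String>> h : hits.entrySet())
                System.out.println("  " + h.getKey() + " -> " + h.getValue());
        }
    }
}
```

Running the sample prints one HIGH finding for papersType, two HIGH findings for response_type, and a single LOW finding for q while date and page pass clean. The LOW tier exists because, as the summary says, some endpoints evaluate arithmetic without any delimiter; a detector cannot tell "7*8" from a legitimate value on its own, so that signal is best correlated with the response (did "56" come back?) rather than blocked outright.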

Reference Articles

Finally, some reference articles you can study on your own. In next Wednesday's update we will talk about DDE injection and HTML injection, with no break in the schedule!

xz.aliyun.com/t/7692#toc-0
aluvion.gitee.io/2019/04/25/Java%E7%89%B9%E..
commons.apache.org/proper/commons-jexl
blog.csdn.net/weixin_42382121/article/detai..
github.com/vulhub/vulhub/tree/master/jackso..