POST COPIED FROM https://medium.com/@xvnpw/hacking-spel-part-1-d2ff2825f62a
This story explains how to find and exploit SpEL parsing in Java-based web applications.
What is SpEL? From the Spring documentation: The Spring Expression Language (SpEL for short) is a powerful expression language that supports querying and manipulating an object graph at runtime.
Where is it used? In two places: inside Spring itself and its subprojects, and in the application code that developers write on top of Spring.
The first one is known from past issues like CVE-2018-1273, CVE-2017-8046 or CVE-2011-2730. I will not talk about them; I will focus on the second one.
Most common use cases for SpEL that I have seen in web applications look like this conditional expression:
fun1("some string") ? "text" : fun2("some other string")
The beginning of the RCE payload discussed below:
T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec
Any of the user input can be part of the expression, or the input can be the whole expression. The use cases above are good indicators of what to look for in web apps. Key words: expression, mapping, dynamic 😃
From what you have already seen, I bet you know what is coming. If developers are using SpEL with user input, we need to craft a payload with an injection. Let's look at one that allows remote code execution (RCE). It was created as part of the exploit for CVE-2017-8046.
It consists of 3 parts. The command it executes is:
cmd /c dir
To make it more robust, the individual characters of the command are decoded from numbers. Result of executing it:
Code of intentionally vulnerable web application:
Keep in mind that the command runs through
cmd /c
which is Windows-specific; on a Windows target it should work out of the box. Here is the payload to copy:
The other interesting payload is this one:
It is far less complicated, but short and powerful. It also does not use the T(...) syntax, and no constructor is used. It just executes methods and accesses properties. I will show in the next part why that matters.
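To make concrete what "SpEL with user input" looks like in code, here is an added example that is not taken from the original post or from its intentionally vulnerable application. It evaluates the same user-controlled string twice: once against Spring's StandardEvaluationContext, which is the setting the payloads above rely on, and once against a SimpleEvaluationContext restricted to read-only data binding. The Order class, the evaluateUnsafe, evaluateRestricted and customerMatches helpers and the harmless payload string are assumptions made for this illustration; the Spring classes and methods used are the real spring-expression API.

```java
// Added example, not code from the original post: the same user-controlled
// string evaluated under StandardEvaluationContext and under a restricted
// SimpleEvaluationContext. Requires spring-expression on the classpath.
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelInjectionDemo {

    // Hypothetical root object the application wants expressions to operate on.
    public static class Order {
        private final String customer;
        private final int quantity;

        public Order(String customer, int quantity) {
            this.customer = customer;
            this.quantity = quantity;
        }

        public String getCustomer() { return customer; }
        public int getQuantity() { return quantity; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // VULNERABLE: the user string is the whole expression and is evaluated with
    // StandardEvaluationContext, which allows T() type references, 'new' and
    // any public method call. This is the setting the payloads above need.
    static Object evaluateUnsafe(String userExpression, Order root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(userExpression).getValue(ctx);
    }

    // HARDENED: SimpleEvaluationContext with read-only data binding exposes only
    // public getters of the root object. T(), constructors and method calls are
    // rejected with a SpelEvaluationException during evaluation.
    static Object evaluateRestricted(String userExpression, Order root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        return PARSER.parseExpression(userExpression).getValue(ctx);
    }

    // PREFERRED: the expression is a fixed string written by the developer; the
    // user value is bound as a SpEL variable and is never parsed as syntax.
    static boolean customerMatches(String userInput, Order root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        ctx.setVariable("input", userInput);
        return Boolean.TRUE.equals(
                PARSER.parseExpression("customer == #input").getValue(ctx, Boolean.class));
    }

    public static void main(String[] args) {
        Order order = new Order("alice", 3);
        String legit = "quantity > 2 ? 'bulk' : 'single'";
        // Constructed payload: reaches java.lang.Runtime through T() exactly like
        // the RCE payload above, but stops at reading the class name instead of
        // calling exec(), so it is harmless to run.
        String payload = "T(java.lang.Runtime).getRuntime().getClass().getName()";

        System.out.println(evaluateUnsafe(legit, order));
        System.out.println(evaluateUnsafe(payload, order));

        System.out.println(evaluateRestricted(legit, order));
        try {
            evaluateRestricted(payload, order);
        } catch (SpelEvaluationException e) {
            System.out.println("rejected: " + e.getMessageCode());
        }

        System.out.println(customerMatches("alice", order));
        System.out.println(customerMatches("T(java.lang.Runtime)", order));
    }
}
```

Under the standard context the legitimate expression yields "bulk" and the payload resolves T(java.lang.Runtime) and walks the call chain to "java.lang.Runtime"; a real payload would call exec() at that point. Under the read-only data-binding context the legitimate expression still yields "bulk", while the payload fails at T(java.lang.Runtime) with the TYPE_NOT_FOUND message code, because that context has no type locator, no constructor resolver and, unless one is registered through withMethodResolvers, no method resolver either. That last property is what also stops the second, T()-free style of payload: a method call on the root object fails with METHOD_NOT_FOUND. The restricted context is still a mitigation, not a substitute for keeping user input out of the expression text; binding the value as a #variable into a fixed expression, as customerMatches does, is the pattern that removes the injection entirely.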
Check more payloads for SpEL in my repository: https://github.com/marcin33/hacking/blob/master/payloads/spel-injections.txt
That will be all for this part. I have explained what the SpEL API is and how to exploit it. In the next part I will dive into the Spring source code to show exactly how it works.