package org.joychou.controller;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
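/**
 * SpEL Injection.
 *
 * <p>Lab controller contrasting unsafe and restricted evaluation of Spring Expression Language
 * (SpEL) input. Every endpoint parses the request parameter {@code value} as an expression; the
 * difference is the evaluation context. {@link StandardEvaluationContext} exposes the full language,
 * including type references and method invocation, so a caller-controlled expression amounts to
 * code execution in the server process. {@link SimpleEvaluationContext} exposes only a reduced
 * subset of the language.
 *
 * <p>The {@code vuln} endpoints are kept exploitable on purpose as teaching examples. The root
 * cause in both is that request data reaches {@code parseExpression}; the preferred mitigation is
 * to never build expressions from request data, and the fallback is a restricted context as in
 * {@link #spel_sec(String)}.
 *
 * @author JoyChou @2019-01-17
 */
@RestController
public class SpEL {

    /**
     * Use Spel to execute cmd. <p>
     * T(java.lang.Runtime).getRuntime().exec("open -a Calculator")
     *
     * <p>Intentionally vulnerable: {@code value} is parsed as a raw expression and evaluated
     * without an explicit context, in which case Spring falls back to a default
     * {@link StandardEvaluationContext}, so type references such as the one above are resolved.
     *
     * @param value request parameter, evaluated as a SpEL expression (untrusted)
     * @return string form of the evaluation result; {@code "null"} when the expression yields null
     */
    @RequestMapping("/spel/vuln1")
    public String spel_vuln1(String value) {
        ExpressionParser parser = new SpelExpressionParser();
        Object result = parser.parseExpression(value).getValue(); // sink: untrusted expression evaluated
        // String.valueOf avoids a NullPointerException when the expression evaluates to null.
        return String.valueOf(result);
    }

    /**
     * Use Spel to execute cmd. <p>
     * #{T(java.lang.Runtime).getRuntime().exec('open -a Calculator')}
     * Exploit must add <code>#{}</code> if using TemplateParserContext.
     *
     * <p>Intentionally vulnerable: {@link TemplateParserContext} only changes the syntax (text
     * outside <code>#{}</code> is treated as a literal); it is not a security boundary. Anything
     * inside the delimiters is still evaluated against a {@link StandardEvaluationContext}.
     *
     * @param value request parameter, evaluated as a SpEL template (untrusted)
     * @return string form of the evaluation result; {@code "null"} when the template yields null
     */
    @RequestMapping("spel/vuln2")
    public String spel_vuln2(String value) {
        StandardEvaluationContext context = new StandardEvaluationContext();
        SpelExpressionParser parser = new SpelExpressionParser();
        Expression expression = parser.parseExpression(value, new TemplateParserContext());
        Object x = expression.getValue(context); // trigger vulnerability point
        // String.valueOf avoids a NullPointerException when the template evaluates to null.
        return String.valueOf(x); // response
    }

    /**
     * Use SimpleEvaluationContext to fix.
     *
     * <p>{@code SimpleEvaluationContext.forReadOnlyDataBinding()} does not support Java type
     * references, constructors or bean references, so the payloads shown on the {@code vuln}
     * endpoints fail with an evaluation exception instead of running. That exception is not
     * caught here; how it is rendered depends on the application's error handling.
     *
     * <p>NOTE(review): the caller still chooses the expression, within the reduced subset. Where
     * the feature allows it, avoid evaluating request data as an expression at all.
     *
     * @param value request parameter, evaluated as a SpEL template in a restricted context
     * @return string form of the evaluation result; {@code "null"} when the template yields null
     */
    @RequestMapping("spel/sec")
    public String spel_sec(String value) {
        SimpleEvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        SpelExpressionParser parser = new SpelExpressionParser();
        Expression expression = parser.parseExpression(value, new TemplateParserContext());
        Object x = expression.getValue(context);
        // String.valueOf avoids a NullPointerException when the template evaluates to null.
        return String.valueOf(x);
    }

    /**
     * Local smoke check: evaluates the constant expression {@code 1+1} and prints the result.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        ExpressionParser parser = new SpelExpressionParser();
        String expression = "1+1";
        String result = String.valueOf(parser.parseExpression(expression).getValue());
        System.out.println(result);
    }
}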