EL provides an important mechanism for enabling the presentation layer (web pages) to communicate with the application logic (managed beans).
EL is used in:
- Spring Framework: Security, Data, …
- Any place where developers use it through the SpEL API
- Languages: it can be used from Java, Kotlin, Scala, and other JVM-based technologies.
The EL is used by several JavaEE technologies, such as JavaServer Faces technology, JavaServer Pages (JSP) technology, and Contexts and Dependency Injection for Java EE (CDI). The EL can also be used in stand-alone environments.
Java applications are easily recognizable: they tend to use extensions such as .jsp or .jsf, throw Java stack traces, and use terms like "Servlet" in the headers.
(You can find another interesting tutorial about EL in )
Download from the repository the jar files:
commons-lang3-3.9.jar
spring-core-5.2.1.RELEASE.jar
commons-logging-1.2.jar
spring-expression-5.2.1.RELEASE.jar
And create the following Main.java file:
Next compile the code (if you don't have javac installed, install it with sudo apt install default-jdk):
Execute the application with:
Note how in the previous example the term {5*5} was evaluated.
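The following Main.java is an added example, not the page's own: it evaluates input as a SpEL template with the same {...} delimiters, and puts the vulnerable pattern (full StandardEvaluationContext) next to the hardened one (SimpleEvaluationContext, which ships in the spring-expression 5.2.1 jar listed above). It assumes the four jars above are on the classpath; the sample inputs are constructed.

```java
import java.util.function.Function;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class Main {
    private static final ExpressionParser PARSER = new SpelExpressionParser();
    // Same "{...}" delimiters as the {5*5} template above.
    private static final TemplateParserContext TEMPLATE = new TemplateParserContext("{", "}");

    // Vulnerable pattern: untrusted text is parsed as a SpEL template and evaluated
    // with StandardEvaluationContext, so type references, method calls and
    // constructors inside the braces all execute.
    static String evalUnsafe(String userInput) {
        return PARSER.parseExpression(userInput, TEMPLATE)
                     .getValue(new StandardEvaluationContext(), String.class);
    }

    // Hardened pattern: SimpleEvaluationContext exposes only read-only property
    // access on the root object; T(...), method invocation, constructors and
    // bean references are rejected with an EvaluationException.
    static String evalRestricted(String userInput) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(userInput, TEMPLATE).getValue(ctx, String.class);
    }

    // Runs one evaluator and reports a parse/evaluation rejection instead of crashing.
    static String attempt(Function<String, String> evaluator, String input) {
        try {
            return evaluator.apply(input);
        } catch (ExpressionException e) {
            return "REJECTED (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: plain text, arithmetic, and a harmless type reference.
        String[] samples = {"Hello world", "Hello {5*5}", "{T(java.lang.Math).max(1, 2)}"};
        for (String s : samples) {
            System.out.println("input:        " + s);
            System.out.println("  unsafe:     " + attempt(Main::evalUnsafe, s));
            System.out.println("  restricted: " + attempt(Main::evalRestricted, s));
        }
    }
}
```

Compile with `javac -cp "*" Main.java` and run with `java -cp ".:*" Main`: the first two inputs evaluate the same under both contexts ("Hello world", "Hello 25"), while the T(...) input yields 2 under the unsafe evaluator and is rejected by the restricted one.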
It consists of 3 parts:
black color — copy result of command execution directly to output stream of HTTP request
red color — get Java Runtime and execute command in system
blue color — String containing the command: cmd /c dir. To make it more robust, the individual characters of the command are decoded from numbers.
Result of executing it:
Burp detection
J2EE detection
Sleep 10 secs
Basic RCE explanation
RCE linux
RCE Windows (not tested)
More RCE
- applicationScope - global application variables
- requestScope - request variables
- initParam - application initialization variables
- sessionScope - session variables
- param.X - param value where X is the name of an HTTP parameter
You will need to cast these variables to String like:
The application can also use custom variables like:
From what you have already seen, I bet you know what is coming. If developers are using SpEL with user input, we need to create a payload with the injection. Let’s check one that allows remote code execution (RCE). It was created as part of an exploit for .